Mandatory Data Breach Notification: A Step-by-Step Playbook
Under the NDB scheme you've got 30 days to notify the OAIC and affected individuals. Here's the exact process — and what happens if you miss it.
Australia's Notifiable Data Breaches (NDB) scheme has been in force since 2018, but every year the OAIC reports that most notifications miss the 30-day deadline. Here's the step-by-step playbook — and what happens if you get it wrong.
When the NDB scheme applies
You must notify the OAIC and affected individuals if there's an "eligible data breach" — meaning personal information has been lost, accessed without authorisation, or disclosed, AND the breach is likely to result in "serious harm" to the individuals affected.
"Serious harm" is broadly defined — psychological, emotional, physical, reputational, economic, and financial harm all count. The threshold is not high.
The 30-day clock
You have 30 days from the point you become aware of a suspected eligible breach to complete an assessment and (if it's confirmed) issue notifications. Those 30 days are calendar days, not business days: weekends, public holidays, and Christmas all count.
Most organisations think they have plenty of time. Then they realise the first week is lost to internal investigation, the second week to legal review, the third to drafting notifications, and suddenly they're on day 25 trying to get sign-off from a partner who's on leave.
The three-phase process
Phase 1: Contain. Stop the bleeding. Revoke access, close the gap, preserve evidence. Don't delete anything that might be needed for the investigation.
Phase 2: Assess. Work out what information was exposed, to whom, and whether serious harm is likely. Document your reasoning — you may need to defend it to the OAIC later. If you decide the harm isn't serious, you still need records showing how you reached that conclusion.
Phase 3: Notify. If notification is required, you need to tell both the OAIC (via their online form) and each affected individual. The notification must include a description of the breach, the kinds of information involved, the steps the individuals should take in response, and your contact details.
What notification looks like in practice
The OAIC form is straightforward. The individual notifications are harder. They must be direct (email, letter, or phone), not posted on a website as a notice. The language must be clear — legal boilerplate doesn't meet the standard. You must offer affected individuals a way to contact you with questions.
What happens if you miss the deadline
The OAIC can issue infringement notices, start enforcement action, or seek civil penalties. In egregious cases the penalties reach $2.5m for individuals and $50m for bodies corporate. More commonly, the consequence is public enforcement notices that name the organisation — which has its own reputational cost.
Have a plan before you need it
The single best thing you can do is document your breach response process before you need it. Who leads? Who approves notifications? Where are the evidence-preservation procedures? A 30-minute dry-run exercise saves weeks of panic when it actually happens.