The Compliance Conversation You’re Avoiding Will Eventually Find You


I had a chat recently with a business owner who runs a tidy operation — about fifteen staff, healthy margins, the sort of place that quietly does well without ever making noise. Halfway through, I asked how they were tracking on privacy and security obligations. The answer was a laugh and a wave of the hand. “Mate, we’re too small for anyone to care about that.”

I’ve heard that line more times than I can count. And I understand why people say it. When you’re flat out keeping the lights on, compliance feels like a problem reserved for the big end of town — banks, hospitals, listed companies with legal departments. The trouble is, that comfortable assumption is quietly expiring, and most small businesses haven’t noticed.

The rules are walking towards you, not away

For years, smaller organisations sat below the threshold of most privacy regulation. That gap is closing. Governments around the world are tightening data protection laws and shrinking the carve-outs that used to let small businesses off the hook. Here in Australia, the conversation about extending privacy obligations to organisations that were previously exempt has been building for a while, and it isn’t going to reverse.

So the question isn’t whether regulation reaches your business. It’s whether you’ll be ready when it does, or scrambling because you assumed it never would.

What strikes me is how avoidable the scramble is. A lot of what compliance asks for is simply knowing what data you hold, where it lives, who can touch it, and what happens if it walks out the door. If you’re running Microsoft 365, you already have the tools to answer those questions. Microsoft Purview can show you where sensitive information sits across your tenant and flag where it’s being shared in ways it shouldn’t be. That’s not a future purchase. For most small businesses, it’s sitting in a licence you already pay for and have never switched on.

Cyber insurance is doing the regulating for now

Here’s the part that catches people off guard. While the laws are still catching up, your insurer has already arrived. The renewal questionnaire for cyber insurance has become a de facto compliance audit, and it’s getting longer every year.

Do you enforce multi-factor authentication? Do you have email filtering? Are backups tested? Who has administrator access? I’ve watched owners stare at these forms with genuine surprise, because nobody warned them that a policy renewal would turn into a security interrogation. And the consequences are real — answer loosely, suffer an incident, and you may find the claim contested because the controls you ticked weren’t actually in place.

This is where I tell people to stop treating the questionnaire as paperwork and start treating it as a checklist worth acting on. Turn on MFA through Entra. Tighten who holds admin rights. Confirm your data is actually backed up, not just assumed to be. None of this is exotic. It’s the same hygiene the regulators will eventually demand, so you may as well do it now while an insurer is the one asking.
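Here is what "treat the questionnaire as a checklist" looks like in practice for two of the questions above, as an added example that is not part of the original post. It is a Microsoft Graph PowerShell script that answers "Do you enforce MFA?" and "Who has administrator access?" from the tenant itself rather than from memory, and writes the answers to a dated JSON file you can keep as evidence for the renewal. It assumes the Microsoft.Graph module is installed and that you can consent to the read-only scopes listed; the list of role names and the "no more than three Global Administrators" threshold are my assumptions for the example, not a standard. Backups are left out because the honest test there is a restore, not a query.

```powershell
# Added example (not from the original post): gather evidence for two cyber-insurance
# questionnaire controls in a Microsoft 365 tenant using the Microsoft Graph PowerShell SDK.
# Assumes: Install-Module Microsoft.Graph has been run, and the signed-in account can
# consent to the read-only scopes requested in Connect-MgGraph below.

function Get-MfaGaps {
    param([Parameter(Mandatory)] $RegistrationDetails)
    # Users with no registered MFA method. Any name here is a "no" to "Do you enforce MFA?".
    $RegistrationDetails |
        Where-Object { -not $_.IsMfaRegistered } |
        Select-Object -ExpandProperty UserPrincipalName
}

function Get-PrivilegedRoleMembers {
    # Role names are an assumption for the example; adjust to the roles your tenant uses.
    param([string[]] $RoleNames = @('Global Administrator', 'Exchange Administrator', 'SharePoint Administrator'))
    foreach ($name in $RoleNames) {
        $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
        if (-not $role) { continue }   # role has never been activated in this tenant
        Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
            [pscustomobject]@{
                Role   = $name
                Member = $_.AdditionalProperties['userPrincipalName']
                Type   = $_.AdditionalProperties['@odata.type']   # user, group or service principal
            }
        }
    }
}

function New-ControlEvidence {
    # Turn the raw results into the yes/no answers the form asks for, with the supporting detail.
    # MaxGlobalAdmins = 3 is an assumed threshold, not a regulatory or insurer figure.
    param([string[]] $MfaGaps, $AdminMembers, [int] $MaxGlobalAdmins = 3)
    $globalAdmins   = @($AdminMembers | Where-Object Role -eq 'Global Administrator')
    $adminsNoMfa    = @($AdminMembers | Where-Object { $MfaGaps -contains $_.Member })
    [pscustomobject]@{
        MfaRegisteredForAllUsers = ($MfaGaps.Count -eq 0)
        UsersWithoutMfa          = $MfaGaps
        GlobalAdminCount         = $globalAdmins.Count
        GlobalAdminsWithinLimit  = ($globalAdmins.Count -le $MaxGlobalAdmins)
        AdminsWithoutMfa         = $adminsNoMfa.Member
        AllAdminsHaveMfa         = ($adminsNoMfa.Count -eq 0)
        CheckedAt                = (Get-Date).ToString('o')
    }
}

# Read-only scopes: enough to list registration details and role membership, nothing more.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

$details  = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$mfaGaps  = @(Get-MfaGaps -RegistrationDetails $details)
$admins   = @(Get-PrivilegedRoleMembers)
$evidence = New-ControlEvidence -MfaGaps $mfaGaps -AdminMembers $admins

# Keep a dated copy: this is the record you want if a claim is ever contested.
$evidence | ConvertTo-Json -Depth 3 |
    Set-Content -Path ".\insurance-control-evidence-$(Get-Date -Format yyyyMMdd).json"
$evidence
```

Run it before you fill in the form, and again each quarter; if `UsersWithoutMfa` or `AdminsWithoutMfa` is anything other than empty, fix that before you tick the box, because the dated file shows exactly what was true on the day you answered.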

Where to start when it feels like too much

The reason this conversation gets avoided is that it feels enormous — like you’d need to stop everything and become a compliance expert overnight. You don’t. You need to start, and starting is smaller than you think.

This is one of those tasks where I’ve found Copilot genuinely useful. Ask it in Word to draft a plain-English data handling policy based on what your business actually does, then refine it. Ask Copilot to summarise the key obligations from a privacy guidance document you’ve been meaning to read for six months. Use it to turn that intimidating insurance questionnaire into a list of specific actions, each owned by someone, tracked in Planner. Suddenly the mountain is a series of steps, and steps are doable.

The point isn’t to achieve perfect compliance by Friday. It’s to be able to show, honestly, that you’ve thought about this and you’re doing something — because “we’re too small to matter” is not a defence that ages well.

The compliance conversation you’re avoiding doesn’t disappear when you ignore it. It just waits, and it tends to introduce itself at the worst possible moment — mid-breach, mid-claim, mid-audit. Far better to have the conversation now, on your own terms, with a coffee in hand and nothing actually on fire. That’s a much nicer way to meet it.
