All articles
Compliance7 min read

Privacy Act Reforms 2026: What Changes for Broker CRMs

CRMandGo Team · 1 March 2026

The Australian Government's reforms to the Privacy Act 1988 introduce new rights for individuals, tighter data handling obligations for businesses, and increased penalties for non-compliance. For mortgage brokers who collect sensitive financial and personal information daily, these reforms have direct implications for how your CRM stores, processes, and protects client data.

Key reforms affecting brokers

  • Right to erasure, clients can request deletion of their personal data
  • Mandatory data breach notification within 72 hours
  • Strengthened consent requirements for data collection and use
  • Higher penalties for privacy breaches (up to $50 million or 30% of turnover)
  • New obligations for automated decision-making transparency

CRM readiness checklist

Your CRM must support: data export on client request (portability), data deletion workflows that respect retention obligations (NCCP requires 7-year retention, so deletion requests need careful handling), consent tracking with timestamps, and breach notification workflows. If your CRM can't demonstrate these capabilities, you're exposed under the new penalties.

Balancing privacy with compliance retention

The tension between 'right to erasure' and NCCP's 7-year retention requirement is real. Brokers can't simply delete all client data on request, they have a legal obligation to retain records of credit assistance. The solution is selective deletion: remove marketing-related data and communication preferences immediately, while retaining compliance-mandated records with clear legal basis documentation.

Frequently asked questions

Can a client force me to delete all their data?
Not entirely. While the Privacy Act reforms introduce a right to erasure, brokers have a competing obligation under the NCCP Act to retain credit records for 7 years. You must delete marketing data and unnecessary personal information, but compliance records can be retained with documented legal basis.
What are the penalties for privacy breaches under the reforms?
Penalties increase to the greater of $50 million, three times the value of the benefit obtained, or 30% of the company's adjusted turnover. For small brokerages, OAIC enforcement actions are more likely to involve undertakings and audits than maximum fines, but the reputational damage is equally serious.
Does my CRM need to support data portability?
Yes. Under the reforms, individuals have the right to receive their personal data in a commonly used, machine-readable format. Your CRM should support data export per client in standard formats (CSV, JSON) to facilitate portability requests.

Ready to see it in action?

CRMandGo is built for Australian brokers. Start your free trial, no credit card, no lock-in.

Start free trial