Practical AI and SaaS for Business

AI Readiness Checklist for Australian Businesses

Most AI implementations that underperform do so for predictable reasons: staff who do not know what is allowed, data that is not in shape to use, and no policy governing what happens when something goes wrong. This checklist covers five areas to assess before you deploy AI tools in your business.

In short: AI readiness is not primarily a technology question. The five areas that predict whether an AI deployment will work are: how your data is currently managed, whether staff understand what they can and cannot put into AI tools, whether you have a written AI policy, whether you have assessed your Privacy Act obligations, and whether your IT infrastructure can support the tools you want to use. This checklist walks through each one.

This checklist is designed for Australian small and medium businesses considering AI tool deployment for the first time, or evaluating whether their current use of AI tools is on solid foundations. It covers five readiness areas. Work through each section and note where your business has gaps before expanding AI use further.

None of the items in this checklist constitute legal or compliance advice. Where privacy obligations are mentioned, the OAIC's published guidance is the authoritative reference. For sector-specific obligations (financial services, healthcare, legal), consult the relevant regulator or adviser.

Area 1: Data Governance

AI tools are only as useful as the data and information you feed into them. Before deploying AI at scale, assess whether your data practices are in order.

  • You know what data your business holds. Do you have a basic inventory of what customer, employee, and operational data your business stores, and where it lives? AI tools that are connected to business data (via integrations or file uploads) will access whatever is in scope. Knowing what you have is the prerequisite to controlling what goes in.
  • Your data is reasonably accurate and current. AI tools used for analysis or decision support are unreliable when the underlying data is outdated or inconsistent. If customer records, pricing data, or operational figures are not maintained, fix that before using AI to analyse them.
  • You know where sensitive data is stored. Customer personal information, employee records, financial data, and health information (if applicable) should be identifiable and segregated where possible. Staff should not be in a position to accidentally paste sensitive records into an AI tool without knowing what they are doing.
  • You have a basic data retention policy. You know roughly how long different types of data are kept and who is responsible for deleting it. This is relevant to both privacy compliance and to what material might inadvertently enter AI tools.

Area 2: Staff Readiness

Technology readiness is less important than people readiness. Most AI-related data incidents in businesses come from staff using tools without understanding the implications.

  • Staff who will use AI tools know what the tools do with their data. Can your staff answer the question: does this AI tool train on my conversations, and how long does it keep them? If not, they are using the tool without understanding a basic characteristic of it. Training and retention are separate settings: a plan that does not train on your inputs may still retain prompts and outputs for a period (for abuse monitoring or support), so check both in the vendor's terms. This does not require technical training. It requires access to the vendor's privacy policy and data processing terms, and a brief explanation of what they mean.
  • Staff know what types of information should not go into AI tools. Typical categories are client personal information, financial data, legally privileged communications and confidential commercial terms. These categories should be defined and communicated, not assumed.
  • There is a nominated person responsible for AI tool decisions. In a small business, this is often the owner or a senior manager. In a larger business, it may be an IT or operations lead. Someone should be accountable for deciding which tools are approved, what they can be used for, and what the response is when something goes wrong.
  • Staff know what to do if they make a mistake. If an employee accidentally uploads a client file to an AI tool, is there a process for reporting it? Even a simple "tell your manager immediately" is better than nothing. AI incidents that are caught early are easier to manage.

Area 3: Policy and Documentation

A written AI policy does not need to be long or complex. Its purpose is to make decisions once rather than having staff make inconsistent decisions repeatedly.

  • You have a written AI usage policy. The policy should cover: which tools are approved for use, what categories of data can and cannot go into those tools, what requires human review before use, and who to contact with questions or incidents. A one-page document is sufficient for most small businesses. Our free AI staff policy template is a starting point.
  • The policy has been communicated to all staff who use AI tools. A policy that exists but has not been shared is not a policy in practice. A brief verbal walkthrough plus a written copy is the minimum.
  • The policy specifies approved tools and plans. Not all plans of a tool are equivalent. ChatGPT Plus and ChatGPT Team have different data handling defaults. The policy should name the specific plan that is approved, not just the tool name.
  • There is a process for adding new AI tools. Staff will find new AI tools regardless of whether you have a formal process. A lightweight approval step (describe the tool and its data handling to the nominated person before using it for work) is better than no process at all.

Area 4: Privacy and Compliance Obligations

Navigator note: This section describes the Australian privacy landscape as it applies to AI tool use. It is not legal advice. The OAIC's published guidance is the authoritative source for Privacy Act obligations: oaic.gov.au. For sector-specific obligations, consult the relevant regulator.

Privacy Act compliance is the most commonly overlooked dimension of AI readiness for Australian businesses.

  • You understand whether the Privacy Act applies to your business. The Privacy Act 1988 applies to businesses with annual turnover above $3 million, and to certain categories of business regardless of size, including health service providers, businesses that trade in personal information, and contracted service providers under Commonwealth contracts. The Privacy and Other Legislation Amendment Act 2024 also introduced a statutory tort for serious invasions of privacy that is not limited by the small business exemption, so a business below the turnover threshold that misuses personal information is not beyond reach. The OAIC website describes who the Act applies to: oaic.gov.au.
  • You are aware of APP 8 (cross-border disclosure). If the Privacy Act covers your business and you disclose personal information to an overseas recipient, which includes sending customer or employee details to a US-hosted AI tool, APP 8 applies. APP 8.1 requires you to take reasonable steps, before the disclosure, to ensure the overseas recipient does not breach the APPs. Under APP 8.2 this does not apply where, among other exceptions, the recipient is bound by a law or binding scheme substantially similar to the APPs, or the individual has consented after being expressly told that APP 8.1 will not apply. Two practical points from the OAIC's APP Guidelines: if you rely on the reasonable-steps route, section 16C generally makes you accountable for the recipient's handling of the information; and where an overseas provider merely stores or processes the information on your behalf under contract, with no right to use it for its own purposes (such as training), the OAIC may treat that as a "use" rather than a "disclosure", which is one reason the approved plan's training and retention terms matter. The OAIC has published guidance on this obligation: OAIC: Sending personal information overseas.
  • Your privacy policy reflects current AI tool use. If your business uses AI tools that process personal information, and your privacy policy does not disclose this, consider whether an update is warranted. APP 1 requires businesses to maintain an up-to-date privacy policy that includes information about the kinds of personal information collected and how it is handled.
  • You have considered sector-specific obligations. Businesses in financial services, healthcare, legal services, and education have obligations beyond the Privacy Act. If your business is in a regulated sector, verify that your AI tool use is consistent with sector-specific requirements before expanding it.

Area 5: IT Infrastructure

Most AI tools used by small businesses are cloud-based SaaS products that require no significant IT infrastructure. But some integration and security basics apply regardless.

  • Access to AI tools is managed per user, not shared. Shared login credentials for AI tools make it impossible to know who did what, and create risk when staff leave. Individual accounts (ideally on a team or business plan with an admin console, or single sign-on where the tool supports it), with multi-factor authentication turned on, are the baseline.
  • You have a password manager for managing AI tool access. Tools like 1Password Teams (~AUD $6/user/month) give each person a vault for their own credentials and let you remove a departing employee's access to shared vault items in one step. Two caveats: removing someone from a vault does not invalidate a shared password they may already have copied, so rotate any shared credential when the person leaves; and if a tool is only available on a single shared login, treat that as a reason to prefer a plan with per-user seats, not as a problem the password manager solves.
  • You understand what integrations your AI tools have or could have. Some AI tools offer integrations with your business software (CRM, email, document storage). Each integration is a potential data pathway. Before enabling integrations, understand what data flows from your business systems to the AI tool, and review the permissions (OAuth scopes) the integration requests: an integration that asks for access to all files or all mailboxes when it only needs one folder is over-scoped.
  • You have considered what happens when an AI tool goes down or is discontinued. If a business process depends on an AI tool, what is the fallback? Tools are discontinued, pricing changes, or services become unavailable. Processes that rely entirely on AI tools without a human fallback carry continuity risk.

Scoring Your Readiness

There is no single score that determines AI readiness. The checklist is most useful when used to identify specific gaps rather than as a pass/fail test. A business that scores well on data and IT but has no written policy is not ready to expand AI use to sensitive workflows. A business with a strong policy but unexamined APP 8 obligations should address the privacy gap before processing personal information through AI tools.

As a rough guide:

  • All items checked: Your foundations are solid. Expand AI use with ongoing awareness of how tools and regulations are changing.
  • Most items checked, 1-3 gaps: Address the specific gaps before expanding AI use into new areas or higher-sensitivity workflows.
  • More than 3 gaps: Prioritise the policy and staff communication items first (Area 3 and Area 2). These have the highest impact per hour of effort. Then work through data and privacy gaps.
  • Significant gaps in Area 4 (Privacy): If your business is subject to the Privacy Act and is already using AI tools that process personal information without having assessed APP 8, consider whether to pause that use until the obligation is understood. The OAIC guidance is the starting point.

What to Do Next

The most common next steps after completing this checklist:

  • Write or update your AI policy: Our free AI staff policy template provides a starting framework that covers approved tools, data handling rules, and incident reporting. It is designed for Australian small businesses and can be adapted for most SMB contexts.
  • Brief staff on what is and is not allowed: A 15-minute team conversation covering the approved tools, what data cannot go into them, and what to do if something goes wrong is more valuable than a lengthy policy document that no one reads.
  • Assess your Privacy Act position: If you are not sure whether the Privacy Act applies to your business or how APP 8 applies to your specific AI tool use, the OAIC website is the starting point. For a formal assessment, consult a privacy adviser.
  • Build a simple AI pilot before scaling: If you have not yet deployed AI tools at scale, start with a pilot covering one workflow, one team, and defined success criteria. Our guide to running an AI pilot covers this process: How to Run an AI Pilot in Your Business.

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified in AUD at the vendor's published rates or converted at current exchange rates. Compliance notes reference the legislation and regulatory guidance relevant to each article's scope. Tools are assessed for suitability by a business with no dedicated IT department.

Related reading: our guide Can staff upload customer data to AI tools? and our AI and the Privacy Act guide.

How do I know if my business is ready for AI?

Readiness comes down to five areas: whether your data is in order, whether staff understand what they can and cannot do with AI tools, whether you have a written AI policy, whether you have assessed your Privacy Act obligations, and whether your IT infrastructure supports the tools you want to use. A business does not need to be perfect across all five areas to start using AI tools. But knowing where the gaps are lets you manage the risk while you address them.

Do Australian businesses need a written AI policy?

There is no legal requirement for most businesses to have a written AI policy. However, a written policy, even a one-page document, is the most effective way to ensure staff use AI tools consistently and understand what is not allowed. Without a policy, each staff member makes their own judgement about what is acceptable, and those judgements will differ. The Law Council of Australia has encouraged professional services firms to implement AI policies. Our free AI staff policy template provides a starting framework.

What is the most common AI readiness gap for small Australian businesses?

The most common gaps are: staff using AI tools (including the consumer version of ChatGPT) without understanding the data handling implications, no written policy specifying what is and is not allowed, and no assessment of Privacy Act APP 8 obligations when personal information about customers or employees is being processed through US-hosted AI tools. These three gaps appear together more often than not, and they can all be addressed without significant cost or technical complexity.

Does the Privacy Act apply to small businesses using AI tools?

The Privacy Act 1988 generally applies to businesses with annual turnover above $3 million. Businesses below this threshold are typically exempt from most of the Act's requirements, though exceptions apply (health service providers, businesses that trade in personal information, contracted service providers under Commonwealth contracts, and others). The Privacy and Other Legislation Amendment Act 2024 also introduced a statutory tort for serious invasions of privacy that is not limited by the small business exemption, so small businesses that misuse personal information can face consequences regardless of turnover. If you are unsure whether the Act applies to your business, the OAIC's guidance on who the Act applies to is the starting point: oaic.gov.au.

How long does it take to prepare a business for AI tool deployment?

For a small business with no existing AI policy and basic data practices already in place, the core readiness steps (writing a policy, briefing staff, and assessing privacy obligations) typically take two to four hours of focused effort. The IT infrastructure steps (setting up individual accounts with multi-factor authentication, implementing a password manager) add another two to four hours. Larger businesses with more complex data environments, regulated industry obligations, or a larger staff population will take longer. Readiness is not a one-time exercise: AI tools change, regulations evolve, and staff turn over, so policy and training should be reviewed annually at minimum.

The first concrete step after completing this checklist is having a written AI policy in place. Our free AI staff policy template covers approved tools, data handling rules, and incident reporting, and can be adapted for any Australian small business.