Sole Trader, Pty Ltd or Trust? How Your Business Structure Determines How Much You Could Lose in a Data Breach

Graham Slater • June 24, 2026

Not All Gym Owners Face the Same Risk

Two gym owners could be running almost identical operations — same number of members, same software platforms, same types of data collected — and face completely different levels of personal financial risk in the event of a data breach or regulatory fine. The difference comes down to how their business is structured.

Business structure is one of the most important but underexplored dimensions of privacy and cyber risk management. Most conversations about data protection focus on technical measures like MFA and encryption, or on insurance products that provide a financial backstop. Both of those things matter. But if your business structure means your personal assets are directly exposed to business liabilities, you need to understand that exposure before anything else.

Sole Traders and Partnerships: Maximum Exposure

A sole trader or partnership has no legal separation between the business and the individual. From the law's perspective, there is no company, only you (and, in a partnership, your partners, each of whom is generally liable for the partnership's debts). Every asset you personally own, including your home, vehicle, savings accounts, and investments, is available to satisfy a legal judgment or regulatory fine issued against your business.

Under the 2026 Privacy Act enforcement framework, a sole trader gym owner who suffers a data breach resulting in a serious OAIC finding could face personal fines of up to $2.5 million, civil claims from members under the Statutory Tort for Serious Invasion of Privacy, and the full cost of legal defence, with no corporate shield standing between those liabilities and personal assets.


This is not a hypothetical scenario constructed to frighten people. It is the direct, practical consequence of the legal structure that most small gym and dojo operators choose when they start out — because it is simple, cheap, and involves minimal administrative overhead. The privacy and cyber risk landscape has changed dramatically since most of them made that choice.

Company (Pty Ltd): Partial Protection

Operating as a proprietary limited company creates a legal separation between the business entity and its directors and shareholders. In theory, the company's liabilities stay with the company — the directors' personal assets are protected. In practice, the protection is more nuanced.

Directors of a Pty Ltd company can still be found personally liable if they are judged to have been negligent in their governance of the company's data practices. This means that if a breach occurs and it is established that the directors failed to implement basic, universally recommended cybersecurity controls — like MFA, regular security audits, or staff training — the corporate shield does not automatically protect their personal assets.

The 2026 ASIC enforcement landscape reinforces this. The Australian Securities and Investments Commission (ASIC) has been increasingly active in pursuing directors personally for failures in operational risk management, including cyber risk. Directors owe their company a duty of care and diligence that includes ensuring basic systems for identifying and managing material business risks are in place. Cyber risk is now firmly in that category, and "we left it to the IT provider" is not a defence if no one on the board ever asked what controls were in place.

Company Plus Trust: The Strongest Structure

A company structure operating within a discretionary trust arrangement provides the highest level of asset protection available to a small business operator. Under this structure, the assets of the business (and personal assets held within the trust) are separated from the legal liabilities of the operating company.

If the operating company faces a regulatory fine or civil lawsuit, the assets held in the trust are generally protected from seizure, provided the trust is properly established and maintained. This structure is more complex and more expensive to set up and administer than a simple Pty Ltd, but for business owners with significant personal assets at stake, the protection it offers can be substantial.

It is critical to note that asset protection structures do not eliminate your compliance obligations. A gym operating under a company plus trust structure still needs to comply fully with the Privacy Act, still needs MFA and a compliant privacy policy, and still needs cyber insurance. The structure reduces the worst-case scenario of personal loss; it does not remove the responsibility to prevent the breach in the first place.

Management Liability Insurance: The Complement to Good Structure

Even the strongest business structure does not provide complete personal protection for directors. Management liability insurance fills the gaps that corporate structure cannot. It is designed specifically to protect directors and officers from personal financial loss arising from claims made against them in their capacity as business leaders.

For a gym or martial arts club operating as a Pty Ltd, management liability coverage protects the personal assets of directors if they are individually sued as a result of a privacy or cyber incident; for example, if a member launches a Statutory Tort claim naming the directors personally, or if ASIC pursues the directors for governance failures related to a data breach.

Management liability should be considered alongside, not instead of, standalone cyber insurance. They address different dimensions of the risk. Cyber insurance covers the incident response, regulatory defence, and member notification costs. Management liability covers the personal financial exposure of the people who run the business.

A Practical Assessment for Club Owners

If you are currently operating as a sole trader or in a simple partnership and you hold health data on your members, the time to review your business structure is now — before an incident occurs, not after. The cost of restructuring is a fraction of the cost of defending a Federal Court action with your personal assets on the line.

Ask yourself these questions:

• What structure is my business currently operating under?

• Do I hold health information about my members, even in basic intake forms?

• Do I have MFA enabled and a compliant privacy policy in place?

• Do I have standalone cyber insurance that covers regulatory defence and member claims?

• Do I have management liability insurance to protect my personal assets if I am named personally in a claim?

• Has my accountant or solicitor reviewed my structure in light of the 2026 Privacy Act changes?

We Help You See the Full Picture

Insurance does not replace the right business structure, and business structure does not replace insurance. Together, they form the layered defence that genuinely protects everything you have built.

At MAA Insurance Services, we help gym owners, club directors, and fitness studio operators understand the full risk landscape they are operating in. We can arrange the cyber and management liability coverage that protects your business and your personal assets, and we work alongside your accountant and solicitor to ensure all parts of the protection strategy are pointing in the same direction.

Speak to our team today to review your current coverage and identify any gaps before they become expensive problems.
