Data Privacy Week (late January each year) is one of the few security/privacy awareness events that lend themselves to practical, achievable activity rather than abstract recognition. The annual prompt is useful precisely because the work it surfaces is unglamorous and easy to defer:
Refresh the data-retention review. Re-audit who has access to sensitive shared drives. Validate that the privacy policy still describes what the business actually does. Update the data-breach response plan. Check that subject-access-request handling has a documented owner. Refresh the data-processing register if there is one.
None of this is large. All of it accumulates risk when neglected. The advantage of pinning it to Data Privacy Week is that it gets done annually instead of when something forces it. For SMBs becoming Privacy-Act-regulated for the first time in 2026, the discipline of an annual privacy housekeeping cycle is one of the easiest improvements available.
