The Australian government has ushered in changes to the Privacy Act that will have a profound impact on the approximately 2.3 million small businesses operating across the country.
Previously, businesses with an annual turnover of $3 million or less were exempt from the Act, meaning they had no obligation to keep personal information secure or to notify affected people if there was a data breach.
Small businesses will now have to comply with a raft of obligations previously reserved for big businesses, including seeking informed consent, increased accountability for information handling, and rules around destroying data when it’s no longer needed.
This means every business needs to ensure their privacy policies are watertight. Here are three key ways the new rules could impact your business.
A need for government support in training
Many small businesses may lack the expertise and knowledge to navigate the complexities of the new privacy landscape. While the government is very clear on the rules themselves, it’s not quite so clear on how small businesses can adhere to these privacy principles – particularly for those businesses still in the process of digital transformation.
Small businesses need accessible resources, training, and best practices to ensure they understand and effectively implement the required changes without incurring excessive costs or risking non-compliance. After all, if the likes of Optus, Medicare and Latitude can’t get it right, then how are small businesses going to know where to turn?
The government’s focus on enforcement should be complemented by robust education and advisory support. Similar to the ATO’s approach, there needs to be a proactive effort to educate and assist small businesses in implementing best practices.
Compliance costs could represent a serious challenge for businesses that need to invest in restructuring their processes, systems, and workforce to align with the new privacy obligations.
It’s not just about ticking a few boxes. Small businesses may need to allocate resources for training programs to make sure that employees understand and stick to the new privacy obligations.
Set aside time and resources to educate staff on the intricacies of the revised regulations, and work that into your plan – whether it’s the direct cost of training materials or the indirect costs associated with time spent away from regular duties.
Legal consequences and penalties
The removal of the exemption for small businesses means they are now subject to the same privacy obligations as larger enterprises. Failure to comply with the Privacy Act could lead to legal consequences and penalties, so it’s important to get on top of things as soon as possible.
Engaging legal professionals who specialise in privacy law is a great way to ensure that you’re interpreting and implementing the regulations accurately – this will, of course, incur costs. However, the cost of fines and legal action, should you suffer a security breach or be found to be contravening the regulations, may far outweigh the cost of a short-term legal advisor.
Although it might seem like an inconvenience, the revised rules are designed with a clear purpose: to strengthen privacy measures, particularly when it comes to how small businesses handle their customers’ personal information.
This can only be a good thing, and small businesses should use the changes as a chance to review and improve their processes as soon as possible. A focus on privacy is equally beneficial for your business’s bottom line and your customers’ security: in fact, the two can and should go hand in hand.