Shopping Cart


No products in the cart.


We're Building the World's BIGGEST Online Community for Small Businesses

Small businesses getting serious on data privacy 


As digital transformations surge, businesses tap into the artificial intelligence (AI) craze, and more data is shared between consumers, businesses, and third parties online, privacy threats rise to new heights.

The issue has become one of the defining focuses for businesses today. To feel the full benefit of data, we must safeguard it.

After a procession of high profile privacy breaches that saw the data of tens of millions of Australians compromised in recent years, the Government is on the front foot. Policymakers are in the process of extending the jurisdiction of The Privacy Act 1988, to cover millions of small and medium businesses. Previously, only businesses with an annual turnover in excess of AUD$3million had to comply, but now that exemption is being removed. Small businesses will now be liable for steep fines and levies for non-compliance.

Any policy, technology, or program that protects data plays an important role. However, Zoho research found that Australian SMBs remain unprepared. A few questions leap to mind: What is in the regulation? What did our research find? And, how can small businesses prepare? 

What is The Privacy Act 1988?

The Privacy Act 1988 is the law that regulates the handling of personal information by Australian businesses and government agencies. It oversees the collection, storage, use, and disclosure of personal information, with the guiding aim of protecting individuals’ privacy rights. The Act applies to most private sector businesses with an annual turnover of more than $3 million, as well as certain smaller businesses, health service providers, and other select entities. 

However, last year, a review by the Attorney General proposed that exemptions for businesses with an annual turnover of less than $3 million – essentially, millions of SMBs – should be removed. It comes as the severity and regularity of privacy breaches increases at an alarming rate. The Australian Cyber Security Centre (ACSC) received over 94,000 cyber crime reports in the 2022-23 financial year. This represents one report every six minutes, with millions of Australians impacted. 

Small businesses unprepared

Privacy breaches are indiscriminate; they target and attack any businesses with vulnerabilities, irrespective of their size. While the news is dominated by breaches to big businesses, small businesses are far from immune – which is why the legislation is being extended. What is of great concern, though, is how few small businesses understand the legislation and their obligations.

According to Zoho research, only 51.8% believe that their business understands its requirements in accordance with The Privacy Act 1988. That means well over one million small businesses. Fewer than half (46.2%) claim to know exactly what to do if they fell victim to a privacy breach while just 44.6% have a well-defined, documented and applied customer privacy policy. What’s more, 25% of local small businesses would fail to survive the financial or reputational damage of a privacy breach.

While no business can eliminate the potential of a data breach, they can proactively reduce the risk and the potential damage done if they are affected.

Building proactive safeguards

Our research found that 59.4% of SMBs acknowledge their vulnerability to data breaches, yet they are not taking enough action to strengthen their data security. Overcoming this paralysis is paramount. Small businesses should create a clear, defined and documented data privacy policy that is communicated with their customers and followed by their staff. The mere existence of such a policy helps to encourage best practice – which in itself reduces the risk of a breach – and helps them understand the steps to take if they do fall victim.

Small businesses should also do their due diligence when selecting technology providers; prioritising those who take data privacy and transparency seriously. Small businesses should take the time to understand the policies of the technology providers they use, and what those vendors do with data.  Zoho has a strict customer privacy first policy and don’t have an ad-revenue model in any aspect of our business. Meanwhile, our Ulaa browser, with a privacy-first approach, aims to offer a safe browsing experience by incorporating ad blockers, end-to-end encryption, and features that safeguard data privacy.

Small businesses can – and should – deploy tactics and safeguards in their everyday operations. For example, implementing robust encryption measures ensures sensitive information remains secure. Employees should undergo regular training sessions to encourage best practice and reduce the risk of human error. Multi-factor authentication – for example, when logging on to important systems – adds an extra layer of security, while regularly updating software and conducting thorough security audits reduces risk further. 

Finally, small businesses should speak to their accountant, business advisor or legal advisor to understand The Privacy Act 1988, and how, and if, they must comply.

Responding to a breach

Unfortunately, eliminating the risk of a breach 100% is simply not possible. Knowing what to do in the event of a breach, though, is possible. Almost 350,000 small businesses claim to have no knowledge on what to do if they were the victim of a breach. If a small business is breached, swift action is essential. First, they should attempt to contain the breach. Affected individuals should be notified promptly, with clear and transparent communication, while the incident must also be reported to the Office of the Australian Information Commissioner (OAIC). 

Once those immediate steps have been carried out, small businesses should investigate the breach thoroughly, identifying vulnerabilities and introducing any relevant security enhancements. Then, by reviewing and updating their privacy policies and procedures, small businesses will be better placed to reduce the risk of future breaches. 

Small businesses cannot be expected to become privacy and cyber security experts themselves, though. The technology industry must make data privacy a priority and policymakers must incentivise action and provide the right education and awareness so small businesses can implement measures to protect themselves and their customers. Otherwise, with risks increasing every day, regulation becoming more stringent, and penalties more severe, SMBs will be unfairly and disproportionately impacted. 

Keep up to date with our stories on LinkedInTwitterFacebook and Instagram.


Leave a Reply