Table of contents
With sweeping changes to the Privacy Act soon to come into effect for Australian businesses, small-to-medium enterprises (SMEs) will face increased scrutiny from regulators over how compliant they are in dealing with customer data. Failure to comply will lead to not only financial penalties but also reputational damage.
Slashing the small business exemption
The biggest change to the Privacy Act (anticipated in 2024) is the removal of the small business exemption. Currently, most businesses with a turnover of under $3m, which includes approximately 92 percent of businesses in Australia, are exempt from compliance with the Privacy Act. However, with the small business exemption removed, a turnover threshold will likely no longer apply to any business, meaning that SMEs will no longer be exempt from the Privacy Act legislation.
The Government Response released in 2023 foreshadows that a phase-out period will apply, but proactive small businesses are taking steps now to ensure their privacy practices are aligned with industry expectations. The Government Response also considers that compliance requirements will be tailored to a company’s privacy risk profile. The main targets will be small businesses that rely heavily on technology and collect large amounts of customer data, including sensitive information.
Be on the front foot
The reality is that in 2024, there is not a single business that does not work with or store customer data in some way. As daunting as it might seem, taking a proactive approach to embracing these changes is the best way to manage potential risks – an ounce of prevention is worth a pound of cure.
Rather than viewing these changes as a challenge to their processes, taking a proactive approach gives SMEs a chance to get on the front foot by protecting customers’ data and interests. It is an opportunity, rather than a risk, to build trust with their customers and establish long-term growth. SMEs have a responsibility to their customers to learn about essential privacy protections and take a more mindful approach to storing sensitive customer information.
Seeking expert advice
For many small business owners, building a compliant privacy program can be a daunting task. That’s why engaging with privacy experts early on to craft a tailored privacy program is critical.
A privacy program is a series of internal policies, procedures and frameworks that ensures a business is compliant with privacy laws. With the right support, businesses can implement effective processes to reduce concerns around looming risk from data and privacy regulations, and increase privacy protections in line with existing business objectives and endeavours.
Large or small, having a fit-for-purpose privacy program ensures that businesses are aware of the gaps in compliance and have a plan in place for how to address those gaps.
Learning from examples abroad
For most SMEs, a privacy program will be limited to the laws of one jurisdiction, however, those that have multinational operations are increasingly challenged by multijurisdictional compliance demands that require more comprehensive data privacy plans.
While Australia’s privacy laws are undergoing a revamp, businesses that also operate overseas can provide a great example for small businesses aiming to comply with stricter legislation.
Our privacy law professionals are well-versed in the best-practice initiatives employed by businesses operating in countries with stricter data privacy laws, and can offer tailored guidance to ensure data privacy compliance across all areas of operation.
As Australian small businesses seek to adapt their cybersecurity and data handling practices to keep up with policy changes, it’s essential that entrepreneurs adopt a privacy program that reflects global best practices to protect consumer data.
Tailoring the approach
Burch&Co crafts ‘just right’ legal solutions for our clients, big and small alike, based on a detailed consultation to determine their needs. From our Corporate team to our Startup team, we aim to think holistically about a client’s business and how we can add
value, rather than just adding our two cents of legal opinion.
We take the time in our initial consultations to establish our understanding of the people and businesses that we’re working with, getting to know our clients’ objectives, needs and priorities. This enables us to support our clients’ goals with tailored, adaptable strategies that are directly applicable to their current situation and future growth.
Authors: Hana Lee – Associate, Leader of the Startup & Capital team