Understanding the impacts of the new Privacy Act: A guide for small businesses
As a small business owner, I’m sure you’ve heard the rumblings about the upcoming changes to the Privacy Act. Understandably, the thought of another layer of regulation might feel a bit overwhelming. But let’s face it: this new draft bill isn’t just another piece of red tape. It’s a significant overhaul aimed at protecting personal information, and it’s something we all need to take seriously. Peta Sweeney, Advocacy and Content Manager at RIMPA Global, dives into what this means for small businesses and how we can get ahead of the curve.
What is the Privacy Act?
In a nutshell, the new draft Privacy Act is set to replace the outdated regulations we’ve been working with since 1988. Yes, you read that right—1988! The world has changed a lot since then, especially in terms of technology and data. The government is pushing for reforms to ensure that all organisations, regardless of size or sector, handle personal information responsibly.
How the reforms impact small businesses
With the potential removal of the small business exemption, it’s important to consider the implications, even though the change is not yet confirmed. A small business is currently defined as one with an annual turnover of $3 million or less. While we don’t have a definitive timeline for when this exemption might be scrapped, it’s crucial for small businesses to prepare for the possibility.
If the exemption is eliminated, it could mean that all businesses, regardless of size, would need to comply with the same regulations. Currently, smaller businesses benefit from more leniency, but this could change. The new Privacy Act proposes severe penalties for privacy breaches. According to Corrs, these penalties could reach up to $50 million, three times the value of benefits obtained from the breach, or 30% of the company’s adjusted turnover during the breach period—whichever is highest. Additionally, businesses and government entities might be required to disclose ransom payments made to hackers, with potential fines up to $15,000 for non-disclosure. These provisions are still part of the proposed bill and could change before final approval.
It’s worth noting that while this seems like a one-size-fits-all approach, the government often implements a sliding scale based on size, sector, or other designations. Therefore, it’s possible that such considerations will be taken into account. However, without confirmation, it’s advisable for small businesses to be prepared for this potential scenario.
What can small businesses do?
We understand that for small businesses, the prospect of new regulations can be overwhelming, especially when resources are tight. With the draft bill expected soon and rumoured to give small businesses just a year to get their data and information up to regulation, here are some free tools and steps to help you prepare:
- Start with a Privacy Checklist:
  - Privacy Checklist for Small Businesses: This checklist from the OAIC is a great starting point to understand what steps you need to take. You can find it here.
- Conduct a Privacy Impact Assessment (PIA):
  - eLearning Course on Conducting a Privacy Impact Assessment: This course will guide you through understanding your risks and how to manage them. You can access it here.
- Prepare a Data Breach Response Plan:
  - It’s crucial to have a plan in place to act quickly in the event of a data breach. Being prepared can make a significant difference. Check out the OAIC’s guide.
  - Responding to Data Breaches – Four Key Steps: This guide details what to do and who to contact if a breach occurs. Having this information in advance will help you manage any incidents more effectively. Access it here.
- Strengthen Your Data Security Measures:
  - Cybersecurity is a Critical Business Issue: The new Privacy Act will require robust security measures for all types of personal data—whether it’s from customers, employees, or third-party providers. It’s important to understand that while third-party providers (TPPs) may host or process your data, the responsibility for protecting it remains with your business.
  - Review and Monitor Third-Party Providers: Ensure you have a clear understanding of what data your third-party providers handle and establish contractual obligations for data breaches. Regularly review their security measures and ask for information security certifications or standards they implement. Collaborate with them as part of your data breach response plan to report, respond, and recover effectively.
- Invest in Cybersecurity Training:
  - Investing in cybersecurity training for your team is crucial. This training helps ensure that your staff understands the latest threats and best practices for safeguarding data.
  - There is also a growing emphasis on ensuring that directors of companies are cyber literate. They may need specific training to understand cybersecurity intricacies and lead their organisations effectively under the new regulatory framework.
Every Australian should be confident that their online interactions are secure and their privacy is upheld. At RIMPA we support businesses and industries taking proactive steps alongside regulatory measures to address rising cyber risks and privacy breaches. Data minimisation is crucial: businesses need to understand their responsibilities, retain only what’s necessary, and dispose of what isn’t. By managing data more effectively, businesses will be better equipped to handle privacy risks and adapt to upcoming regulatory changes.
Peta Sweeney is the Advocacy and Content Manager at RIMPA Global.






