Privacy Act Changes for Small Business Exposed

Exemptions to the Privacy Act for small businesses are ending, with significant implications for data management that you need to be across.

Doctor Digital Says


In recent times, the digital landscape has witnessed significant changes in data privacy regulations. One crucial shift that has significant implications for small businesses is the foreshadowed end of Privacy Act exemptions for small businesses, based on a raft of recommendations by the Commonwealth government in response to a major review of the act. As a small business owner, understanding the implications of this change is vital.

Small businesses with an annual turnover of $3 million or less are currently exempt from the Privacy Act, and many of the penalties leveled against bigger businesses when they mishandle sensitive data. The government believes small businesses are now capable of handling sensitive data at a scale previously achieved by bigger businesses.

This means even the smallest enterprises are capable of harming customers, clients, and employees by misusing or exposing their personal information. At the time the Privacy Act was extended to the private sector, it was considered that most small businesses posed a low risk to privacy and that compliance costs would disproportionately and unreasonably burden small businesses.

This has now changed with the Commonwealth Government acknowledging that the community expects that if they provide their personal information to a small business it will be kept safe and not used in harmful ways.

Given how much data many small businesses now hold about their clients, being proactive on data management and what is really necessary for your business to request is important. However, not every small business faces the same data risk profile.

Recognising that early-stage startups may already collect vast tracts of user data, the government says some small businesses will face coverage under the Privacy Act sooner than others.

This includes small businesses and startups that collect and use biometric data, like those involved with facial recognition technology. Businesses that actively trade in personal information will also face Privacy Act coverage sooner than low-risk enterprises.

In this blog post, we explore some of the major ways your business could be affected and the actions to take to effectively manage the personal data you hold about your clients.

Increased Compliance Requirements:

With the end of Privacy Act exemptions, small businesses will need to comply with data protection regulations, which may involve additional administrative work and costs. Organisational accountability is key to managing privacy and data with clear lines of responsibility.

One significant recommendation by Government is that businesses should nominate a senior employee as having specific responsibility for privacy within the organisation.

While medium and large businesses with a dedicated technical team may already have de facto data safety officers in place, the requirement could see small business operators take on another responsibility and need to ensure that the person responsible is adequately skilled and supported to do so.

Action: Invest in employee training and consider hiring a data protection officer or consultant to navigate compliance effectively.

Data Collection and Storage Limitations:

Small businesses may face restrictions on the collection and storage of personal data. This can affect marketing strategies and customer relationship management. Collecting and using data are both major concerns, but so too is the long-term storage of that information, even after it is no longer needed by a business.

Hoarding data can result in a high-risk situation where bad actors target major stores of information. To reduce those risks, the Commonwealth government is considering rules that would force businesses to set minimum and maximum data retention periods.

Those rules will need to be simply and transparently expressed to users and customers in accessible privacy policies. It is suggested that the Office of the Australian Information Commissioner should provide additional guidance on how to safely and effectively destroy or de-identify sensitive information.

Action: Review your data collection practices to ensure they align with regulatory requirements and seek explicit consent for data usage.

Consent Management:

Obtaining explicit consent for data usage and maintaining records of consent will become more critical. Failure to do so could result in penalties. Set-and-forget consent notices must be improved in order to give users a clearer understanding of how their data is actually being used. An over-reliance on consent places an unrealistic expectation on individuals' understanding of the risks of information-handling practices.

Action: Implement robust consent management processes for high-risk privacy situations and maintain accurate records of consent from customers using accessible language.

Data Breach Reporting:

In the post-exemption era, small businesses must promptly report data breaches. Failure to do so may result in severe consequences. Businesses should quickly and clearly alert their customers, employees, and regulators in the event of a data breach, the report says.

The government says organisations covered by the Privacy Act should be required to:

  • Alert the Information Commissioner within 72 hours if an eligible data breach takes place;
  • Notify affected individuals as soon as practicable, including the phased release of information if the situation is not immediately clear; and
  • Take “reasonable steps” to have systems, procedures, and operating practices in place in response to a data breach.

Action: Develop a data breach response plan to detect, report, and mitigate breaches efficiently.

Data Access Requests:

Clients can request access to their personal data. Small businesses must respond to these requests within stipulated timeframes. Refreshed privacy rules could also give greater transparency and control to individuals through the creation of new user rights.

If enacted, small businesses would need to provide in-depth information to users and stakeholders about how their data is being used, if they are asked.

Some measures under consideration include reinforced rights to:

  • Request an explanation of how user information is being held, and what is being done with it, through an “enhanced” right-to-access process;
  • Contest the information handling practices of a business;
  • Require an entity covered by the Privacy Act to explain how they are complying with it;
  • Request the deletion or de-identification of sensitive data;
  • Request corrections in online publications and databases; and
  • Force search engines to “de-index” some results, making it simpler for individuals to contest the way internet giants highlight content related to the individual.

Action: Develop processes to handle data access requests promptly and efficiently.

The end of the Privacy Act exemptions signifies a fundamental shift in how small businesses manage personal data. Low or no compliance, and the absence of proactive management strategies, could result in hefty fines that devastate a small business and damage its brand and reputation. Privacy mishaps can erode customer trust, and clients may be hesitant to share their data if they doubt your commitment to privacy; conversely, being known as a safe place for data will become a brand advantage in the marketplace. Transparently and proactively help your clients and customers to understand their rights, your commitment to data privacy, and the transparent data handling practices you have implemented.

As data security becomes paramount, small businesses may need to invest in robust cybersecurity measures to protect customer data, and budget to allocate resources for cybersecurity tools and training that safeguard customer information effectively. If your small business relies on third-party vendors for various services, this can increase the risk of data exposure, so it is important that you are confident about the vendors' data protection practices and consider contracts that include data protection clauses.

The good news is the government says it won’t throw small businesses into new Privacy Act compliance measures without giving them time and support to adjust. Further consultation will be undertaken with peak bodies and small businesses to examine the gaps between small businesses and compliance with the Privacy Act, and begin the creation of educational materials designed to help businesses to adapt to the changes.

While understanding these changes may seem daunting, proactive measures such as those suggested above can help small businesses adapt and thrive in this new regulatory environment. By getting on the front foot and investing in compliance, data security, and transparent data handling practices, small businesses can continue to build trust with their clients and maintain a strong reputation for safety and privacy.
