The state of small business privacy in Australia

We get it. We really do. When starting or successfully running a small business, you need to prioritise the most critical business functions. You focus on a website because you need a storefront. You focus on product because you need something to sell. You focus on invoicing because you need to get paid. You focus on customer support because a happy customer pays your bills.

But in 2021, there is another important business function that small business owners must start considering. Privacy.

The Exemption

In Australia, there are more than 400,000 small businesses that are not covered by the Australian Privacy Act. In short, when talking about privacy, a small business is one with an annual turnover of $3 million or less. Annual turnover for the purposes of the Australian Privacy Act includes all income from all sources. It does not include assets held, capital gains or proceeds of capital sales.

That means that unless your business undertakes one of the activities listed below, you may not have any privacy obligations in Australia.

This may sound like a good thing. Not being required by law to comply with the Australian Privacy Act is, on the surface, a great way to reduce the burden of privacy compliance placed upon SMB owners.

But here is where it gets tricky. Your customers want privacy. In the 2020 Australian Community Attitudes to Privacy Survey (ACAPS) run by the Office of the Australian Information Commissioner (OAIC), 71% of Australians said they believed that small businesses should not be exempt from the Australian Privacy Act.

The cold hard truth is that a data breach is a data breach. Your customers do not care that you are a small business. They expect you to operate in line with best practice and the law.

The Privacy Act Review

The Australian Privacy Act is currently in review, and one of the items on the list for proposed changes is the small business exemption. If this proposed change is passed into law, all small businesses may become bound by the Australian Privacy Act. This would be a huge change for many businesses that are underprepared, and a costly change at that.

Further, many businesses are growing past the $3 million threshold and have no existing privacy governance in place. Their systems, processes and products have been designed with privacy exemptions in mind, and when the time comes to comply with the Australian Privacy Act, they are forced to engage consultants and legal teams to review all aspects of their business. This is not only costly in financial terms, but also in time.

Worse still, some businesses are defaulting to purchasing privacy policy templates online that do not adequately describe their operations. This leaves them at risk of severe legal ramifications if caught by Australia’s privacy regulator (OAIC). It also leaves them at risk of breaching their customers’ privacy and trust, something that can result in the closure of some businesses.

While exempt from the Australian Privacy Act, small businesses are not exempt from privacy risks. The average cost of a data breach in Australia was $146 in 2020. Per record. Think about how many customers you have. Now multiply that by $146. Is that a cost you can afford?

The Problem

When we speak to business owners, the most common feedback we receive is that privacy is confusing and expensive to manage. This mindset is fuelling the problem. Set aside your legal obligations for a moment and put yourself in your customers’ shoes. If your credit card, driver’s licence and email address were breached, would you be less frustrated if the company that breached them was a small business?

On top of that, the above rationale is simply not true. The Cisco Data Privacy Benchmark Study 2020 showed that investment in privacy in Australia delivered a 2.1x ROI. That means for every $1 you invest in protecting your customers’ personal information, you return $2.10.

The Solution

Taking all the above into account, we created Openly For Business. Our platform is designed to simplify self-management of privacy for small business owners. Through our simple privacy modules, we give you everything you need to voluntarily become compliant with the Australian Privacy Act.

By completing our short program, you can tell your customers that you really care about their privacy.

And if you needed one more reason to consider improving your privacy governance, the ACAPS revealed that 88% of Australians have chosen not to deal with a business because of privacy concerns. Imagine your business growth if you can secure those customers.


2020 Australian Community Attitudes to Privacy Survey

2020 Cisco Data Privacy Benchmark Study

CSO Online Cost of a Data Breach

Regardless of annual turnover, you will still be bound by the Australian Privacy Act if you are one of the following:

  • a health service provider
  • trading in personal information
  • a contractor that provides services under a Commonwealth contract
  • an operator of a residential tenancy database
  • a credit reporting body
  • a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
  • employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
  • a business that conducts protected action ballots
  • a business accredited under the Consumer Data Right system
  • related to a business the Privacy Act covers
  • a business prescribed by the Privacy Regulation 2013
  • a business that has opted in to be covered by the Privacy Act

A note about liability:

This advice is general in nature and does not take into account your objectives, your situation or your needs. You should consider whether the advice is suitable for you and your circumstances. Where relevant, you should consider seeking professional legal advice. While we always work to ensure the advice provided is accurate and relevant, Openly Australia accepts no liability for issues arising from use of this advice.

Super Simple Privacy Compliance For Your Business.

We give you the tools, support and resources required to ensure your business is privacy compliant. Getting started costs you nothing, and you don't need to be a privacy expert to understand what we're talking about.