
Changes to the Privacy Act are coming. Here’s what SMEs need to know

With sweeping changes to the Privacy Act soon to come into effect for Australian businesses, SMEs will face increased scrutiny from regulators over how compliant they are in dealing with customer data.
Hana Lee
Hana Lee. Source: SmartCompany.

With sweeping changes to the Privacy Act soon to come into effect for Australian businesses, small-to-medium enterprises (SMEs) will face increased scrutiny from regulators over how compliant they are in dealing with customer data. Failure to comply will lead to not only financial penalties but also reputational damage.

Slashing the small business exemption

The biggest change to the Privacy Act (anticipated in 2024) is the removal of the small business exemption. 

Currently, most businesses with a turnover of under $3 million – which includes approximately 92% of businesses in Australia – are exempt from compliance with the Privacy Act. Once the small business exemption is removed, a turnover threshold will likely no longer apply to any business, so SMEs will be subject to the Privacy Act like everyone else.

The government’s response, released in 2023, foreshadows that a phase-out period will apply, but proactive small businesses are taking steps now to ensure their privacy practices are aligned with industry expectations. 

The government response also indicates that compliance requirements will be tailored to a company’s privacy risk profile. The main targets will be small businesses that rely heavily on technology and collect large amounts of customer data, including sensitive information.

Be on the front foot

The reality is that in 2024, there is not a single business that does not work with or store customer data in some way. As daunting as it might seem, taking a proactive approach to embracing these changes is the best way to manage potential risks – an ounce of prevention is worth a pound of cure.

Rather than viewing these changes as a challenge to their processes, SMEs can take a proactive approach and get on the front foot by protecting customers’ data and interests. It is an opportunity, rather than a risk, to build trust with their customers and establish long-term growth. SMEs have a responsibility to their customers to learn about essential privacy protections and take a more mindful approach to storing sensitive customer information.

Seeking expert advice

For many small business owners, building a compliant privacy program can be daunting. That’s why engaging with privacy experts early on to craft a tailored privacy program is critical.

A privacy program is a series of internal policies, procedures and frameworks that ensure a business is compliant with privacy laws. With the right support, businesses can implement effective processes to reduce concerns around looming risks from data and privacy regulations, and increase privacy protections in line with existing business objectives and endeavours.

Large or small, having a fit-for-purpose privacy program ensures that businesses are aware of the gaps in compliance and have a plan in place for how to address those gaps.

Learning from examples abroad

For most SMEs, a privacy program will be limited to the laws of one jurisdiction. However, those with multinational operations are increasingly challenged by multijurisdictional compliance demands that require more comprehensive data privacy plans.

While Australia’s privacy laws are undergoing a revamp, businesses that also operate overseas can provide a great example for small businesses aiming to comply with stricter legislation.

As Australian small businesses seek to adapt their cybersecurity and data handling practices to keep up with policy changes, it’s essential that entrepreneurs adopt a privacy program that reflects global best practices to protect consumer data.
