Opinion: Government’s sledgehammer approach to SME privacy reform needs a rethink

COSBOA CEO Luke Achterstraat explains why co-design with industry must be explored and with realistic timeframes when it comes to privacy law reforms.
Luke Achterstraat
COSBOA CEO Luke Achterstraat. Source: SmartCompany.

Dismay at the government’s decision to retain the small business exemption from privacy law hints towards naivety and only highlights the costly cumulative impact of poor policy processes.

Over 2.5 million small businesses were relieved to learn more was not being added to their compliance plate during the worst operating environment in a decade.

Small businesses are grappling with complex industrial relations changes, the undermining of international students, and an attack on suburban tax agents, just to name a few.

Add to this sticky inflation, rising energy and rent costs, and it is little wonder 51% of small businesses believe things would get worse before better.

Economic conditions alone are not a justification to oppose policy. Some 41% of small businesses continue to cite government red tape as a key impost to their ability to remain in operation.

Australia’s existing privacy laws should not be baulked at.

Earlier this year our privacy-tsar publicised its $21 trillion case against Medibank as a signal moment, warning it was a wake-up call for all Australian firms and more was to come. 

But invoking the bad actions of the few to foreshadow a blanket approach for the many resembled a sledgehammer to crack a nut.

More regulation is not the answer

The small business exemption exists because it is self-evident that a sole trader does not possess even a fraction of the internal compliance team employed by a large enterprise. 

Small businesses are not typically treasure troves of information with equity stakes in offshore data centres.

Notwithstanding, small businesses are already actively processing customer data and taking the appropriate steps to protect their staff and patrons.

An inherent component of running a small business is to sustain trust, particularly in regional communities where small businesses are the biggest sponsors of sporting and community groups.

Despite being the largest private sector employer in Australia, too often small businesses are still considered to be mere “candlestick makers”. 

Small firms are the innovators and engine room of the economy, bringing new ideas to market and driving much-needed competition. 

And yet despite economic headwinds, we are seeing more small businesses actively choose to inform themselves about the growing risk of cyber and the adjacent space of privacy. 

Our Cyber Wardens program – which provides practical upskilling to small businesses on cyber resilience – has found most small businesses know someone who has been hacked or breached and desire more information and capability. 

We need to ramp up skills, training and resources for our small businesses before casting them into the complex web of more regulation.

Two important questions about privacy policy in Australia 

Some have argued the small business exemption should be scrapped merely to bring Australia into line with our European counterparts.

The reality is the European Union has one of the strictest regimes in the world. Comparison with Europe reveals deeper-set issues.

In the EU, over 25 different member states have an agreed definition of small business. Meanwhile, there are at least 25 different definitions of small business across Commonwealth, state, and territory jurisdictions in Australia.

So perhaps there are some underlying problems to be addressed in Australia.

Indeed, the privacy discussion in Australia raises at least two important questions for policymakers.

Firstly, what problem is being solved, and by whom?

More regulation is often the assumed answer when greater awareness for time-poor small business owners is a more logical step in a parliament congested by legislation.

The scope for more co-design with industry must be explored, with realistic timeframes, as we grapple with complex challenges.

In other words, the government must not ‘go it alone’ on regulation but rather better engage industry and practitioners to scope then solve the problem.

Secondly, what impact analyses have been conducted to inform the Cabinet? Are they transparent and do they include genuine distributional analysis?

In fact, a cost-benefit analysis of the privacy changes was commissioned by the government and yet curiously, the report remains buried despite repeated calls for its release.

The privacy commissioner has indicated a desire to see beyond ‘the tip of the iceberg’.

The release of government modelling would bring to light case studies such as mechanics, beauty therapists, and butchers that sacrificed their time to participate in the review.

Small business a key player in privacy debate

Small businesses are highly active in conversations about cyber, privacy and the digital landscape.

Most of Australia’s leading cyber and privacy providers started as small businesses.

Small business welcomes genuine analysis with a risk-based approach.

Privacy should not be a dirty word, but neither should words like process, planning, preparedness, and prudence.

The right decision has been made to retain the small business exemption in our privacy legislation.

It is now time to promote collaborative training and awareness to support our small businesses in navigating the challenges ahead.
