Understanding the new privacy laws: Not business as usual

On March 12 a set of new privacy laws come into effect that will have implications for SME business owners. Here, Jodie Sangster, CEO of the ADMA, explains how to ensure your business is ready for them.

Last year I spent several weeks travelling around Australia talking to business owners and marketers about the new privacy laws coming in March 2014 and how to get ready for them. I found that some business operators didn’t think the new Privacy Amendment Act affects them and that’s concerning. The laws now apply to any businesses with an annual turnover of more than $3 million and those who collect personal information.

Businesses not on top of their customer privacy obligations could reap fines of $340,000 for individuals and up to $1.7 million for companies breaching the new laws. In addition, Privacy Commissioner Timothy Pilgrim has enhanced powers to proactively investigate companies to determine if they are handling personal information according to the new rules and issue financial penalties if they are not.

Australians want their privacy protected
In the Privacy Commissioner’s 2013 survey of community attitudes towards privacy, Pilgrim noted Australians are becoming more concerned about privacy risks and they expect companies to effectively safeguard their personal information. 96 per cent of respondents said they should be informed of how their information is handled and protected, and if it is lost.

Privacy is an issue that all businesses must now take seriously, not only for the financial consequences, but the serious reputational damage that a breach can cause a company. So what are the changes you need to know? For starters, there will be a new set of 13 Australian Privacy Principles (APPs) that outlines how business operators must handle personal information of customers. The changes affect how a business can: 

  • Collect personal information from customers and prospects.
  • Handle and process the personal information of their customers.
  • Use personal information for marketing purposes.
  • Disclose personal information overseas.


Communicating with customers will become more complex. Under the new law, there is a requirement to allow your customers to opt out of your marketing communications. This is not business as usual because in many instances, the opt out needs to appear in every marketing communication regardless of the channel. That’s every piece of mail, telephone call, email and social media post.


The new privacy laws take effect on March 12. Here’s what you should be doing now:


  • Audit your data collection and handling practices. Know why you’re collecting customer information, where you’re collecting it and what you’re collecting. Think: what personal information do I really need from my customers?
  • Develop a privacy policy (it’s now compulsory under the new laws). The policy must include information about how an individual may complain about a privacy breach and how you will deal with it. Ensure you have systems in place to show customers any information you have about them if they ask about it.
  • Familiarise yourself with ‘notification’ requirements and ensure you have processes in place to comply.
  • Re-evaluate your IT security to ensure you have measures in place to prevent privacy breaches. How you store, manage and secure your data is going to be trickier to manage and if you use cloud storage services, there’s a whole new set of requirements to follow. This is really important for small businesses, which are often stretched financially on the IT front. Ensure you set up your systems properly from the start and teach your staff about the new security requirements.
  • Designate one of your team to be a privacy officer who staff can go to when they have questions about your privacy policy and who can answer consumer enquiries about the policy. All staff need to be aware of the laws and your company’s privacy obligations.


  • APP 8 requires a greater level of accountability from business when personal information is being transferred overseas to other parties. They need to comply with Australian standards. If there’s a breach, you could be liable for it.


Above all, transparency is the foundation on which Australian businesses will build stronger future relationships with consumers. Ensure you’re a trusted data custodian.


If you are still not sure whether the Privacy Act applies to your business, get advice from your lawyer.

Jodie Sangster is Chief Executive Officer of the Association of Data-Driven Marketing & Advertising.

Like My Business on Facebook now to get involved in the SME community discussion. Follow @mybusinessau on Twitter for breaking stories throughout the day.


promoted stories