
1 in 4 Aussie SMEs don’t have a data privacy policy

James Mitchell
13 October 2021

The vast majority of Australia’s 2.4 million small businesses are desperately unprepared for sweeping reforms to the Commonwealth Privacy Act, according to new research by global technology platform Zoho.

The report, released this week, found that just one-third of small businesses currently have a defined and documented data privacy policy.

Ahead of large-scale parliamentary changes that will see many businesses face increased fines and penalties for breaches, the report found that only 35% of small businesses surveyed have a defined, documented and enforced policy regarding personal data collected, used and disclosed through their business.

Presently, only businesses with a turnover of more than $3 million, and select other organisations, must be compliant. However, as a matter of best practice, all businesses have a duty to protect themselves and the data of those who use them. Those that don’t could be more susceptible to breaches, which are increasing in both regularity and severity.

According to Zoho’s research, one in four (27%) businesses either don’t have a data privacy policy or don’t know if they do. The remaining 38% of businesses have an informal policy, an unenforced policy or have not read their policy.

“Data privacy is one of the defining issues for the business community today. Unfortunately, confusion and uncertainty reign supreme among Australia’s small businesses,” said Vijay Sundaram, chief strategy officer at Zoho.

“Many of those who must be compliant with proposed regulatory changes are desperately unprepared, while the vast majority — whether the Privacy Act applies to them or not — are very vulnerable to a breach that could have significant consequences.”

Mr Sundaram said it is easy for small businesses to overlook their responsibilities when it comes to data privacy, but the threat and the potential cost are real.

He said: “Small businesses cannot be expected to become privacy and cyber-security experts, so the technology industry and policymakers must make awareness, education and action among these businesses a top priority. Otherwise, with regulation becoming more stringent, penalties more severe and attacks more prevalent and damaging, small businesses will be unfairly and disproportionately impacted. For them, a breach could be catastrophic.”

Third-party “cookies” have in many ways come to define the debate around data privacy. However, many small businesses are unaware of, or ambivalent about, their use. One in three (33%) are entirely unaware that tracking occurs via cookies in their business in the first place, and a further 32% are aware that it happens but do not communicate it to their customers.

Slightly fewer than half (43%) are either uncomfortable or very uncomfortable with their customers’ data being used by companies they have no direct relationship with; 32% are ambivalent, while 25% are either comfortable or very comfortable with their customers’ data being accessed.

“Australia is a nation of entrepreneurs, and while running a small business should be celebrated and encouraged, there are critical data requirements,” Mr Sundaram continued. “Operating a business — no matter the industry — in a COVID-normal world will be dependent on collecting more data — for health and safety measures and as a competitive advantage — than ever before. The reforms are designed to protect, but they must allow adequate time to, first, educate small businesses about their requirements and then ensure that they’re compliant.”

Almost half (44%) of the businesses allow tracking on their website to share content on social media sites — some of which have been involved in well-documented privacy breaches. Almost a quarter (21%) use third parties to track advertising activity. Google (30%) and Facebook (25%) are the dominant platforms, garnering over half of all small business advertising activity.

Support needed for education, retail

According to the Office of the Australian Information Commissioner (OAIC), the three most common industries to experience and report a data breach are financial services, healthcare and education. While almost half of financial services and healthcare bodies have strong policies and practices, only 22% of educational institutions have a defined, documented and enforced data privacy policy.

Few industries have changed more drastically in the wake of the pandemic than education, with millions of students participating in remote education. Not only do the majority of education providers not have a defined, documented and enforced policy, but they are also three times more likely to say technology vendors had done a bad or unsatisfactory job of explaining data tracking (39%) than to say they had done a good job (14%).

With lockdowns closing high streets for prolonged periods, e-commerce sales have reached new heights over the last 18 months. Despite their reliance on online channels, fewer than one in three retailers (31%) have a defined, documented and enforced data privacy policy; a grave figure as the busy retail season approaches.

“The nature of our business means that we handle incredibly personal, private information. We’re required to obtain 100 points of identification — including a passport, driver’s licence, date of birth — from every client and store information in an incredibly discreet, circumspect and sensitive way. We have to demonstrate to the regulator that we can keep our clients’ data safe, and a strictly enforced privacy policy that we communicate to our clients,” said Ray Trevisan, fund manager and director at OTG Capital.

“We use multi-factor authentication, secure blockchain signed documents, password protection and generator tools, so we’re comfortable that we have the systems in place to provide the safety and security that our clients deserve. However, hackers are becoming more aggressive and sophisticated, so we have to be smarter and more diligent in safeguarding our business. The safety of our clients and the reputation of our business depends on it.”
