
How will the new Australian privacy laws affect your small business?

Data breaches and cyberattacks are continuously on the rise. A new report states that the Office of the Australian Information Commissioner (OAIC) was notified of 527 data breaches from January to June 2024. This is the highest number of notifications since the July to December 2020 reporting period, and an increase of 9 per cent on the second half of 2023.

Responding to these alarming figures, the federal government recently introduced a new bill aimed at updating Australian privacy laws. The purpose of this new bill, known as the Privacy and Other Legislation Amendment Bill 2024, was to strengthen the country’s privacy laws and address increasing concerns around digital privacy and cyber risks.

But what are these new privacy law changes, and how will they affect small businesses?

What is the Privacy Act 1988?

The Privacy Act 1988 is the main legislation in Australia that governs the handling of personal data by organisations (whether private, government or not-for-profit). The Act sets out how personal information must be collected, used, stored and disclosed.

The Act has been updated a number of times over the years to reflect our changing society and the way we interact with technology. The new privacy reforms will be released in phases.

What are the Australian Privacy Principles?

While the Privacy Act is the primary legislation, the Australian Privacy Principles (APPs) make up the foundations of the Act itself. These 13 principles set the standard for how organisations need to handle and protect personal information and data. The APPs also act as a guide for individuals, helping the general public understand what their privacy rights are.


What Australian businesses will be affected by the Privacy Act?

Some of the businesses covered by the Privacy Act include:

  • Any business that has an annual turnover of more than $3 million.
  • Health service providers.
  • Contractors that provide services under a Commonwealth contract.
  • Any operator of a residential tenancy database.
  • Any business that collects or discloses the personal information of individuals to a third party for a benefit, service or advantage. (A business is not trading in personal information if it collects or discloses personal information with the explicit consent of the individuals concerned, or where it is required to collect the data by law.)

For a full list of the different types of businesses covered by the Privacy Act, visit the OAIC website. You can also complete a short questionnaire online to confirm whether or not your business is covered by the Act.

However, even if your business is not covered by the Act, it’s best practice to always ensure that your cybersecurity precautions are up to date, and that you’re doing everything you can to protect client information and data.

How the new privacy laws could impact businesses

There are a number of updates to the Privacy Act that seek to protect individuals’ rights and privacy. It should be noted that these key changes are just some of the ways the updated privacy laws may impact your business.

The Children’s Online Privacy Code

The introduction of the Children’s Online Privacy Code (COP Code) is one of the most significant updates to the Privacy Act. This code will be developed by the OAIC. It could impact businesses that offer online or electronic services that are used by children.

Enhanced data security requirements

One of the key updates of the new laws is the introduction of stricter data security requirements. The update clarifies that reasonable steps must be taken to protect information businesses hold, which includes implementing measures at a technical and organisational level.

  • Organisational: This could include training employees on data protection and cybersecurity issues and developing a new operating procedure for handling personal data.
  • Technical: This may include ramping up the business’s cybersecurity, encrypting data and deleting all client data after a certain period of time.

The aim of having both organisational and technical safeguards in place is to reduce the risk of data misuse, unauthorised access and data breaches. Businesses must also have response protocols for data breaches, which includes notifying individuals and regulators as soon as possible.

These new security reforms bring Australian privacy laws more closely in line with Europe’s new data protection laws, the General Data Protection Regulation (GDPR).


Introduction of a statutory tort

First of all, what is a statutory tort? In legal terms, a tort is a wrongful act that results in injury to another’s person, property or reputation, and for which the injured party is entitled to seek compensation. In the context of the new privacy law updates, a statutory tort refers to a legal obligation or duty established by legislation (rather than common law) that allows individuals to seek compensation if their privacy rights are violated. The reason for implementing this is to allow individuals to take legal action against the entity responsible for any harm caused.

For example, let’s say you’re a small e-commerce business and you have not taken enough precautions to secure your customer data. Your customer database is hacked, and your customers’ payment information is exposed online. Affected individuals who have been impacted by your failure to secure their information could potentially use the statutory tort to seek compensation from you, which could include financial compensation and compensation for emotional distress.

This could also impact small businesses if you take and store customer data without your customers’ consent, as this would be seen as a breach of privacy – especially if this wrongfully held information was later stolen in a data breach and exposed online. This statutory tort can be used against individuals or businesses, which means it can be used against small businesses regardless of whether their annual turnover is less than $3 million.


Protecting your small business in the digital age

These new changes to the Privacy Act reflect the growing concern around data privacy and how personal information is handled securely and appropriately. With data breaches and cyberattacks on the rise, it’s more important than ever that businesses of all sizes take the necessary steps to protect the data they retain.

Your customers’ data is a valuable commodity

Many small businesses don’t realise that they’re at risk of a cyberattack until it’s too late. So while these new privacy laws exclude certain small businesses with an annual turnover of less than $3 million, this doesn’t mean that SMEs should be complacent about implementing stronger cybersecurity measures.

A few steps you can take to help improve your cybersecurity measures and help protect your customer data include:

  • Upgrade your antivirus software and ensure it’s up to date.
  • Implement multi-factor authentication for sensitive accounts.
  • Regularly back up data and always store backup files offline.
  • Train your employees on how to recognise cyberthreats.
  • Use strong, unique passwords and invest in reliable password manager software.
  • Always ensure the latest security patches are installed and don’t delay updates.
  • Secure your Wi-Fi network with strong encryption and hidden SSIDs.

Safeguarding your business with Cyber Liability insurance

Despite your best efforts, a cyberattack or data breach could still happen to your business. That’s when you may want a backup plan to help you contain the issue and recover. Cyber Liability insurance is designed to help protect you from claims and support your profitability in the event of a cyberattack. Costs associated with defending a cyber claim are also covered.

Cyber Liability insurance could come in handy if you do face a data breach, as the insurer may appoint an IT forensic consultant to help repair compromised systems and investigate the incident. They may also contribute to any legal costs if a claim is brought against you.

You can find out more about Cyber Liability insurance online at BizCover. You can compare multiple quotes and purchase insurance in moments. It’s fast, easy and simple. For on-the-go cover, go BizCover.

This information is general only and does not take into account your objectives, financial situation or needs. It should not be relied upon as advice. As with any insurance, cover will be subject to the terms, conditions and exclusions contained in the policy wording.
© 2025 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769
