What changes to the Privacy Act mean for small businesses

Significant changes to the Australian Privacy Act 1988 are on the horizon. They will impact how customer data is handled and bring increased scrutiny from regulators. Understanding and preparing for these reforms will be essential for WA small businesses to remain compliant and build trust with their customers.

The Privacy Act 1988 (Privacy Act) is Australia’s primary legislation that governs the handling of personal information by businesses, including how they collect, store, and use customer data. It currently requires organisations to ensure that any personal or sensitive information they handle is protected and used only for legitimate purposes. 

Responsibilities include:

• implementing security measures to prevent unauthorised access to information
• ensuring that customer data is destroyed or de-identified when no longer needed, and 
• gaining proper consent when collecting certain types of sensitive information. 

While the Australian Government has signalled that there will be a transition period, it’s a good idea to start preparing now by reviewing your privacy practices. 

Removal of the small business exemption

For small businesses, particularly those with an annual turnover of less than $3 million (accounting for about 92 per cent of Australian businesses), many of the requirements to protect data were optional under a small business exemption to the current Privacy Act. 

However, upcoming changes to the Act will soon remove this exemption, making compliance mandatory for nearly all businesses, regardless of size. It’s expected that compliance requirements will depend on the level of risk associated with the business, with small businesses that rely heavily on technology or collect sensitive customer information, likely to face stricter regulations.

Key changes to the Privacy Act

Of the 38 recommendations from the Privacy Act review accepted by the Government, the following are most likely to affect small businesses:

1. Businesses will need to take reasonable steps to secure personal information and destroy or de-identify data when it’s no longer needed.
2. The definition of consent will become more specific, requiring it to be voluntary, informed, current, and unambiguous.
3. Before starting any high-risk activities that could significantly affect individuals' privacy, businesses must conduct a privacy impact assessment.
4. Businesses offering online services accessible to children will need to follow a specific privacy code to safeguard young users' data.
5. The new laws will introduce tiered penalties, with the most serious breaches facing more substantial fines.

What steps should you take now

As the privacy landscape evolves, small business owners should start preparing for the changes by reviewing how they collect, store, and manage personal information. This includes ensuring that all data handling processes are transparent, secure, and compliant with the updated privacy requirements.

Building a privacy program tailored to your business can help manage these changes. A privacy program includes internal policies and procedures that ensure compliance with privacy laws. It’s particularly valuable for businesses collecting sensitive customer data or operating across multiple jurisdictions.

Seeking expert advice early on can also help small businesses navigate these new regulations with ease. Privacy consultants can help develop customised privacy frameworks that address specific compliance needs, reducing the risk of breaches and penalties.

Preparing for the future

With the growing use of digital information and data every year, almost every business uses customer data in some form. While the privacy changes might seem like another obstacle to the day-to-day running of your business, they also present the opportunity to strengthen data protection from external threats. 

For businesses already operating internationally, the upcoming changes may feel familiar, as many countries already enforce stricter data protection laws. Small businesses can learn from global privacy standards to ensure they are not only compliant but also ahead of the curve.

The Privacy Act reforms represent a shift in how businesses interact with personal data, and small business owners must be prepared. Taking steps to comply with the new regulations will not only help businesses avoid penalties but will also create an environment of trust with both customers and employees. By acting early, your business can reduce risks, improve data security, and position yourself for success in a more privacy-conscious marketplace.

More information

• Legal responsibilities: understand your legal obligations as a business
• Is your business at risk of a data breach?
• WA Government: Privacy and Responsible Information Sharing