These days, the risk of data breaches isn’t just something big corporations need to think about. Here are some essential tips and actions to help you protect your data security for your small business.

Some major data breaches have made the headlines recently – and, unfortunately, these are not likely to be the only major data leaks we’ll hear about in our heightened risk environment. If you collect any kind of personal information from your customers, you need to know your obligations under Australian law regarding the collection, storage and safety of that data.

Here are 7 things you need to know about privacy and data security, and actions you can take, to protect your business and customer data.

#1 Know the risks

By understanding the risks of cybercrime, you can take steps to try to protect your customers, your staff and the data you collect and store for your business.

Last financial year, the Australian Cyber Security Centre saw a cybercrime report made every seven minutes, on average. According to their Annual Cyber Threat Report 2022:

  • The average cost of a cybercrime was more than $39,000 for a small business in the 2021-22 financial year.
  • Cyber criminals are continuing to target Australian small businesses and individuals to seek sensitive information.
  • 150,000 to 200,000 small office/home office routers in Australian homes and small businesses are vulnerable to compromise.

Take action

Spend around 20 minutes assessing the likely risks to your business through The Department of Industry, Science, Energy and Resources cyber security assessment tool. Be particularly aware of security around your internet connection and follow these steps to make your network more secure.

#2 Know your obligations

Keeping personal information secure is always important but only some small businesses are covered by the Privacy Act 1988. You can opt in to be covered by the Privacy Act, which could show your customers just how seriously you take their privacy.

Depending on your business, industry and structure, your business may also need to comply with:

Take action

Use the Office of the Australian Information Commissioner (OAIC) Privacy Checklist for Small Business or check with your legal adviser to see if your small business needs to comply with the Privacy Act. At the end of the OAIC checklist is information on opting in to be covered by the Privacy Act.

#3 Know what you can and can’t collect

It’s important to only collect personal information that you actually need for your business. As the OAIC website states: “Don’t collect personal information just because it may become necessary or useful at a later date. If you need it later, you can collect it then.”

Some of the data you collect will be personal information such as your customer and staff members’ names and contact details. Other details you need to collect could fall under the category of ‘sensitive information’. The OAIC defines this as “a specific set of personal information that includes an individual’s racial or ethnic origin, religious beliefs or affiliations and sexual orientation or practices. It also includes information about health, genetics and biometrics.”

This kind of sensitive information can only be collected with someone’s consent but may be necessary for your business, for example if you run a healthcare practice.

Take action

Read the Office of the Australian Information Commissioner (OAIC) tips to learn more about your obligations when handling personal information.

#4 Know how to store your data in the safest possible ways

If you do collect and store personal information, you need to proactively protect that information from unauthorised access, modification or disclosure. You also need to protect that data against being misused, interfered with or lost.

Once you no longer need personal information for the reasons allowed by the Privacy Act, unless you are required to keep it by law, you need to take reasonable steps to destroy or de-identify that information.

Take action

Learn about storing data securely in the OAIC Guide to securing personal information.

#5 Know how to protect your data and systems

According to the Australian Cyber Security Centre, keeping your devices and software up-to-date is an important step in keeping data secure. This includes information you might store using cloud-based systems.

When possible, choose automatic updates for your mobile, laptop and computers – but also check in regularly to make sure these updates are being performed correctly.

Multi-factor authentication (MFA) is also an important security measure to consider. This is when someone needs more than one way to confirm their identity. For example, if customers log into an account through your website, you might introduce an MFA system where your system sends a single-use code to their mobile. They would then need to enter that code to log in to their account online.
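As an added illustration of the single-use code flow described above (example code, not from the original article or any named provider), the following Python keeps only a keyed hash of each issued code, expires it after a set time, consumes it on first successful use, and limits wrong guesses. The five-minute lifetime and three-attempt limit are assumed policy values, and sending the code by SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code is only valid for five minutes
MAX_ATTEMPTS = 3         # assumed policy: discard the code after three wrong guesses


class OneTimeCodeStore:
    """Issues and checks single-use login codes sent to a customer's mobile.

    Only a keyed hash of each code is stored, so a leaked store does not reveal
    live codes. Delivering the code (e.g. via an SMS provider) is the caller's job.
    """

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock          # injectable clock so expiry can be tested offline
        self._pending = {}           # user_id -> (code_hash, expires_at, attempts_left)

    def _hash(self, user_id: str, code: str) -> bytes:
        # HMAC with a server-side secret: a six-digit code has too little entropy
        # to survive an offline brute force against a plain hash.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        # CSPRNG-backed six-digit code, zero-padded so leading zeros are preserved.
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[user_id] = (self._hash(user_id, code), expires_at, MAX_ATTEMPTS)
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                    # nothing issued, already used, or locked out
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user_id]      # expired codes are discarded, not retried
            return False
        if hmac.compare_digest(code_hash, self._hash(user_id, submitted)):
            del self._pending[user_id]      # single use: a correct code is consumed
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user_id]      # too many wrong guesses: a new code must be requested
        else:
            self._pending[user_id] = (code_hash, expires_at, attempts_left)
        return False
```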

Take action

Follow these tips from the Australian Cyber Security Centre to help keep your systems and devices secure.

#6 Know what to do in the event of a data breach

Under the Notifiable Data Breaches scheme, an organisation or agency that must comply with Australian privacy law has to notify the people affected when a data breach is likely to cause them serious harm. If your business is covered, that means you need to let customers know if you have experienced such a breach.

The faster you act in the event of a cybercrime against your business, the more protection you, your staff or the customer involved could have.

Just as you should have an emergency evacuation plan for your business, it’s important to plan ahead for a digital emergency.

Take action

Learn how to help prevent a data breach then use the OAIC’s Data breach preparation and response guide to help you to prepare your own data breach response plan.

#7 Know the resources available to you as a small business owner

The Australian Cyber Security Centre and the OAIC provide a lot of valuable information and tools to help you manage data and privacy risks in your business.

Take action

Learn more about protecting your business online and explore the OAIC’s range of training resources, which could help you and your staff members manage your privacy obligations within your business.

Legal and risk
01 October 2024