Risk Tip: New Privacy Obligations for Small Businesses

Graphic representation of Australia's Privacy Act reforms, highlighting the impact on small businesses' privacy obligations and data privacy policy updates.

After a comprehensive review of the Privacy Act, the Australian government has responded to proposals for a reform of Australia’s privacy guidelines. This is a significant development after these proposals were put forward back in February 2023. The government has agreed to changes that will impact businesses across the country, including a crucial shift for small businesses with an annual turnover of $3 million or less. The proposed removal of the exemption to the Privacy Act is set to bring about new data privacy obligations, prompting affected companies to re-evaluate their approach to personal information.

Currently, businesses with an annual turnover of up to $3 million are not bound by certain privacy obligations. One of the biggest concerns is that they are not required to keep personal information secure or to notify affected individuals in the event of a data breach. However, with the government’s recent support of the proposals, this exemption is under scrutiny, which may see these previously exempt businesses adapt to the changing regulatory landscape.

Key Proposals and Reforms

The government’s approval, or tentative agreement, on most of the 116 proposals suggests a significant range of changes are on the horizon. One of the critical alterations is the removal of the Privacy Act exemption for small businesses, impacting approximately 2.3 million SMEs. With this change will come the need for these businesses to revisit their data privacy policies, particularly in how they treat and store personal information.

The government is also contemplating an expanded definition of the term “personal information”. This extension would include IP addresses, cookies, and device identifiers, as well as situations where an individual may be “reasonably identifiable” even if their identity is unknown. The proposed reforms also include the requirement for businesses to seek informed consent, enhanced protections for children, and increased accountability for handling individuals’ information.

Risk considerations for businesses

In light of the imminent reforms to the Privacy Act, businesses face heightened risk considerations, particularly in ensuring the secure storage of personal data. With the proposed removal of the Privacy Act exemption, there is a pressing need for entities to re-evaluate their data management practices. Secure storage of personal information will be necessary to comply with these potential future obligations, but first and foremost it is essential to safeguard sensitive data against unauthorised access. As cyber-attacks become more sophisticated and relentless, the risk of data breaches is very real.

In this context, the significance of cyber insurance cannot be overstated. With the removal of the Privacy Act exemption, businesses must recognise the critical role of cyber insurance in mitigating damages associated with data breaches. With the proposed update requiring businesses to notify all affected parties of a data breach, the potential ramifications for the business are significant. Cyber insurance provides a safety net, covering aspects such as business interruption and reputation or brand damage in the event of a security incident — depending on the severity of the data breach, a business may be left dealing with an extended period of interruption, mandatory notification of impacted parties, and significant brand damage to repair.

Act now, regardless of the reforms

Regardless of the government’s endorsement of reforms and the proposed removal of the Privacy Act exemption, businesses concerned about risk should consider undergoing a comprehensive reassessment of data privacy policies and practices. As the risk landscape evolves, securing personal data may become a legal obligation, but it is already a sound risk management strategy in the face of increasingly sophisticated cyber threats.

Recognising the potential for business interruption and reputational damage following a data breach, it might be worth considering cyber insurance as part of comprehensive risk management.

By proactively embracing these proposed changes, businesses are given the opportunity to strengthen their defences against cyber threats, adapt their privacy practices, and leverage risk mitigation to navigate the evolving world of data protection.

If you would like assistance with cyber insurance and risk mitigation, please do not hesitate to contact us at Barrack Broking.

Barrack Broking

In 1849, an Australian insurance company and mutual society was founded. It opened its doors in a small office above a fruit shop in Sydney, opposite Barrack Gate… and rose to become the largest insurer in the British Empire. Today, Barrack Broking is opening its doors. 170 years later, albeit embracing those same values and insuring Australian greatness.
