Data privacy: A big issue for small businesses


As data surpasses oil as the world’s most valuable commodity, businesses are collecting masses of personal information and using it to understand their customers and provide better experiences.

It has also led to a surge in breaches, such as the 2022 incidents with Medibank, Optus and Telstra. Those were just three high-profile incidents amongst thousands, with the Australian Cyber Security Commission (ACSC), the government body in charge of keeping Australians safe online, responding to almost 70,000 cybercrime reports in the last financial year.

In response, the Australian Government is currently consulting on major privacy reforms, which require compliance and have potentially severe penalties for breaches or inaction. At present, most small businesses are exempt, though in a recent review, the attorney-general recommended ending the small business exemption, which would impact about 2.3 million businesses.

The proposed legislative changes come as Zoho research reveals that just 35 per cent of small businesses currently have a ‘defined, documented and enforced privacy policy regarding the personal data collected, used and disclosed through their business’. The research also reveals that 27 per cent don’t have a privacy policy or don’t know if they do, and 38 per cent have an ‘informal or unenforced’ policy. When data is collected transparently and stored safely, it holds great value for small businesses and their customers. Still, as risks increase and policymakers circle, awareness, education and action are essential.

Awareness and education

For small businesses, it is too easy to ignore privacy. Many business owners believe they are too small and do not hold enough data to be targeted. That is not the case, as attacks are entirely random, targeting businesses of any size through vulnerabilities in their systems. An attack can disable systems, steal or compromise data, and even use a breached computer to target others.

Unfortunately, attacks are increasing in regularity and severity, and many in our small-business community are either entirely unaware of the risks or are aware but are not taking action. Small businesses cannot be expected to become privacy experts at the drop of a hat, so the technology industry and policymakers must raise awareness and incentivise action amongst these businesses as a priority – whatever the outcome of current consultations.

Taking action

Even with millions of small businesses currently exempt from the fines and sanctions associated with failure to report a privacy breach, all small businesses have, as a matter of best practice, a duty to protect their businesses and the data of those who use them. Those that fail to do so could be more susceptible to breaches.

With our research demonstrating how few of Australia’s small businesses would be prepared for the policy, we cannot stop at awareness and education; we need to incentivise action. Before extending the proposed reforms, policymakers must allow small businesses a longer period of time to prepare than other targets like large digital platforms, markets and political parties – all of whom have more resources and expertise.

For example, clear, authoritative and jargon-free advice must be freely and easily accessible through government resources, local chambers of commerce, business mentors, accountants and the like. Technology platforms, meanwhile, must explain clearly to small businesses how data is collected and stored through their software. They must also make data security a built-in foundation of their software. Unfortunately, because data collection is so valuable today, this happens far too infrequently, contributing to the growing risks and regulatory requirements facing small businesses.

Small businesses are more sophisticated than ever, but awareness, education and action are too low. Any reforms to protect consumers are vital and should be celebrated, but small businesses must be given time and guidance to comply. If they are given that support, they – and their customers – can reap the benefits of a data-driven online world.