Privacy matters still a major stumbling block for small businesses

website, privacy
Computer laptop online protection shield on internet browser web site or pc with secure connection website vector flat cartoon illustration, security or privacy data access modern design image

Ahead of large scale parliamentary changes that will see many businesses face increased fines and penalties for breaches, only 35 per cent of small businesses surveyed have a defined, documented and enforced privacy policy regarding personal data collected, used and disclosed through their business.

Presently, only businesses with a turnover of more than $3 million and select other organisations must be compliant. However, all businesses as a matter of best practice have a duty to protect their businesses and the data of those using them. Those that don’t could be more susceptible to breaches, which are increasing in both regularity and severity.

According to research conducted by global technology firm Zoho, one in four (27 per cent) businesses either don’t have a data privacy policy or don’t know if they do. Another 38 per cent of businesses have an informal policy, an unenforced policy or have not read their policy.

“Data privacy is one of the defining issues for the business community today,” Vijay Sundaram, Chief Strategy Officer at Zoho, said. “Unfortunately, confusion and uncertainty reign supreme amongst Australia’s small businesses. Many of those who must be compliant with proposed regulatory changes are desperately unprepared, while the vast majority whether the Privacy Act applies to them or not are very vulnerable to a breach that could have significant consequences.

“It’s still too easy for small businesses to overlook their responsibilities when it comes to data privacy, but the threat and the potential cost is real,” Sundaram added. “Small businesses cannot be expected to become privacy and cybersecurity experts, so the technology industry and policymakers must make awareness, education and action amongst these businesses a top priority. Otherwise, with regulation becoming more stringent, penalties more severe and attacks more prevalent and damaging, small businesses will be unfairly and disproportionately impacted. For them, a breach could be catastrophic.”

The report noted that 44 per cent of respondents have allowed tracking on their website to share content on social media sites, some of whom have been involved in well-documented privacy breaches. One in five, 21 per cent, use third parties to track advertising activity, with Google (30 per cent) and Facebook (25 per cent) being the dominant platforms.

The report also noted that many small businesses are unaware and / or ambivalent about the use of third-party cookies that have come to define the debate around data privacy. In fact, 33 per cent are entirely unaware that tracking occurs via cookies in their business in the first place, and a further 32 per cent are aware that it happens but do not communicate it to their customers.

Meanwhile, 43 per cent are either uncomfortable or very uncomfortable with their customers’ data being used by companies they had no direct relationship with, 32 per cent were ambivalent while 25 per cent are either comfortable or very comfortable with their customers’ data being accessed.

The research also revealed that 20 per cent of small businesses believe that third-party vendors have done a good job of explaining how their information is being used, while 31 per cent believe vendors have done a bad or unsatisfactory job. A further 31 per cent hadn’t even considered the issue; evidence that basic awareness is too low.

“Australia is a nation of entrepreneurs, and while running a small business should be celebrated and encouraged, there are critical data requirements,” Sundaram said. “Operating a business, no matter the industry, in a COVID-normal world will be dependent on collecting more data for health and safety measures and as a competitive advantage than ever before. The reforms are designed to protect, but they must allow adequate time to, first, educate small businesses about their requirements and then ensure that they’re compliant.”