More help needed for Australian SMBs ahead of new privacy laws

Vijay Sundaram, the Chief Strategy Officer at Zoho

The vast majority of Australia’s 2.4 million small and medium businesses are desperately unprepared for the sweeping reforms to the Commonwealth Privacy Act.

According to new research from technology platform Zoho, just one third of small businesses currently have a defined and documented data privacy policy.

Ahead of large-scale parliamentary changes that will see many businesses face increased fines and penalties for breaches, only 35% of SMBs surveyed have a defined, documented and enforced policy regarding personal data collected, used and disclosed through their business.

Only businesses with turnover of more than $3m, and other select companies, must comply.

All businesses have a duty to protect themselves and the data of users. Those that don’t are more susceptible to breaches, which are increasing in both regularity and severity.

27% of businesses either don’t have a data privacy policy or don’t know if they do, and 38% have an informal policy, an unenforced policy or have not read their own policy.

Executive comments on Zoho’s findings

Vijay Sundaram, the Chief Strategy Officer at Zoho, offered analysis of the survey.

“Data privacy is one of the defining issues for the business community today. Unfortunately, confusion and uncertainty reign supreme amongst Australia’s small businesses.”

“Many of those who must be compliant with proposed regulatory changes are desperately unprepared, while the vast majority – whether the Privacy Act applies to them or not – are very vulnerable to a breach that could have significant consequences.” 

“It is still too easy for small businesses to overlook their responsibilities when it comes to data privacy, despite the fact that the threat and the potential cost is real.”

“Small and medium businesses in Australia cannot be expected to become privacy and cyber security experts overnight. Thus the technology industry and policymakers must make awareness, education and action amongst these businesses a top priority.”

“Otherwise, with regulation constantly becoming more stringent, with penalties becoming severe and attacks turning more prevalent and damaging, small businesses will be unfairly and disproportionately impacted. For them, a breach could be a catastrophe.”

Third-party cookies have in many ways come to define the debate around data privacy. However, many small businesses are unaware of and ambivalent about their use.

33% are entirely unaware that tracking occurs via cookies in their business and a further 32% are aware that it happens but do not communicate it to their customers.

43% are either uncomfortable or very uncomfortable with their customers’ data being used by companies they have no direct relationship with, 32% are ambivalent, and 25% are either comfortable or very comfortable with their customers’ data being accessed.

One in three were ambivalent, a stark contrast that calls for education and awareness.

This aspect is uncomfortably lacking. Only 20% of small businesses believe that third-party vendors have done a good job of explaining how their data is being utilised.

In comparison, 31% believe vendors have done a bad or unsatisfactory job, and a further 31% hadn’t even considered the issue; evidence that basic awareness is too low.

“Australia is a nation of entrepreneurs, and while running a small business should be celebrated and encouraged, there are critical data requirements,” Sundaram continued.

“Operating a business in a COVID-normal world will be dependent on collecting more data for health and safety measures and as a competitive advantage than ever before.”

“The reforms are designed to protect, but they must allow adequate time to, first, educate small businesses about their requirements and then ensure that they’re compliant.”

44% of the businesses allow tracking on their website to share content on social media sites – some of which have been involved in well-documented privacy breaches.

21% use third parties to track advertising. Google (30%) and Facebook (25%) are the dominant platforms, garnering over half of all small business advertising activity.

Support needed for education and retail sectors

The Office of the Australian Information Commissioner says the three most common sectors to experience and report a data breach are financial services, healthcare and education.

Almost half of financial services and healthcare organisations have strong policies and practices, but just 22% of education institutions have a defined, documented and enforced data privacy policy.

Few industries have changed more drastically in the wake of the global COVID-19 pandemic than education, with millions of students participating in remote education.

Not only do the majority of education providers lack a defined, documented and enforced policy, they are also three times more likely to say technology vendors had done an unsatisfactory job of explaining data tracking (39%) than a good job (14%).

With COVID-19 pandemic-induced lockdowns closing high streets for prolonged periods, eCommerce sales have reached new heights over the last 18 months.

Despite their reliance on online channels, just 31% of retailers have a defined, documented and enforced data privacy policy, which is a grave figure as the busy retail season approaches.

Comments on Zoho’s survey findings

Ray Trevisan, Fund Manager and Director at OTG Capital, also offered his views.

“The nature of our business means that we handle incredibly personal, private information.”

“We’re required to obtain 100 points of identification like a passport, driver’s licence, date of birth from every client and store it in an incredibly discreet, circumspect and sensitive way.”

“We have to demonstrate to the regulator that we can keep our clients’ data safe, and that we have a strictly enforced privacy policy that we communicate to our clients.”

“We use multi-factor authentication, secure blockchain signed documents, password protection and generator tools, and therefore, we are extremely comfortable that we have the systems in place to provide the safety and security that our clients deserve.”

“However, hackers are becoming more aggressive and sophisticated, and therefore we have to become smarter and more diligent in safeguarding our business.”

“The safety of our clients and the reputation of our business depends on it.”