By Stephen Corby
Consumer data is a hot commodity in the digital economy. The more personal information companies can collect from their current and prospective customers, the more accurately they can target products and services to generate sales and profits.
However, data is quickly becoming a double‑edged sword. With cyberattacks on the rise, businesses risk irreparable reputational damage – and hefty clean-up bills – when their customers’ private information is exposed.
In addition, significant penalties have already been introduced in Australia for breaches of privacy.
In the EU, consumer privacy is protected by the General Data Protection Regulation (EU GDPR).
An integral part of the regulation is one’s right to be forgotten. A consumer can request that their personal data be erased if it is no longer needed for the purpose for which a business originally collected or processed it.
A two-year review of the Privacy Act 1988 (Cth) has been conducted to identify how to better protect individuals and their personal information. As a result of that review, EU-style protections may soon be introduced in Australia.
How every business is affected
Lisa Given, professor of information sciences at Melbourne’s RMIT University, says changes to the Privacy Act will broadly affect how companies conduct business in Australia.
There is a small business exemption in place, but this may be removed as part of the reforms. For the purposes of the exemption, a small business is one with an annual turnover of A$3 million or less.
Changes to Australian privacy legislation “would effectively empower Australian citizens to appeal to Australian companies in the same way European citizens can do currently,” Given says.
“If you’ve got a mailing list, or you’re gathering important information from people and you’re based in Australia, you would have to comply with the legislation,” she says.
“What that’s going to mean for businesses is potentially quite different practices.”
Many privacy jurisdictions also have an existing extraterritorial reach. Businesses that provide goods or services to individuals residing in the EU, for instance, are already subject to some aspects of the EU GDPR.
For many companies, this will mean increased investment in technology and robust processes to ensure customer data can be reliably “erased” when required. The more data a company holds, the more difficult and costly this becomes.
Given also points to other key features of EU GDPR, particularly the requirement for companies to seek active consent from customers for their data to be recorded and retained.
For example, if a company wishes to sign a customer up to its e-newsletter, it would have to actively seek permission to do so. This is already the current approach in Australia due to existing marketing obligations under the Privacy Act and SPAM legislation.
No time like today to prepare
Matthew Green, consulting and risk partner at tax and advisory firm Grant Thornton, says the proposed changes to the Privacy Act are long overdue.
Green’s advice for smaller accounting firms and their small business clients is that the sooner they start preparing, the better.
“The removal of the small business exemption is one of the recommendations [of the review]. This may see many smaller professional services firms having to meet the revised higher standards for privacy protection,” he says.
“While the reforms don’t have a specific timeframe, this should not stop firms from taking action now, as the legislation is lagging the risk, which is in the here and now.
“Firms should declutter their existing data and take steps to remove unnecessary personal and sensitive information – such as those items retained for one-off identity-verification exercises. They should also review processes for future handling of personal and sensitive data.”
The risks of storing a client’s information indefinitely – just in case it may be useful in the future – far outweigh the rewards. This could also expose companies to legal action in the event of a data breach.
Current legislation already requires that personal information not be retained beyond the period for which it was collected, unless another legal obligation applies.
An opportunity for best practice
Dr Bruce Baer Arnold, associate professor of business, government and law at the University of Canberra, advises companies to follow “best practice” in dealing with client data. This is to protect their own interests, in addition to their clients’.
“Best practice means, firstly, you don’t collect information just because you can collect information,” says Arnold.
“Secondly, the information that you’ve got is stored securely and only used properly. Thirdly, don’t keep it forever.”
Change on a large scale will mean an increased cost for many companies, but Arnold says there is some good news. “Strengthening your cybersecurity processes, your data management processes, should be assisting you to strengthen your overall processes.”
Organisations such as the Business Council of Australia are calling for caution and care when planning and implementing the reform. In its submission as part of the Privacy Act review, the Council raises concerns around potential barriers to Australia becoming a leading digital economy and its international competitiveness.
Submissions made include detailed advice for small businesses should the small business exemption be scrapped.
Others, such as the Digital Industry Group Inc (DIGI), an association that advocates for members including Google, Meta and Apple, are broadly optimistic. DIGI’s managing director, Sunita Bose, says the changes to privacy should be welcomed, despite any challenges they may present.
“While the implementation of new data systems and customer service channels will be time-consuming for companies that don’t already honour personal information access and erasure requests, these kinds of consumer protections could give Australians more confidence in engaging with service providers,” Bose says.
Arnold and Given agree that consumers and consumer confidence will be the big winners.
This will benefit companies that adapt quickly and embrace new, safer ways of operating.