SMEs with an annual turnover of less than $3 million are exempt from laws in the updated Australian Privacy Principles but could find themselves liable for penalties up to $1.7 million if they don’t remove risks that negatively impact clients who are required to comply.
The series of amendments to the Privacy Act primarily relate to how personal data is handled and processed, particularly its use in direct marketing and disclosure offshore.
“When there is a contract with a larger business who must directly comply with the new legislation, the smaller business must also commit to complying with their privacy obligations,” says Grosser.
“The smaller business will most likely be asked to sign a contract that stipulates they won’t breach the privacy laws.
“They are bound by that contract and therefore liable for huge fines if their privacy guidelines are not up to date as a flow-on effect from the bigger client who could be served from the commissioner.”
Grosser says being in the know isn’t just important to de-risk and avoid penalties, but also adds to the reputation of the SME.
“Smart companies shouldn’t view this as another regulatory burden, as privacy is now an integral part of business operations.
“Being compliant and able to market that when tendering for work makes a business that much more trustworthy and attractive.”
With the end of the financial year around the corner, there is no better time to review company practices, and Grosser offers a number of items businesses should ensure they have checked off.
“Employees will need to be re-educated in many cases to ensure they aren’t breaching the principles.
“They should especially look into contracts with suppliers, particularly software, cloud services and other ICT service providers.”
Grosser, who comes from a teaching and technology background, says it was these IT companies that were traditionally in the firing line when it came to privacy breaches.
However, as most businesses now deal with technology companies or have an IT component, the privacy laws implicate a diverse range of industries.
“The update is driven by technological changes; the way people are interacting with businesses means businesses are privy to more personal information.
“In the past, organisations providing things such as database marketing were considered to be most at risk, but more businesses are being brought under the spotlight with increasing use of cloud computing, software as a service and hosted solutions,” says Grosser.
“The alarming thing is that a lot of businesses don’t know where their data is actually being stored – cross-border disclosure through an offshore call centre may implicate them, the modern-day version of printing a document and sending it in the mail.
“One of the amendments is that businesses must indicate if personal information is leaving the jurisdiction and then specify exactly where it is going.”
The changes to the Privacy Act came into effect on March 12 and as yet there haven’t been any significant prosecutions.
Grosser says businesses largely appear to be complying, with a positive flow-on effect where privacy is being paid more attention.