Australian businesses must place consumer privacy and information security at the core of their 2025 data strategies or face new legal risks in addition to potential operational and reputational damage.
The first tranche of long-expected reforms to Australia’s Privacy Act, the Privacy and Other Legislation Amendment Act 2024, was legislated in late 2024 and will apply to all businesses with an annual turnover above $3 million. Dr. Ian Tho, RSM Australia Partner and one of the country’s leading data analytics experts, emphasized the importance of these changes for all businesses, regardless of size.
“The initial amendment introduces a raft of changes to empower individuals, including a statutory tort that will provide a legal avenue to pursue compensation for privacy-based damage or loss against an organization or individual,” Dr. Tho said. “While lower-earning businesses have been excluded from the updated legislation for now, this may not be the case for future reform tranches, of which at least one more is expected. In the meantime, the increased consumer powers and any resulting legal action will put pressure on businesses of all sizes and sectors to lift their data security standards.”
“Even businesses that are not legally required to comply will likely experience increased consumer scrutiny, and those that don’t demonstrate respect for personal data autonomy, dignity, and security could face customer distrust or rejection.”
Global context and consumer expectations
The move to better protect the privacy of Australian consumers follows a series of major data breaches and growing awareness of stronger privacy protections in other regions. Europe’s General Data Protection Regulation (GDPR) came into effect in 2018, followed by California’s Consumer Privacy Act (CCPA) in 2020. “Data collection and analysis is a significant priority for small businesses looking to better understand their customers, enhance communications, and tailor products and services more in line with their needs,” Dr. Tho said.
“As privacy regulations continue to strengthen, however, it’s essential that businesses strike a balance between knowing their current and potential customer needs while upholding personal privacy. If an individual has been involved in a previous data breach, for example, their concerns around a lack of data privacy, consent, and transparency could be enough for them to take their business elsewhere.”
Best practices for data security
According to Dr. Tho, best-practice data strategies integrate privacy by design, considering security at every stage of the data lifecycle—from collection and transit to analysis and disposal. Key recommendations include:
- Data Minimization: Regularly reviewing collected information to retain only the most necessary data.
- Retention Policies: Documenting and implementing clear data storage and disposal policies.
- Employee Training: Ensuring staff are trained to uphold compliance requirements and address consumer concerns.
“All businesses should regularly review the amount of information they collect, determine what’s actually being used, and move towards data minimization wherever possible,” Dr. Tho said.
“Documenting and implementing a data retention policy is also key, as well as training employees to ensure compliance and respond adequately to consumer queries, requests, and concerns. Businesses, data analysts, advertisers, and marketers should all be watching this space closely, as it is yet to be seen how future changes may further impact evolving areas like machine learning and predictive analytics relating to customer segmentation and A/B testing, for example.”
Cybersecurity remains a weak point
Data breaches continue to pose significant challenges for Australian businesses. RSM Australia’s recent report, Cyber Storm Rising: Navigating the Path to Resilience for Australian Businesses, examined the cyber preparedness of 150 Australian C-suite executives. Riaan Bronkhorst, RSM Australia Partner in Security & Privacy, noted that the report revealed a lack of preparedness among many businesses. “Only half of Australian leaders were confident in their staff’s capacity to manage a cybersecurity risk, compared to 84% of leaders in the UK and US,” Mr. Bronkhorst said.
“Most concerningly, the report showed that only 66% of large firms and 55% of mid-sized firms have run a response test to a cyberattack within the past year. With privacy and information security regulations only expected to strengthen, it’s critical businesses embed rigorous internal and external testing to identify weaknesses and ensure they can appropriately defend against cyber threats and safeguard consumer data.”