SMEs falling short in data privacy obligations: Zoho Report

Image Credit: Zoho

The vast majority of Australia’s 2.4 million small businesses are inadequately prepared for sweeping changes to the Commonwealth Privacy Act, according to new research from leading global technology platform, Zoho, which found that only one-third of small businesses currently have a defined and documented data privacy policy.

The research found that one in every four businesses (27 per cent) either do not have a data privacy policy or are unsure if they do. The remaining 38 per cent have an informal policy, an unenforced policy, or have not read their policy.

“Data privacy is one of the defining issues for the business community today. Unfortunately, confusion and uncertainty reign supreme amongst Australia’s small businesses,” said Vijay Sundaram, Zoho’s Chief Strategy Officer.

“Many of those who must comply with proposed legislative changes are woefully unprepared, while the vast majority – whether the Privacy Act applies to them or not – are highly exposed to a breach with serious implications. 

“It’s still too easy for small businesses to overlook their responsibilities when it comes to data privacy, but the threat and the potential cost is real.” 

He added that the technology sector and regulators must prioritise awareness among small businesses.

“Small businesses cannot be expected to become privacy and cybersecurity experts, so the technology industry and policymakers must make awareness, education and action amongst these businesses a top priority. 

“Otherwise, with regulation becoming more stringent, penalties more severe and attacks more prevalent and damaging, small businesses will be unfairly and disproportionately impacted. For them, a breach could be catastrophic,” Mr Sundaram said.

What is the Commonwealth legislation for privacy?

According to the Office of the Australian Information Commissioner (OAIC), the Privacy Act was enacted to promote and safeguard individuals’ privacy and to govern how Australian Government agencies, organisations with annual revenues of more than $3 million, and some other organisations handle personal information.

What are the suggested changes to the legislation?

Currently, the majority of Australian businesses are exempt from compliance with the Privacy Act because of the small business exemption: a monetary threshold that exempts businesses with annual revenue of less than $3 million from the Act. The OAIC has proposed that this exemption be repealed as part of Australia’s wider privacy reforms.

Employers who handle employee records are also exempt from the Privacy Act; the OAIC has proposed that this exemption also be removed.

Third-party persistent cookies

Persistent cookies are stored on the user’s device and carry an expiration date, so they remain until that date passes or the user deletes them.

Third-party persistent cookies, often known as tracking cookies, are set by a domain other than the website the user is visiting. Because the browser sends them back whenever the user loads a page that embeds a resource from that domain (a share button, an advertising tag, an analytics script), the cookie’s creator can collect data about the user across every site where its resource appears.
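A small business can check which of these cookies its own site causes to be set. The following is an added example, not code from the article or from Zoho: it parses the Set-Cookie headers observed while loading a page and flags the third-party persistent ones. The hosts and headers are constructed sample data, and the first-party test is a simple hostname-suffix comparison (a fuller audit would use the Public Suffix List).

```python
"""Audit the cookies a page causes to be set and flag the third-party persistent
("tracking") ones. Added example; hosts and headers below are constructed sample data."""
from collections import namedtuple

CookieReport = namedtuple("CookieReport", "name setter third_party persistent")

def _same_site(page_host: str, cookie_host: str) -> bool:
    """Crude first-party test: one host equals or is a subdomain of the other.
    A real audit would compare registrable domains via the Public Suffix List."""
    p, c = page_host.lower(), cookie_host.lower()
    return p == c or p.endswith("." + c) or c.endswith("." + p)

def classify_cookie(page_host: str, resource_host: str, set_cookie: str) -> CookieReport:
    """Parse one Set-Cookie header value: name=value; Attr; Attr=val ..."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # The Domain attribute sets the cookie's scope; a leading dot is legacy syntax.
    setter = (attrs.get("domain") or resource_host).lstrip(".")
    # Max-Age wins over Expires (RFC 6265 s.5.3); Max-Age <= 0 deletes the cookie,
    # so only a positive Max-Age, or an Expires date, makes the cookie persistent.
    max_age = attrs.get("max-age", "")
    if max_age.lstrip("-").isdigit():
        persistent = int(max_age) > 0
    else:
        persistent = "expires" in attrs
    return CookieReport(name, setter, not _same_site(page_host, setter), persistent)

def tracking_cookies(page_host, observed):
    """Return the third-party persistent cookies, which the article calls tracking cookies."""
    reports = [classify_cookie(page_host, host, hdr) for host, hdr in observed]
    return [r for r in reports if r.third_party and r.persistent]

# Constructed sample: a shop page that embeds a social "share" widget and an ad tag.
PAGE_HOST = "shop.example.com.au"
OBSERVED = [
    ("shop.example.com.au", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("shop.example.com.au", "cart=42; Max-Age=604800; Path=/"),
    ("widgets.social.example", "uid=u-998; Expires=Wed, 09 Jun 2032 10:18:14 GMT; Domain=.social.example; Path=/; SameSite=None; Secure"),
    ("ads.tracker.example", "aid=x1; Max-Age=31536000; Path=/"),
    ("ads.tracker.example", "tmp=1; Path=/"),  # session cookie: not persistent
]

if __name__ == "__main__":
    for r in tracking_cookies(PAGE_HOST, OBSERVED):
        print(f"{r.name} (scope {r.setter}): third-party persistent cookie")
```

Of the five sample cookies only `uid` and `aid` are reported: `cart` is persistent but first-party, and `tmp` is third-party but expires with the session.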

Slightly less than half (43%) are either uncomfortable or very uncomfortable with their customers’ data being used by companies with which they have no direct contact, 32% are ambivalent, and 25% are either comfortable or very comfortable with their customers’ data being accessed.

The fact that one in three were unsure highlights the importance of education and awareness. This, however, is lacking. 

Only 20% of small businesses say third-party providers have done a good job of clarifying how their data is utilised. In comparison, 31% say suppliers have done a poor or inadequate job, and another 31% haven’t even explored the topic, indicating that basic awareness is lacking.

“Australia is a nation of entrepreneurs, and while running a small business should be celebrated and encouraged, there are critical data requirements,” Sundaram continued. 

“Operating a business – no matter the industry – in a COVID-19-normal world will be dependent on collecting more data – for health and safety measures and as a competitive advantage – than ever before.

“The reforms are designed to protect, but they must allow adequate time to, first, educate small businesses about their requirements and then ensure that they’re compliant.”

Almost half (44%) of the businesses allow tracking on their website to share content on social media sites – some of which have been involved in well-documented privacy breaches. Almost a quarter (21%) use third parties to track advertising activity. 

Google (30%) and Facebook (25%) are the dominant platforms, garnering over half of all small business advertising activity.

Support needed for education, retail

According to the Office of the Australian Information Commissioner (OAIC), the three most common industries to experience and report a data breach are financial services, healthcare and education. 

While almost half of the financial services and healthcare bodies have strong policies and practices, only 22% of educational institutions have a defined, documented and enforced data privacy policy.

Few industries have changed more drastically in the wake of the pandemic than education, with millions of students participating in remote education. Not only do the majority of education providers not have a defined, documented and enforced policy, but they are also three times more likely to say technology vendors had done a bad or unsatisfactory job of explaining data tracking (39%) than those who had done a good job (14%).

With lockdowns closing high streets for prolonged periods, eCommerce sales have reached new heights over the last 18 months. Despite their reliance on online channels, fewer than one in three retailers (31%) have a defined, documented and enforced data privacy policy: a grave figure as the busy retail season approaches.

“The nature of our business means that we handle incredibly personal, private information. We’re required to obtain 100 points of identification – including a passport, driver’s licence, date of birth – from every client and store information in an incredibly discreet, circumspect and sensitive way. 

“We have to demonstrate to the regulator that we can keep our clients’ data safe, and that we have a strictly enforced privacy policy that we communicate to our clients,” said Ray Trevisan, Fund Manager/Director at OTG Capital.

“We use multi-factor authentication, secure blockchain signed documents, password protection and generator tools, so we’re comfortable that we have the systems in place to provide the safety and security that our clients deserve. 

“However, hackers are becoming more aggressive and sophisticated, so we have to be smarter and more diligent in safeguarding our business. The safety of our clients and the reputation of our business depends on it.”