The impending requirement to comply with 116 proposed Privacy Act amendments will put new pressure on small businesses that lack the expertise to manage data governance on their own, experts have warned, as a new tool aims to streamline the process.
Those amendments – floated earlier this year after an extensive Attorney General’s Department (AGD) review into the operation of the Privacy Act 1988 – will provide “recalibration to address contemporary privacy risks and meet current community expectations,” the department said in outlining proposed changes that would strengthen the Notifiable Data Breaches (NDB) reporting framework while increasing data protections, transparency, control, security, and enforcement.
The overhaul would also remove the current exemption for businesses with annual turnover under $3 million, exposing around 2.4 million small and medium businesses (SMBs) to burdensome new governance requirements and potentially severe penalties for the first time.
With recent figures finding that fewer than half of Australian SMBs see data privacy as a priority – and just 44.4 per cent confident that they have a “well-defined” privacy policy – removal of the exemption will push most of these businesses into uncharted territory.
Seeing a looming ‘compliance cliff’ for SMBs, de.iterate founder and CEO Andrew Lawrence, whose firm last year developed a well-received interactive platform to guide companies to compliance with the ISO 27001 information security standard, sensed an opportunity.
“Most Australian businesses fall into this small business category,” Lawrence told Information Age, “and those types of businesses aren’t going to have a privacy or security specialist.”
By proactively working through all 116 of the mooted Privacy Act amendments, de.iterate adapted its platform into a cloud-based tool that, for $99 per month, helps small businesses assess their privacy practices and guides them towards compliance with the new regime.
“We worked to develop a platform that cuts compliance into manageable compliance tasks, then feeds them to customers on an easy-to-consume basis that allows them to be good at compliance,” Lawrence explained.
“We’ve been fortunate to have a running start on the legislation, which allowed us to sit back and quietly build this product to the point where we’re happy with it.”
The resulting platform – which will be progressively updated as legislative changes are released – includes elements ranging from a data privacy tracker, supplier register and dynamic privacy policy engine to tools for data privacy request handling and data classification, retention, and disclosure tracking with full auditability.
For good measure, the platform has also been designed to facilitate compliance with the widely supported Essential Eight cybersecurity controls – providing SMBs with clear advice to guide them towards better security practices and privacy compliance.
Companies can implement the system themselves, or work with partners like managed security service providers who can use it to monitor privacy compliance on their behalf.
Staring into the privacy abyss
With recent figures suggesting that one in four small businesses wouldn’t survive a data breach, and anecdotal evidence confirming it, the ability not only to be compliant but to demonstrate that compliance will be critical for SMBs as the new regulations update a Privacy Act that, Devicie security and compliance director Glyn Geoghegan said, “finds itself a little out of date and out of touch.”
“Looking around the world at gold standards of informed consent and rights over our personal information,” he explained, “shows Australia is now behind the curve on formally acknowledging the rights of the individual and responsibilities of the corporate world over that data.”
After a series of high-profile breaches that affected millions of Australians “we are now all far more aware of the implications of sharing [personal] information,” Geoghegan said.
The repercussions of failed data privacy measures have escalated rapidly over the past year. A flurry of cybercrime is pushing businesses to protect data in measurable, actionable ways, with potential financial consequences for executives, many of whom are begging for help as they contend with the world’s least cyber-minded boards and increasingly onerous reporting requirements.