The financial and reputational impact of a privacy breach would be “catastrophic” for one in four Australian small and medium businesses (SMBs) as consumers grow increasingly concerned about privacy but still don’t understand how their data is being used.

Just 45.4 per cent of 784 Australian SMBs named data privacy as a top business priority, new research by productivity software vendor Zoho found, with 30 per cent ranking it as “important”.

Although four out of five respondents said last year’s high-profile breaches of Optus and Medibank had catalysed their privacy concerns, many still hadn’t taken action to improve their privacy practices.

Just 44.4 per cent said they have a “well-defined, documented and applied customer privacy policy”, while one in five companies either don’t have a privacy policy – or do have one but have never updated or reviewed it.

And while 46.2 per cent of respondents said they know exactly what to do if they are hit by a privacy breach, fully 13.5 per cent admitted they would have ‘no idea’ what to do.

Although small businesses are currently exempt from the requirements of the Privacy Act 1988, a growing consensus is that these exemptions should be removed – which would create major problems for the 22.9 per cent of respondents who admitted they do not understand the Act’s requirements.

Mooted changes to the Act’s small business exemption would turn SMBs’ lackadaisical attitudes towards privacy into business liabilities that could, Zoho chief strategy officer Vijay Sundaram warned, prove overwhelming or fatal in the event of a privacy breach.

“The majority of SMBs understand that they’re just as susceptible to a breach as big businesses,” Sundaram said, “however that is still failing to translate into action…. With regulation becoming more stringent, penalties more severe and privacy breaches more regular and damaging, SMBs will be unfairly and disproportionately impacted.”

“For them, a breach could be catastrophic.”

Breach pain drives consumer distrust

SMBs aren’t the only ones feeling the effect of the Optus and Medibank breaches, which – along with this year’s Latitude Financial debacle – affected millions of Australians and forced many to get new identity documents to avoid fraud.

The background disruption of those breaches has put Australia at “a pivotal moment for privacy” as new technologies like artificial intelligence and facial recognition muddy the privacy waters even further, Australian Information Commissioner and Privacy Commissioner Angelene Falk wrote in recently releasing the latest three-yearly Australian Community Attitudes to Privacy Survey (ACAPS) – which found the breaches had left a lasting scar on the Australian community.

Just under half of the 1916 survey respondents said they had been affected by a data breach in the previous year, ACAPS found, with three-quarters saying they had “experienced harm as a result.”

“Despite the heightened awareness and concern about privacy among the community, there is limited knowledge of what to do about it,” Falk said, noting that just 21 per cent of respondents claimed to have ‘very good’ or ‘excellent’ privacy knowledge and 57 per cent admitted that they care about data privacy but don’t know what to do about it.

A minority of respondents believe most organisations they deal with are “transparent” about how their information is handled, and 84 per cent said they want more “control and choice” over the way their information is collected and used.

Given that Australia is “on the cusp of the most significant changes to our privacy framework in over a decade,” Falk said, organisations should draw on the report’s findings to learn how they can “do more to build consumer trust.”

Building trust has become harder than ever, Roy Morgan reported after a recent survey that found “dramatically soaring distrust” as data breaches, corporate scandals, and “the poor behaviour of corporate Australia under the ‘cover of COVID’” took their toll.

For the first time, Optus supplanted Facebook/Meta as the country’s most distrusted brand – showing the very real impact a data breach, and executives’ perceived “moral blindness”, can have on company reputation.

Smaller companies might well not survive the impact of such a breach – which is why, Falk said, now is the right time for businesses to get their privacy practices in order.

“We need to consider the laws and practices that will uphold our fundamental human right to privacy and meet community expectations, while enabling innovation and economic growth,” she said.

“Consumers place a high value on privacy when choosing a product or service. They are even prepared to experience some inconvenience if their privacy is guaranteed.”