SME Privacy Compliance: How to Safeguard Your Customer Data


  • In addition to the Australian Privacy Principles (APPs), some Australian SMEs may also have legal obligations under the European Union's General Data Protection Regulation (GDPR).
  • The world of regulatory compliance moves fast and failure to comply can cost businesses millions of dollars in financial penalties.
  • Businesses need to develop and implement an organisational culture that respects all aspects of privacy and embeds data protection in all of their systems and processes.
  • Read on to learn about the key strategies to protect your customer data and how to develop a privacy compliance framework to safeguard your business.

Privacy regulation has increasingly become a key risk area for business owners, especially for companies that handle large amounts of customer data.

As a business owner, non-compliance with privacy law can expose your business to severe penalties.

A major non-compliance issue, such as a data breach, can have enormous and far-ranging impacts on your business.

Not only could you be exposed to regulatory penalties in the millions of dollars, but a breach can also inflict significant damage to your brand, reputation and corporate relationships.

As such, it’s critical to have an understanding of your responsibilities regarding data security and the risks associated with non-compliance.

The regulatory compliance landscape is fast-moving and privacy law can be complex. If you are unclear about what’s required, it’s important to seek professional legal advice.

Australian privacy laws and SMEs

The Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) govern the handling of personal information for many Australian businesses, including those that:

  • have an annual turnover of over $3 million;
  • are private-sector health service providers;
  • are contractors that provide services under a Commonwealth contract; or
  • trade in personal information.

Some Australian SMEs may also have obligations under the European Union’s strict privacy laws, the General Data Protection Regulation (GDPR).

The legal application of the GDPR outside of the EU is a complex area, but the high standards of the GDPR are quickly being adopted by many businesses globally as a best practice model.

In addition, many small to medium businesses, particularly those that supply outsourced services to companies that involve data handling (i.e. IT managed service providers etc.) may have contractual obligations to comply with the same privacy laws and obligations as their contracting partners.

Australia introduced a Notifiable Data Breaches (NDB) scheme in 2018, which requires entities that are obliged to comply with the APPs to notify the Australian Privacy Commissioner, and affected individuals, if the business experiences a data breach that triggers mandatory notification obligations under the NDB scheme.

The financial cost of non-compliance

Failure to comply with the APPs and NDB scheme in the Privacy Act 1988 (Cth) (Privacy Act) can attract penalties of up to $2.1 million, with the Australian government planning to increase this penalty to $10 million for serious breaches.

For businesses that need to comply with the GDPR, a breach can carry a maximum penalty of 20 million Euros, or 4% of annual global turnover, whichever is greater.

Beyond fines, breaches are bad news

As well as the often crippling direct impact of financial penalties, a data breach can have other major negative impacts on the business.

The Cost of a Data Breach Report 2019, an annual study conducted by the Ponemon Institute and sponsored by IBM (Ponemon Report), found that the average total cost of a data breach is USD $3.92M.

Alarmingly, the Ponemon Report also indicates that more than 1 in 4 companies will experience a data breach within 2 years.

A data breach can result in extensive executive time spent dealing with the fall-out and engaging with the regulator/s, not to mention the costly reputational impacts.

Even at a time when so much else dominates global and national news, data breach incidents are still making the headlines on an almost weekly basis.

The damage wrought on an organisation’s reputation can be even more devastating to the business’ bottom line.

Many marketers talk about how trust is the ‘ultimate brand differentiator’; privacy and data protection are a huge part of that consumer trust.

If consumers perceive that an organisation is cavalier with data protection, that trust can be eroded to the point that consumers will prefer to engage with a competitor with a healthier track record on privacy and data security.

A lot of organisations know how valuable their data is; it has almost become a currency in itself and is certainly one of a business’ most valuable assets. Some regard it as more valuable than oil!

If you don’t follow the law in relation to your privacy obligations you can render your valuable customer data almost unusable. There is no point collecting and storing large amounts of customer data if your use for it (due to compliance errors in the data lifecycle) is so restricted that it is practically worthless.

What are the key strategies for protecting customer data?

When we talk about operationalising privacy, we mean integrating privacy compliance and data protection across all of your company operations. This means a cross-departmental, holistic approach that involves the entire business.

Privacy is not just about cybersecurity or policies and procedures. Many data breaches, for example, are caused by human error or people not following standard procedures.

Businesses need to develop and foster an internal organisational culture that respects privacy and embeds data protection in all of their systems and processes. This is sometimes referred to as the operationalising of privacy.

1. Programmes and training

Because privacy compliance issues can impact various different areas of the business, it is not just a traditional legal concern.

It's important to have a comprehensive training programme so that everyone across the business (not just the legal or compliance departments) can identify and mitigate the risks – including ensuring that staff understand when a contract with a third-party data processor has been entered into or when data has been ‘disclosed’.

Non-legal staff, for example, may not realise that they have signed up to the terms and conditions of an organisation that is handling data on their behalf.

Ensuring that there is open communication and a cohesive approach to data protection across the business helps to ensure all privacy risks are identified and addressed.

2. Company-wide policies

In our experience, one of the biggest mistakes businesses make is to assume that their data is safe because they have robust cyber-security or a diligent legal department.

While these are very important pieces in the data protection solution, every single department across your operations has a role to play in ensuring that your customer data is safeguarded.

With over a third of Australian data breaches (according to the Office of the Australian Information Commissioner (OAIC), Notifiable Data Breaches Report: January–June 2020) being caused by human error, fostering an organisational culture that respects privacy, across all functions of your business, has never been more important.

3. Cross-departmental buy-in and expert advice

A good way to ensure a holistic approach to data protection in your organisation is to secure buy-in from key stakeholders across all departments.

Your overall approach to operationalising privacy needs to recognise that privacy compliance has impacts and responsibilities across all of the limbs of the business (IT, marketing, sales, legal, HR etc.).

As such, it can be very useful to have holistic advisory assistance from a trusted thought partner, one that dives deep to understand all of the areas of your business and its functions.

Privacy compliance can’t be just a box-ticking exercise either. If data protection is not truly embedded in your business’ culture and across its operations, the risk of human error is magnified.

In 2019, one of Australia’s big four banks experienced a data breach which resulted in the data of 13,000 of its customers being disclosed without proper authorisation, despite the fact that there was a policy in place intended to prevent such a breach.

Documentation, including policies and procedures, is important but operationalising privacy compliance across the business is what is really needed to address risk.

How can I develop a privacy compliance framework?

A robust privacy compliance framework will include the following:

  1. Risk Assessment: Conduct a Privacy Audit, including data mapping, to understand what personal data the business holds and how it is managed.
  2. Back-end documentation: Develop policies and procedures to support privacy compliance: including a Data Breach Response Plan and privacy policies.
  3. Implementation of customer-facing communications: Ensure correct customer notifications and consents; incorporate privacy design into website development and online forms.
  4. A holistic approach: Secure buy-in from key stakeholders across the business to ensure privacy risks are identified, monitored and addressed in a cohesive way.
  5. An organisational culture that respects privacy: Embed privacy compliance into all of your data handling; build data protection into the design of personal data handling systems and processes to help to combat the risks associated with human error in the data handling chain; make sure the business has an ongoing commitment to privacy training and awareness.

The (necessary) human element in data handling

As highlighted, recent data breach reporting statistics have confirmed that 34% of data breaches are a result of human error. Regulatory reports are also indicating that there is an upward trend in this risk, with more and more breaches being caused by employee and/or contractor mistakes.

Businesses need to incorporate a ‘privacy by design’ approach in order to anticipate, address and mitigate the risks associated with the human element of systems and processes.

This means ensuring that privacy is ‘built into’ new data handling systems and processes at the outset, prior to implementation, and not simply bolted on as an afterthought.

One method to ensure this is for a business to conduct a specific assessment of the privacy risks and impacts associated with all new projects that involve new data collection or use, or changes to how the business handles personal information (known as a Privacy Impact Assessment or PIA).

PIAs can help your business to identify and mitigate key compliance risks in data handling at the outset of a project or new business arrangement, saving significant time and money in the long run.

What are my responsibilities when third parties are involved?

Businesses also need to be mindful of the increasing prevalence of, and risks associated with, using third parties to process data on their behalf.

To ensure you have effectively operationalised privacy, third parties (such as cloud service providers and managed IT service providers, for example) need to handle your data with the same level of protection and care that you do.

One way to ensure that your privacy culture is extended to include your third-party data processors is to include relevant data protection obligations in your contracts with them.

Mandatory standard contract clauses with third party data processors may even be legally required if you are a business that needs to comply with the strict European privacy law, the GDPR.

The GDPR requires mandatory clauses to be included in third-party processing contracts including details about the scope and purpose of the processing and the details of the type of personal data that is processed.

This forces businesses to turn their minds to the details and the potential risks of engaging third parties to handle personal information on their behalf.

Even outside of any GDPR compliance risks, to truly operationalise privacy compliance, businesses should be undertaking this level of due diligence every time the company engages third parties to handle its personal information. It is just good practice.

As legal professionals, we advise all clients to review current contracts for privacy content and to give careful consideration to contractual privacy obligations for new third-party data processor suppliers.

Remember, you are trusting these suppliers with one of your most valuable assets - your data!

Why operationalising privacy strengthens your business

Whether or not a business manages to truly operationalise privacy compliance can be a key indicator of the strength of its positioning in the market.

Many small businesses in the early start-up phase may have a greater appetite for risk in general, including privacy risk.

However, as companies move to the next level a key characteristic of a successful SME is often the ability to mature the business’ approach to risk, including privacy compliance risk.

Operationalising data protection across your organisation ensures you are investing in the future of your organisation and positioning for future growth and scalability.

In addition, it is investing in the security of some extremely valuable business assets: customer data and reputation.

Having advisers who you can trust is invaluable to help your business navigate its journey to operationalising privacy compliance, and is critical for SMEs looking to safeguard customer data.

Kara Birch

Director, Policy & Compliance at

I'm a lawyer and compliance consultant with Peripheral Blue, specialising in privacy law and data protection. My experience leading teams and delivering policy, compliance and audit solutions for government agencies (including the Australian Privacy Commissioner and Ombudsman SA) has honed my legislative and policy expertise. This experience is complemented by a commitment to clear communication and effective stakeholder engagement, harnessing the principles of co-design in pragmatic policy formulation.

I can assist you to:

  • Understand what laws and regulations apply to your business
  • Check your compliance through assessment and audits
  • Develop and implement compliance programs and policies
  • Interpret legislation, regulations and complex documentation
  • Conduct privacy audits, privacy impact assessments and data breach assessments
  • Address privacy compliance issues related to mergers and acquisitions and GDPR application
  • Educate staff, management and clients on complex policy issues

I have helped all kinds of organisations navigate the complexities of legislation and regulatory issues, working with a diverse range of groups spanning the public, private and not-for-profit sectors. If you have any questions regarding your business, please feel free to reach out.