Australian businesses must place consumer privacy and information security at the core of their 2025 data strategies or face new legal risks in addition to potential operational and reputational damage.

The first tranche of long-expected reforms to Australia’s Privacy Act (Privacy and Other Legislation Amendment Act 2024) was legislated in late 2024 and will apply to all businesses with an annual turnover above $3 million.

All businesses – large and small – should be aware of the reforms and their legal and reputational impacts.

The initial amendment introduces a raft of changes to empower individuals, including a statutory tort that will provide a legal avenue to pursue compensation for privacy-based damage or loss against an organisation or individual.

While lower-earning businesses have been excluded from the updated legislation for now, this may not be the case for future reform tranches, of which at least one more is expected. In the meantime, the increased consumer powers and any resulting legal action will put pressure on businesses of all sizes and sectors to lift their data security standards.

Even businesses that are not legally required to comply will likely experience increased consumer scrutiny, and those that don’t demonstrate respect for personal data autonomy, dignity and security could face customer distrust or rejection.

The move to better protect the privacy of Australian consumers follows a series of major data breaches as well as awareness of the greater protections given to some international consumers. Europe’s General Data Protection Regulation (GDPR) came into effect in 2018, with the California Consumer Privacy Act (CCPA) following in 2020.

Data collection and analysis is a significant priority for small businesses looking to better understand their customers, enhance communications and tailor products and services more in line with their needs.

As privacy regulations continue to strengthen, however, it’s essential that businesses strike a balance between knowing their current and potential customer needs and upholding personal privacy.

If an individual has been involved in a previous data breach, for example, their concerns around a lack of data privacy, consent and transparency could be enough for them to take their business elsewhere.

Best practice data strategies integrate privacy by design, considering security at every stage of the data lifecycle from collection, transit and analysis to disposal, and ensuring the highest levels of access control and encryption.

All businesses should regularly review the amount of information they collect, determine what’s actually being used, and move towards data minimisation wherever possible so they hold only the most necessary information.

Documenting and implementing a data retention policy is also key, as well as training employees to make sure they can uphold compliance requirements and respond adequately to consumer queries, requests and concerns.

Businesses, data analysts, advertisers and marketers should all be watching this space closely, as it is yet to be seen how future changes may further impact evolving areas such as machine learning and predictive analytics relating to customer segmentation and A/B testing.

With data breaches a consistent concern for Australian businesses, RSM Australia’s recent report Cyber storm rising: navigating the path to resilience for Australian businesses canvassed the cyber preparedness and capacity of 150 Australian C-suite executives.

The report illustrates the large portion of Australian businesses that remain underprepared for a cyberattack, with results indicating that only half of Australian leaders were confident in their staff’s capacity to manage a cybersecurity risk, compared to 84% of UK and US leaders.

Most concerningly, the report showed that only 66% of large firms and 55% of mid-sized firms have run a response test to a cyberattack within the past year.

With privacy and information security regulations only expected to strengthen, it’s critical businesses embed rigorous internal and external testing to identify any weaknesses and ensure they can appropriately defend against cyber threats and safeguard consumer data.

RSM Australia.