The Future of Privacy Law for Australian Small Businesses – What do you need to know?

As Australia prepares for significant updates to its privacy laws, small businesses should start preparing for changes that could soon impact how they manage personal data. The Privacy Act 1988 (Cth) has historically exempted businesses with an annual turnover under $3 million. However, that exemption may soon disappear, bringing a host of new compliance obligations.

Key Upcoming Changes

1. Protecting Children’s Personal Information

The Office of the Australian Information Commissioner (OAIC) will develop a Children’s Online Privacy Code. This code will likely target social media and internet services accessed by children, adding extra layers of protection for their personal data.

2. Deleting and Reviewing Personal Information

Businesses will need to adopt technical and organisational measures to secure personal data, including making sure that they review the information they hold on a regular basis and delete information no longer needed.

3. AI and Automated Decision-Making

Entities using AI or automated decision-making that significantly affects individuals will need to disclose these practices in their privacy policies and consider how they can protect personal information while using AI.

4. New Legal Mechanisms

Proposed changes also include introducing a tort for serious invasions of privacy and, for secure international data transfers, a whitelist of countries that the OAIC recognises as having laws equivalent to Australian privacy laws.

Expected changes for the next round of new legislation

A very important change that was foreshadowed by the Australian Government, but is not included in the Bill, is the removal of the small business exemption. This would mean that small businesses that have never had a turnover of more than $3 million would need to make sure that they are in compliance with the Privacy Act. Although this change is not featured in the Bill, businesses are encouraged to start aligning their data practices with the Privacy Act now.

Best Practices to prepare for 2025 and beyond

Given these impending changes, here are steps small businesses can take now:

Create a Privacy Policy: Even if not currently required, having a clear, accessible policy outlining how personal information is collected, stored, and used will future-proof your business.

Obtain Consent: Always secure consent when collecting sensitive information, using third-party data, or engaging in direct marketing.

Secure Data Properly: Implement both technical and organisational measures, such as staff training and secure software systems, to protect personal information.

Prepare for Deletion Requirements: Regularly review stored data and ensure mechanisms are in place for secure deletion when information is no longer needed.

Review Use of AI: Ensure transparency in decision-making processes involving AI or automated tools, and update privacy policies accordingly.

Staying proactive and aligning data management practices with evolving privacy laws will not only help Australian small businesses remain compliant but also build trust with customers in an increasingly data-conscious world.

Please reach out to us for more information or advice at Grazia@GraziaLegal.com.au
