Privacy compliance with Sprintlaw: Protecting your business data

In the lead up to the Office of the Australian Information Commissioner (OAIC)'s Privacy Awareness Week (6-12 May 2024), we asked online legal experts and .au member partner, Sprintlaw, to provide us their privacy law compliance tips for businesses. Here's what they had to say. 

Data carries significant value. When you run a business, personal information you may collect should be considered one of your most precious assets. However along with this value, also comes risks associated with having it on your systems.

With the proper legal instruments in place, you can protect the data your business holds.

What does the law say about data protection?

In Australia, we have strict laws that regulate data and privacy. These rules are largely found in the Privacy Act 1988 as well as the Australian Privacy Principles (APP). 

The exact regulations that apply to your business depend on your specific circumstances. Therefore, it's always a good idea to chat with a data and privacy legal expert for professional guidance.

To get you started, we've listed some key data privacy requirements that apply to most businesses below.

Website privacy policy

When you operate online as a business, it's essential to manage your legal obligations, including privacy obligations. A well-drafted privacy policy is critical if your business collects any kind of personal information. Personal information is defined as anything that can identify (or reasonably identify) an individual such as name, email address, phone number, home address, bank details - or if your business has an annual turnover of more than $3 million.

A privacy policy should set out what data you collect from your customers and staff and how you use it. Your privacy policy should be displayed on your website, letting users know how their data is being used. Privacy policies also need to meet certain legal standards. Therefore, it's a good idea to have a legal expert help when getting yours drafted.

Data Breach Notifications 

Notifiable Data Breaches (NDB) are defined under the Privacy Act as data breaches that are likely to cause 'serious harm', such as identity theft or fraud. If this happens, businesses must notify people who are likely to be affected.

So, what do you do if your business experiences a notifiable data breach that is likely to cause serious harm, as set out in the Act? You'll need to notify the OAIC, and then notify the individuals (such as third parties or customers) via a Data Breach Notification.

To ensure you are prepared for any breach, it's worth investing a good Data Breach Response Plan, especially if the NDB scheme applies to your business. A good plan will set out a clear process for your business to follow.

What happens if I don't comply with data and privacy laws? 

Non-compliance with data and privacy obligations set out in legislation have consequences. Your business could face heavy fines and be subject to an investigation by the OAIC. This could impact your business both financially and legally, as well as impact your business' reputation.

When consumers provide businesses with their information, they do so trusting it will be protected. Understandably, consumers prefer businesses they can trust - ideally, make sure yours is one of them by complying with data and privacy laws.

So how do I protect my business's data? 

There are multiple ways to ensure you meet your privacy obligations to protect your business and client data.

Should they be needed, documents like Website Terms and Conditions and a Cookie Policy can help your business operate transparently, by providing your customers with information about how you use their data.

Face-to-face operations also require data and privacy considerations. You may have confidential business documents that cannot fall into the wrong hands. Consider implementing Non-Disclosure Agreements (NDA's) or adding confidentiality clauses into your contracts - that way, you're making it clear what information needs to be kept under wraps.

Ultimately, the right legal protections for your business will depend on factors such as your business' size and operations and need. These should be coupled with cyber security measures to protect your business and client data. Discuss your data and privacy concerns with a legal expert, so they can provide professional guidance on your next steps.

Contributed by Sapna Goundan from Sprintlaw. If you would like to get in touch with the author, you can do so at [email protected].

.au members can access an exclusive offer on a Sprintlaw Membership and select legal services - including a 10 per cent discount on their Online Business Bundle. You'll receive four essential legal documents for your website such as a Privacy Policy and Website T&C's - all tailored to your business by an expert Sprintlaw lawyer. Learn more.

Disclaimer: All content contained in this article is intended to provide general information in summary form on legal and other topics, current at the time of first publication. The content does not constitute legal (or other) advice and should not be relied upon as such. You should obtain specific legal or other professional advice before relying on any content contained in this publication.

Privacy