14 May 2026
Data privacy is a concern, even for small businesses
Governments are clamping down on businesses that hold sensitive data. Around the world, regulators are tightening privacy and data security requirements to better protect individuals’ information. Organisations are obliged to exercise due care and due diligence, and failure to do so can result in penalties. This expectation of due diligence with respect to privacy and data security now applies across many industries.
Key Data Privacy Laws Affecting Small Businesses
Australia’s privacy laws are centred around the Privacy Act 1988. This Act sets out how organisations must collect, store, use and protect personal information. Depending on the type of work a business performs, additional obligations may also arise through health records legislation, contractual requirements, industry standards or government procurement rules.
Over the years, we have seen businesses surprised to discover that privacy obligations can arise not just from legislation, but from contracts, client expectations and the simple responsibility that comes with holding other people’s information. Understanding where those obligations begin is an important part of building trust and reducing risk. Governments are also tightening privacy and data security rules to raise the overall standard of how organisations handle information.
Best Practices for Data Privacy Compliance
Good privacy practice is rarely the result of a single product or policy. In our experience, organisations improve privacy outcomes by steadily building good operational habits into the way their systems and teams work every day. Governments are also tightening privacy and data security rules to encourage these practices in businesses large and small.
For small businesses, some of the most effective measures are also the most practical: limiting access to sensitive information, encrypting data wherever possible, regularly reviewing who can access systems, and ensuring staff understand their responsibilities when handling client information. Regular audits of cloud platforms, user accounts and third-party services can also reveal risks that quietly accumulate over time.
We often find that smaller organisations assume they are “too small to be targeted.” In reality, their greatest risk is usually accidental exposure, unclear processes or overly broad access permissions. Strong privacy compliance comes from knowing where information lives and how it moves through the business. Furthermore, maintaining enough visibility and governance helps to keep control of it as systems evolve.
Consequences of Non-Compliance
Australian regulators have increasingly signalled that organisations cannot simply outsource responsibility for security and privacy risks. A widely discussed example was Australian Securities and Investments Commission v RI Advice Group Pty Ltd, where the court found that inadequate cybersecurity practices exposed the organisation to foreseeable risks. Many of the issues arose across authorised representatives and external environments. The case reminds us that organisations are expected to take reasonable steps, usually described as due diligence, to understand and manage the systems and providers they rely upon. Governments are clearly clamping down on privacy and data security, and enforcement will continue.
In our experience, organisations are rarely careless on purpose. More often, systems simply evolve faster than governance around them. Permissions accumulate, processes become informal, and assumptions replace visibility. That is why regular review and clear operational controls are such an important part of protecting both data and reputation.
Useful references: