SMEs are critical to the economy. So how secure is their data?

Simon Bush

With 98 per cent of Australian businesses comprising of small businesses contributing a third of our economic output and employing 41 per cent of the workforce, governments are naturally attuned to their needs.

However, the policy and political focus on SMEs sometimes blinds them to good policy and necessary reforms that benefits that sector.

The federal government’s recent Budget invested heavily in small business, with a $1 billion Technology Investment Boost that allows for a 120 per cent tax deduction on digital or tech business expenses – including moving to modern cloud-based services and a similar deduction for skills training and capability uplift.

Using the tax system rather than cash grants is good program design and SMEs moving customer data into secure cloud platforms will both improve cyber resilience and increase the protection of their customer’s data.

Simon Bush
AIIA policy general manager Simon Bush

Whilst this tax incentive to uplift digital (and cyber) capability among SMEs is welcome, I believe the government can and should accompany this investment with another vital policy reform. That is that small businesses should be captured under the Privacy Act.

This would drive much needed digital adoption and re-platforming for smaller companies leveraging the budget investments in this sector. Whilst protecting the economy, the simple move would also drive greater efficiency and productivity across the economy.

Ultimately the net gain for the SME sector is greater than the imposition.

The government is currently reviewing and updating the Privacy Act to reflect advances in technology and adoption which is the right thing to do. However, it needs to remove the nonsensical exemption that applies to small business in the Privacy Act as part of its review, and it must update the Act to meet modern digital expectations and safeguards.

A person’s privacy and the protection of personal data should be protected under the Act, and being a small or medium business should not give you a ‘get out of jail free’ card for poor cyber security and protection and control of data.

The size of the customer base that resides in the systems of the SME sector and therefore the exposure of personal information breaches is more substantial than you would think.

My point is that a small business that holds the personal financial information of thousands if not millions of Australians should not be excluded from mandating that their data is secure and protected.

Ransomware and cyber-attacks do not discriminate between small and large businesses. Indeed, they tend to target small businesses because they are easier to breach.

A citizen’s data and privacy should be protected no matter the size of the business.

In fact, if the regime was extended to cover all businesses, then Australians would feel safer in buying services from small businesses which will boost their revenues.

Again, the net gain is advantageous for the small business operator. Traders have to comply with rules and regulations around financial transactions and therefore compliance around data security should be no different.

The EU’s General Data Protection Regulation (GDPR) has no such small business carve out which is one of the more advanced privacy regimes in the world and referenced in Australia’s Privacy Act review.

The removal of the small business exemption in Australia’s Privacy Act would also make it easier for the government to include a distinction between controllers and processors of data which the AIIA has been calling for some time.

I recognise that the removal of the small business exemption in the Privacy Act would make some politicians nervous, but so should the risk associated with data breaches.

A sensible approach off the back of the $1b investment in the budget would be that the penalties for small business breaches under the Act could be a lesser amount than for larger companies – while making them accountable for securing important data. It could also give small business a two year moratorium before it takes affect.

This one small amendment to government legislation would do more to uplift digital capacity among SMEs than any other policy lever and it doesn’t cost a cent – its one the government should take.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories