Retailers recognise the importance of digital innovation as a pivotal element in their efforts to drive sales and stand out, especially in critical areas like marketing, customer experience, and product development.

Today retailers big and small harness technology to enhance the quality of their service, by employing methods such as personalised shopping experiences, advanced inventory management systems, e-commerce, and digital customer profiles. However, are retailers adhering to privacy laws and best practice?

Like many other industries, the retail sector is at risk of privacy breaches. Australian retail businesses must comply with data privacy and security regulations, particularly when it comes to their customers. The Privacy Act 1988 mandates that retailers only collect sensitive information if it’s reasonably necessary for their functions or activities, and where they have clear consent from the customer.

Currently, only businesses generating annual turnover in excess of A$3 million must adhere to this regulatory framework, but with online threats increasing, the government is consulting on removing the exemption for small businesses.

In the 2021-22 financial year, there was a substantial rise in cybercrime reports across various industries, with the Australian Cyber Security Centre (ACSC) registering over 76,000 incidents. This marked a 13% year-on-year rise. Regardless of the specific industry or company size, every business with an online presence is susceptible to potential breaches.

Privacy breaches don’t discriminate; they affect a wide range of businesses, including those that wrongly believe they are at a lower risk. Retail is an industry rich in, and reliant on, small businesses, which play a significant role in the economy. Recent Zoho research into privacy awareness and action amongst small businesses – many in the retail sector – found that a quarter of businesses would fail to survive the financial or reputational damage of a breach.

Awareness is heightened, but action lags behind

As privacy breaches escalate, they are attracting increased public attention. For example, high-profile Australian corporations like Optus, Telstra, and Medibank have had their security breaches widely reported in the media. With so much activity and data shared between consumers and online retail businesses, the industry is as at risk as any. But how have organisations responded to these prominent security breaches?

According to Zoho, there has been an increase in awareness, with nearly half (45.4%) of respondents labelling data privacy a top priority, and an additional 30% deeming it important. Despite this heightened awareness, the research also reveals that many have not taken concrete actions to mitigate their risks. Perhaps the most striking discovery is that a quarter of these organisations would not survive a breach, whether financially or reputationally. According to Deloitte’s Retail Holiday Report, Australian consumers ranked retail third last in a list of industries they trust to handle their data responsibly – a clear sign that awareness must become action.

The threat of the unknown

Retail benefits as much as any industry from data collection, which allows businesses to understand their customers and better tailor their customer experience to their needs. It’s this reliance that puts businesses at risk, and makes retail one of the key industries the government is focusing on with new regulations. Privacy regulations within the retail sector carry significant importance, given that customers are supplying their personal information when making online purchases – often without knowledge or consent.

Making businesses more aware and accountable is why the Privacy Act 1988 – a federal statute governing the collection, use, storage, and disclosure of personal information – could be extended. Non-compliance with these regulations can lead to significant fines and penalties for retailers. Worryingly, only half of organisations (51.8%) understand the requirements outlined in the legislation, while 22.9% admit to not understanding them at all.

Time to take action

Zoho’s research also found that 18.4% of respondents either didn’t have a data privacy policy or had one but never renewed it. The findings also indicated that only 40.3% had a grasp of the proper steps to take in case of a breach, whereas 13.5%, equivalent to nearly 350,000 businesses, confessed to having ‘no clue’ about how to respond to a security breach.

Achieving immunity from data breaches is an unattainable goal, especially as cyberattacks continue to evolve and become more technical. Nevertheless, there are numerous methods to mitigate the risk and respond effectively. For any online retailer, establishing a well-defined, documented, and consistently enforced privacy policy that is communicated to customers and adhered to by staff is vital.

Digital transformation has revolutionised the way retailers and shoppers engage with one another, but cybercrime and data privacy present an Achilles heel. Through heightened awareness, education, decisive action, and the appropriate support, businesses can minimise their risk. Ultimately, safeguarding customer trust and data integrity is non-negotiable for success in the retail sector, today and long into the future.

Vijay Sundaram is chief strategy officer at Zoho.