Few industries collect more data, and utilise it more regularly and effectively, than retail. The personalised marketing, product recommendations and shopper segmentation that retailers use to enhance their customer experience all stem from data.

However, privacy breaches are increasing in severity and regularity, with the personal information of millions of Australians compromised by high-profile breaches in the last 24 months alone. As a result, the Government is extending the jurisdiction of the Privacy Act 1988 to protect more consumers.

For tens of thousands of previously exempt retailers, failure to comply – and better protect, handle and communicate – could see them liable for hefty fines and penalties. Unfortunately, there is much confusion.

Research from Zoho indicates that a quarter of Australian SMBs don’t understand the incoming legislation. A further third are unsure whether they collect data, and nearly half of those that do collect it do not disclose this to their customers. Disclosure is vitally important, not only for adhering to incoming regulations but for building trust too.

The Privacy Act 1988 in retail

The Privacy Act 1988 governs the management of personal information by Australian businesses and government agencies. It sets out guidelines for the collection, storage, use, and disclosure of personal data, with the primary goal of protecting consumers’ privacy rights. Previously, this legislation only applied to private sector enterprises with an annual turnover exceeding AUD$3 million – which meant that millions of SMBs were exempt.

In the past year, a review led by the Attorney General proposed eliminating the AUD$3 million exemption, which will impact millions of SMBs. The regulations are being extended in response to a surge in privacy breaches. The Australian Cyber Security Centre (ACSC) received over 94,000 reports of cybercrimes during the 2022-23 financial year, averaging one report every six minutes and affecting millions of Australians.

Retail, an industry made up of tens of thousands of small businesses, will be one of the most impacted sectors. Only when we safeguard personal information can we experience the full benefits of the eCommerce boom. For retailers, compliance is essential; by proactively protecting their customers’ data, retailers not only reduce the risk of fines for non-compliance, but build trust with consumers who are taking online privacy more seriously than ever before.

Building safeguards, proactively

While certain specifics of the legislation, its requirements and the penalties for non-compliance are still being consulted on, the message is clear. Protecting consumer data has never been more important. Retailers who are proactive can carve out a competitive advantage, both in the eyes of their customers and in the eyes of policymakers. Retailers should seek out legal advice to understand exactly what is expected of them, for example from their accountant or local chambers of commerce. However, there are a number of proactive steps they can take to build safeguards and best practice.

Zoho research reveals that 59.4% of small businesses acknowledge their vulnerability to data breaches, yet they often lack proactive measures to strengthen their data security. Establishing a well-documented data privacy policy is crucial for small retailers, ensuring it is effectively communicated to customers and adhered to by staff. Such policies not only reduce the likelihood of breaches by promoting best practice and encouraging proactivity, but they also provide guidance in the event of an incident.

Additionally, smaller retailers must exercise caution when selecting technology providers. Ask your vendors what safeguards and policies their technology has. Understanding the data handling policies of these providers is essential for SMBs, as is choosing browsers – like Zoho’s Ulaa – that prioritise privacy by integrating features such as ad blockers and end-to-end encryption.

Furthermore, integrating various strategies and protections is imperative for retail SMBs. Implementing robust encryption protocols safeguards sensitive data, while regular employee training sessions reinforce best practices and minimise human error. Adopting multi-factor authentication adds an extra layer of security, and regular software updates and security audits reduce risks too.

Responding to a breach

Concerningly, according to our research, close to 350,000 SMBs admit to being unaware of the essential steps to take in the event of a breach. Swift containment of breaches is imperative, followed by prompt notification of affected individuals and reporting the incident to the Office of the Australian Information Commissioner (OAIC). Online retailers should also consider pausing sales during and after a breach to ensure the issue is fixed and their website is secure.

Subsequently, retail SMBs should initiate a thorough investigation into the breach, pinpointing vulnerabilities and implementing necessary security enhancements to reduce future risk. By consistently reviewing and updating their privacy policies and procedures, SMBs can significantly bolster their ability to mitigate the risk of future breaches.

The boom in eCommerce has provided new opportunities and customers for online retailers, but in tandem, it has created new risks too. As privacy threats increase, so too does regulation. Policymakers and the tech industry must provide more support to help retailers comply with new regulations, minimise the risk of a breach and maximise trust with customers, and retailers must be more proactive when it comes to privacy.

Vijay Sundaram is chief strategy officer at Zoho.