Governments are naturally sensitive to the needs of small businesses, which make up 98 percent of Australian companies and account for 33% of Australia’s economic output. They also employ 41% of the workforce.
Sometimes, however, the political and policy focus on SMEs can blind them to sound policies and reforms that benefit that sector.
Recent federal budget investments in small businesses were significant. A $1 billion Technology Investment Boost allowed for a 120 percent tax deduction on digital and tech business expenses. This includes moving to cloud-based services and a similar conclusion for skill training and capability enhancement.
Good program design involves using the tax system instead of cash grants. SMEs can move customer data to secure cloud platforms, improving cyber resilience and protecting customer data.
While I welcome the tax incentive to increase SMEs’ digital (and cyber) capabilities, I believe that the government should also accompany this investment with vital policy reform. This is why the Privacy Act should cover small businesses.
This would encourage digital adoption and re-platform for small companies with budgets to invest in this sector. This simple step would protect the economy and increase efficiency and productivity throughout the economy.
The net gain for SME sectors is ultimately more significant than the imposition.
The government is updating and reviewing the Privacy Act to keep pace with technological advances and adaptive technology. This is the right thing. It must remove the absurd exemption for small businesses in the Privacy Act. The Act must also be updated to meet digital expectations.
The Act should protect a person’s privacy. Small or medium businesses should not be allowed to give away their data security.
You would be surprised at the sheer size of the customer base in the SME sector’s systems and the consequent exposure to personal information breaches.
I am arguing that small businesses that hold personal financial information for thousands, if not millions of Australians, should be required to ensure that this data is protected and secure.
Cyber-attacks and ransomware do not discriminate between large and small businesses. They tend to attack small companies as they are more challenging to hack.
No matter how big the business is, citizens’ privacy and data should be protected.
If the regime were extended to all businesses, Australians would feel more secure buying services from small businesses to increase their revenue.
The net benefit is also advantageous to the small business owner. Traders must comply with regulations and rules governing financial transactions. Data security compliance should also be a priority.
The EU’s General Data Protection Regulation (GDPR) does not allow small business arrangements. It is considered one of the most advanced privacy regimes worldwide and was referenced in Australia’s Privacy Act review.
The government would be able to remove the exemption for small businesses from Australia’s Privacy Act, making it easier for them to distinguish between processors and controllers of data. This is something that the AIIA has been requesting for some time.
While I understand that some politicians might be nervous about the Privacy Act’s removal of the exemption for small businesses, data breaches should not be taken lightly.
The $1b budget investment could lead to a sensible approach. Minor business violations of the Act may be subject to lower penalties than larger companies while still holding them responsible for protecting critical data. Small businesses could be granted a two-year moratorium before the Act’s effective date.
One small change to government legislation could do more for digital capacity enhancement among SMEs than any other policy lever. It doesn’t even cost a cent – it is the one that government should make.
