The removal of this exemption comes amid significant cyberattacks and data breaches in recent years, which have affected retailers including Bunnings, Woolworths and Vinomofo. Consumers have become increasingly concerned about how their data is handled, with PwC research demonstrating that 60 per cent have opted not to engage with businesses due to privacy issues. The consequences of a breach also have the potential to be substantial, with maximum penalties for contravening the act potentially costing millions of dollars. Meanwhile, according to the PwC report, customer churn is about four per cent per significant breach. Dr Philip Bos, a security expert and founder of privacy protection software Bluekee, believes that this amendment is important. However, he told Inside Retail that more needs to be done to ensure that SMEs are up to speed with the changes. “Small businesses are the economic lifeblood of this country and are already burdened with red tape and bureaucracy. [However], privacy is a right and not a privilege, so it trumps in this case,” Bos said. “Once your privacy is compromised, it is done forever. The punter is agnostic to the size of the business from where the loss occurred – the damage to the user is the same.” “But in fairness to small businesses, the government privacy reforms should include advice and training on how to comply. Too often, the government enforces and penalises but does not offer methodologies, processes, or best practices. “If the likes of Optus, Medicare and Latitude can’t get it right, then how is the family business going to know where to turn?” Marginal improvements Bos outlined the importance of close liaison between peak industry bodies and the business community during the drafting and revision of legislation such as changes to the Privacy Act. He also emphasised the need for training and guidance for small businesses and retailers affected by the change – with this ideally coming ahead of the announcement. This, Bos explained, would facilitate more seamless adoption. However, Bos stressed that these changes should not be delayed or deferred due to this, with SME owners likely to put off any cybersecurity and data protection methods for as long as possible. “That’s the nature of operating a small business and having limited resources. However, there’s a crisis of fraud and data loss, as well as the overstoring of information, occurring and that needs to be remedied now,” he said. Businesses of all sizes should reconsider the information they are requesting and storing, and whether details including (but not limited to) age, credit card information and IP addresses need to be captured, Bos said. “Businesses need to understand there’s a paradigm shift, and they can’t continue to cobble up more and more firewalls and backups. Rather, they need to realise that having this data can be a liability. There needs to be some soul searching as to what business stores, and why businesses store it,” he said. And, despite the emergence of technological solutions – which collect the bare minimum details needed to secure a consumer’s digital identity – he believes that take-up has been slow, and that few cybersecurity improvements have been made in recent times. He contended that a strong force, that can facilitate change in the way businesses store and protect data, is public pressure. However, that tends to fade until the next significant hack occurs. “I think if you look back a year or two, and compare it to now, there’s been marginal improvement across the industry,” Bos said. Like driving a car Despite not having the same level of resources, Bos noted that SMEs possess certain advantages over large businesses when it comes to cybersecurity. Due to their relative size, they’re more able to make decisions and act quickly, and are less likely to be bound by unwieldy or entrenched infrastructural systems. “SMEs have the ability to choose new systems, and implement them much faster,” he said. Bos suggested a few tips for consumers to safeguard against cybersecurity breaches. These include a “zero trust” relationship with emails, SMSs and other communication apps, avoiding giving out more information than is necessary, and never giving out your name, date of birth, address or identity document details to unlisted callers. However, he believes this creates an “impossible onus on consumers” – who range in terms of age and technological capabilities – to constantly be vigilant. “I don’t think it’s fair to ask the average person to be technologically savvy, clued up on all the different platforms and watch every minute against data. We can give basic tips, but I fundamentally believe in a digital identity economy, and the government and private sector coming together and creating something,” he said. “It’s like driving a car. All you have to do is get from one destination to another and follow a few rules. You don’t need to be a mechanic or lawyer to understand it. It’s for the masses, and there’s industry behind it making it simple.”