If you are a startup founder or small business owner, February 22 is an important date: it is the date that the Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into full effect.
These new laws require companies that experience any significant data breach to notify the Office of the Australian Information Commissioner and any affected clients. Failure to comply can result in responsible individuals – a company’s founder and key employees – being served penalties of up to $360,000, and companies up to $1.8 million.
Although the new legislation states that it covers most government agencies and private companies with an annual turnover of $3 million or more – a revenue figure being reached by more and more Australian startups – startups with revenue below $3 million, including pre-revenue startups, are also covered if they operate in segments such as healthtech or sportstech, particularly if they collect health-related data from users.
Additionally, if a startup handles information like credit reporting, building data, tax data, and basically any personal information of users, then the law applies. Essentially, if you have a database of your users with details like their name, email address, postcode, and actual address, you should be putting in place procedures around how that data is accessed and used in your business.
If employees are accessing data remotely when working from home or on location away from the office, are you able to track everything? Does everyone have their own individual logins for systems that handle user data so that you can trace, for example, the downloading of that data?
These are questions that founders and key individuals working within Australian startup companies need to be asking themselves, and acting on promptly if appropriate systems are not currently in place.
You are also required to have a written standard plan in place should a data breach occur, now or at any time in the future. All employees should also be made aware of this plan and how it is executed if the need arises.
It is also worth mentioning that hacking is not something reserved for global startups like Uber or tech companies like Yahoo; the majority of data breaches actually happen to small companies and the ‘hacker’ quite often turns out to be a disgruntled or ex-employee of that organisation.
Therefore, the procedures around how startups exit employees – particularly the process for revoking access to systems that can reach user data – are a key component of any standard plan.
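The two practical questions raised above (does every person have their own login so that downloads of user data can be traced, and is access actually revoked when someone leaves) both come down to keeping an access log that names the individual user and reviewing it. The following Python is an added illustration, not code from the article: the log format, the user names, the export threshold and the list of offboarded accounts are all constructed assumptions. It shows the two checks a founder would want to run over such a log: who exported how many records, and whether any account that should have been disabled at exit still appears after its exit date.

```python
"""Review a per-user access log for the customer database.

Added illustration; the log format below is an assumption, not a real
product's format. Each line is: <ISO timestamp> <user> <action> <record count>
"""
from collections import Counter
from datetime import date, datetime

# Constructed sample audit log covering one working day.
SAMPLE_LOG = """\
2018-02-23T09:02:11 alice VIEW 1
2018-02-23T09:05:40 alice VIEW 1
2018-02-23T10:15:03 bob EXPORT 2500
2018-02-23T10:16:30 bob EXPORT 3100
2018-02-23T11:00:00 carol VIEW 4
2018-02-23T11:09:45 dave EXPORT 12
2018-02-23T23:41:02 dave EXPORT 9800
"""

# Constructed HR record: accounts that should have been disabled on exit,
# keyed by username with the employee's last day.
OFFBOARDED = {"dave": date(2018, 2, 20)}


def parse_log(text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "records": int(count),
        })
    return events


def records_exported_per_user(events):
    """Total number of records each individual user exported."""
    totals = Counter()
    for e in events:
        if e["action"] == "EXPORT":
            totals[e["user"]] += e["records"]
    return totals


def flag_bulk_exports(events, threshold=1000):
    """Users whose exported record count exceeds the threshold.

    The threshold is an assumed figure; a real one depends on what a normal
    day's work for that role looks like.
    """
    return {u: n for u, n in records_exported_per_user(events).items()
            if n > threshold}


def flag_offboarded_access(events, offboarded):
    """Events by an account after its recorded exit date.

    Any hit here means access revocation did not happen at offboarding.
    """
    return [e for e in events
            if e["user"] in offboarded and e["ts"].date() > offboarded[e["user"]]]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("Bulk exports:", flag_bulk_exports(evts))
    for e in flag_offboarded_access(evts, OFFBOARDED):
        print("Access after exit:", e["user"], e["ts"].isoformat(), e["action"], e["records"])
```

Both checks depend entirely on the log naming an individual: if staff share a generic login, the export totals and the post-exit access list attribute to nobody, which is exactly the traceability gap the paragraph above warns about.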
Startups found to have experienced a data breach after February 22 that claim they were not aware a breach had occurred – even if that statement is true – can no longer rely on the plausible deniability that could once be exercised under the Act. These new laws mean no company in Australia can be wilfully blind to a data breach, because its data must be protected and its usage must be trackable.