I think COSBOA is wrong on possible data law changes
Paul Smith, writing at The Australian Financial Review, reported yesterday that COSBOA opposes applying changes to data privacy law to small businesses.
The peak body representing thousands of Australian small businesses has warned against imposing the same new data privacy laws on companies of all sizes following the Optus data breach, saying it is unrealistic and unaffordable for smaller operators without extra government support.
The government and privacy commissioner have flagged changes to privacy laws to force companies to take their responsibility to protect sensitive data more seriously. This would include significantly raising fines and extending breach reporting responsibilities to small businesses with turnover under $3.1 million, which are currently exempted.
Alexi Boyd, chief executive of the Council of Small Business Organisations Australia, told The Australian Financial Review it would be senseless to impose new rules that would be impossible for operators like hairdressers and mechanics to meet.
“It’s really crucial that the government, when they’re making decisions like this, consider the impact on small business people of any regulatory changes because ultimately, it will be them who spends the money and the time implementing them,” Ms Boyd said.
“They don’t have IT departments, very few of them have IT management consultants on call, so they will be the ones that have to learn what to do and implement this, and it will potentially be an increased cost of business.”
…
Ms Boyd said the government should follow an approach of “education first, enforcement second” with small businesses, which were now making much greater use of data through software subscriptions and smart point-of-sale devices to operate more efficiently.
She said the digitisation of small businesses had happened rapidly, and that COSBOA would support any measure from the government to help mitigate the risk for both the business owner and the customers, whose data that they hold, which she said could involve education programs and potentially financial assistance.
I own a small business focussed POS software company serving 3,000+ local retailers, and I own four local retail shops in Melbourne. I think the COSBOA position as put is ignorant, and selfish.
Too often I see private personal data disrespected, collected and stored without consideration as to security and necessity. While most businesses I have seen do not fail to respect the privacy of their customers in this way, enough do for it to be a problem.
From what I can see, poor privacy practices are employed out of laziness, not because of the cost of tech or ignorance as to requirements. From what I see, people are lazy, entering credit card details into software that can be hacked rather than taking an easier step of using a secure and separate platform.
The need to respect the privacy of sensitive personal information is not new. No notice is needed as to this requirement.
I hope the government issues new and stringent standards and that they apply equally to all businesses. This is not a time for us to be soft, not for us, especially not for our customers.
The CEO of COSBOA appears to use examples that, to me, are nonsense.
“How do you do that? How do you get a hairdresser, or a cafe owner, or someone who is a fitness instructor to start doing this? What are you expecting them to do?” she said.
“Also, where does the onus and responsibility lie? Does it lie with the software companies that are holding that data, or with the small business owner? How does that even begin to work? It’s not something that you can just flick a switch on, because every small business digitises differently.”
Why would a hairdresser or cafe owner have any private data? For a loyalty program maybe. But not private data like a licence, passport number or credit card number surely?!
And then there is the comment about software. It’s not complex. The party collecting data from the public is responsible, as that is where any privacy representation is made.
Also, some software does not store data in a place under the control of the software company. In the cases where it does, the software company has to share the responsibility.
Now is not the time for lobbying to dilute responsibility. We owe our customers more than this.
Let’s see what the government proposes before we get lathered up for a fight about what we think may happen, and then, let’s put the interests of our customers first.