Smarter Staff
Smarter Writer

This article has been written by the Smarter Business™ Staff Writers

Whether it’s the local gym or a boutique retailer, it seems that today thousands of Australian businesses have become indifferent when it comes to collecting and warehousing vast quantities of personal data about consumers.

In the past some businesses have taken a relaxed attitude to their privacy obligations and really the whole idea of giving the commissioner increased powers is to ensure people start taking this seriously.

- ALISON BAKER, HALL & WILCOX

Is your customer data legitimate?

Under the new APPs, says Baker, businesses are only expected to gather information if it’s genuinely needed for “legitimate functions or activities”.

That could mean reassessing whether it’s worthwhile collecting personal information about consumers at all.

“Businesses deal with information in various ways and at various levels. If you’re one of those businesses, you need to assess how you’re collecting it, when you’re collecting it, whether you’re collecting the right type of data, and whether you’re collecting more than you need because, if you are, then you shouldn’t be collecting that information. You also need to assess whether you continue to hold on to it or whether you destroy it,” says Baker.

New rules for direct marketing

The new APPs have changed the rules for direct marketing, making it an area of business practice that stands out as needing attention to comply with the new principles, according to Baker.

“With direct marketing you have to ensure that you have an opt-out mechanism in every communication, and if someone has indicated that they want to opt out of receiving the communication then you have to comply with that, and that’s in cases where you have collected the information directly from the individual and they have a reasonable expectation that you’ll use their personal information to market other products and services.”

“If you haven’t collected the information directly from the individual - or you have but they wouldn’t reasonably expect that you’d use it to market products and services - you need to get their consent where it’s practicable to do so and you need to include the opt-out mechanism in the communication. You also need to include a prominent statement that makes it clear that they don’t have to receive the marketing material,” Baker explains.

Clouding the issue: Is your data host up to scratch?

It’s common today for businesses to engage third-party providers to store data and information on their behalf. It can be difficult for some businesses to know with precision where that data is at all times.

That could make it difficult for many businesses to comply with the privacy principles. The new APPs place a responsibility on businesses to protect consumers from data breaches. They make it clear that businesses are responsible for ensuring that their third-party providers are compliant with the regime even if they’re offshore.

“It might just be that a cloud provider stores back-up data for them; rather than keeping it on one of their systems, they outsource it and put it in a cloud, and the operator of the cloud is located overseas,” says Baker. “If that data contains personal information then they’ve made a disclosure to the overseas recipient,” she adds.

“You need to set out in your policy which overseas jurisdictions you might send personal information to and, if you know them, set out the entities and exactly where it’s going to go. You should also enter strong contractual arrangements with a recipient that sets out an obligation on their part to make sure that they handle the information in accordance with the APPs.”

Handling customer requests for access or corrections

“If someone puts in a request to access or correct their information then the starting position is that the business has to provide access and make the corrections. There are some exceptions - if a business doesn’t want to go through that process then they have to respond to the person in writing as to why and make them aware that there are complaint mechanisms that they can use if they’re not happy with the refusal,” says Baker.

The verdict

Collecting consumer data is an essential piece of the puzzle for any small business hoping to use direct marketing to engage their customers. Just be sure that you don't cross the line into privacy invasion - review the rules thoroughly and ensure that you aren't crossing any ethical boundaries.
