How much of a risk are you prepared to take?


What is the Privacy risk threshold of your business?
What is your personal threshold?


Whether your business needs to comply with Privacy regulations or not, you have a responsibility to your clients and employees to protect their personal information. They expect your business to act as a trusted custodian of their personal information.

Take a few minutes to read on and reflect on how much you are willing to risk…

What is your risk threshold?

Here are a few questions you need to ask yourself about your business practices and the level of risk you are prepared to endure. It’s not a comprehensive list, but it will hopefully help.


  1. Does your business need to comply with any Privacy regulations?

You must be compliant with the Regulatory environment you are operating in. In some cases, this may extend outside Australia to other jurisdictions such as the European GDPR.

However, even if your business is not required to comply, you have a moral obligation to protect your clients’ personal information. They expect it!

They may not necessarily think about it beforehand, but they definitely will when a breach occurs. In their eyes, it will not be an excuse that your business doesn’t need to comply with a regulation.

Clients will look elsewhere if they do not trust your business.


  2. Do you know where your business’s personal information is?

To protect it, you must know what information you have, where it is located, whether it is secure, and who has access to it.

The same applies to your information while it is being transmitted to and from various devices and systems.

It’s vital to create a register of one of your most critical assets and keep it current.

Do not forget to include mobile phones, USB drives, personal Email accounts, personal laptops, etc.


  3. Have all reasonable steps been taken to ensure there is an appropriate level of protection of your business’s personal information?

A Privacy Policy is not enough. It needs to be backed up by procedures and practices that are well understood and adhered to by all staff and contractors.

Regular IT and office security audits are a must.


  4. Are you confident the third parties who handle your business’s personal information have taken all reasonable steps to protect it?

Stringent due diligence must be conducted on all third parties. It is your responsibility to ensure they are aware of, and meet, their Privacy obligations.

A 2018 survey in Australia found that 67% of business owners are not confident.

Is it any wonder there is a growing lack of confidence within the community?


  5. Are your staff and contractors fully aware of their responsibilities in handling personal information?

A sustainable Education and Awareness program will go a long way to reducing human error.

Whether they are new or long-term employees, everyone needs to be constantly reminded of their responsibilities. The best thing about this initiative is that it’s totally up to you how effective you want it to be. It’s in your hands.

Human errors account for 35% of all breaches reported to the OAIC since the introduction of the mandatory Notifiable Data Breach scheme in February 2018. This percentage does not include email phishing, which would bring human errors up to around 60%.


  6. Do you feel confident your business will not have a data breach?

No business should ever be completely confident (no matter the size). However, you need to feel good that you have taken all reasonable steps within your capacity.

The numbers below, from recent surveys in Australia, should ring alarm bells for every SMB:

    • 9.5 days (average) between a breach occurring and misuse of the stolen credentials, yet it takes 90 days on average to detect the breach. By then, the horse has already bolted. In fact, it’s already well past the finish line.
    • 53% of businesses have suffered multiple breaches.
    • 43% of cyber-attacks target SMBs. They are easier targets and offer the least resistance. Of those attacked, 22% have since closed.


  7. Does your business have procedures to handle a Data Breach?

A brand can be destroyed in a moment with a badly handled breach.

It’s critical to have a Data Breach Response (DBR) plan to provide a structured process in very stressful times.


  8. If you have a Data Breach, will your business survive?

Breaches not only impact your business but your lifestyle, family, clients and employees.


Do you have any concerns?

How much of a risk are you prepared to take?


If you have even the slightest concern, please contact Privacy Proactive for a free, no-obligation consultation about your current situation, and we can help prepare your business.

A Privacy breach hits right at the heart of your clients’ trust.

It has a detrimental impact on your business and can result in business closure.

Without client trust in your business (your brand), you not only lose sales, you gain negative brand advocates who can turn potential clients away from your business as well. Bad news travels fast, more so these days with social media!

Client trust is vital in today’s digital environment, where client expectations are increasing, competition is fierce, and clients have a ‘public voice’. Even for small and medium-sized businesses, it is a brand differentiator (your business’s reputation and values) that could make or break your business. You only have to look at the recent scandals around Facebook or the Australian banks to see this happening.

The good news is that the degree of negative impact on your business from a privacy breach is in your hands, provided you have a well-prepared ‘Data Breach Response’ (DBR) plan.

If a privacy breach is handled well, it can possibly restore and even enhance your brand’s reputation. It illustrates to your clients that your business genuinely cares about them and their needs.


Statistics of privacy breaches and the negative impact on businesses:

During 2017 in Australia, 43% of cyber-attacks targeted small businesses. Out of those, 22% have closed*. The common thread for many of the closures was poor preparation and handling of the breach resulting in loss of trust, and ultimately clients.

*Australian Small Business and Family Enterprise Ombudsman Cyber Security Guide – 2018


It is important to remember that time matters!

Regardless of the time, effort and investment you have made in building client trust, a delayed response, decision and action after a breach is a poorly handled breach. It will significantly increase the negative impact on your business and its reputation, resulting in loss of client loyalty and sales.


KEY TIPS – for developing and sustaining a Data Breach Response (DBR) plan:

  • Develop the plan with Privacy Experts (leverage accessible information from trusted resources) and with your key staff (leverage internal knowledge, to gain commitment)
  • Conduct on-going reviews of the plan (at least annually or when significant changes take place internally or externally)
  • Conduct regular staff training for those who handle personal information (plus include training in Staff Induction programs)
  • Conduct a mock drill at least once every two years.


KEY BENEFITS – your business can gain with a well-prepared DBR plan:

  • A clear and structured process during stressful times of a breach
  • Quickly brings the right people together to respond effectively (such as IT, legal, etc)
  • Documented findings and outcomes of the breach situation (know what’s happened and the potential consequences)
  • Effective reports available for management to understand and make an informed decision
  • Minimise the likelihood of a recurrence of the breach through documented recommendations to upgrade policies and practices
  • Documented evidence of the assessment being conducted to validate effective handling of a breach.


A SMART CHOICE – to minimise negative impact of a breach on your business, speak with the experts at Privacy Proactive. We can help you:

  1. Implement a tailored Data Breach Response (DBR) plan aligned with your business needs
  2. Provide you with support during a privacy breach
  3. Ensure regulatory changes are built into your DBR plan immediately
  4. Review your DBR plan annually
  5. Provide DBR training annually to make sure everyone in your business understands their responsibilities.

How do you protect your business’s greatest asset – your clients’ information?

Your business mindset should be ‘when’, not ‘if’, a privacy breach will occur!

Our working environments have become more digital and mobile, with higher risks that expose our daily business operations. Not all businesses operate online, but they are all still at risk.

Small to medium businesses are often a prime target for online hackers and scammers, as they typically have lower budgets and fewer resources to invest in their security.

Cyber-crime can include, among other things, deceptive conduct such as theft of critical business information (including your clients’ details), or hacking a business to obtain a client’s details or gain access to a supplier’s network.

Statistics of small to medium-sized business and cyber-crime incidents in Australia reveal how vulnerable they are*:

  • Cyber-crime cost to businesses in Australia is rising exponentially, costing an estimated $1 billion each year.
  • Cyber-crime is rated by SMEs as the 5th biggest risk to their business; however, among SMEs with a turnover of approximately two million or more, almost 60% stated they did not feel well-informed about the risks of cyber-crime to their business.
  • 93% said they would like a tool: there is a need for risk-management tools for SME owner-operators to protect their businesses from cyber-crime.
  • Only one in five SMEs purchased insurance to protect them from cyber-crime.

*NSW Small Business Commissioner in May 2017

Your client information is an asset worth protecting because it can make or break your business.

There are plenty of hackers out there working on new ways to access your business information, so take steps to protect what’s yours now. Your clients entrust their personal information to you in order to do business with you. Any event in which personal information is jeopardised (hacked, accessed without authorisation, or accidentally sent to the wrong recipient) can do irreparable damage to your business’s reputation and in some cases close it down permanently.

Whether or not your business must comply with Privacy Regulations, your clients expect you to protect their personal information. By treating their data with the utmost level of care you have a great opportunity to gain a competitive advantage and increase the level of trust in your brand.

Having a robust and sustainable Privacy Program will prepare your business and help:

  1. Minimise the likelihood of a privacy breach
  2. Minimise the damage of a privacy breach
  3. Instil trust in your potential clients so they want to do business with you
  4. Maintain the loyalty of existing clients

Clients are becoming more reluctant to share information due to lack of trust in businesses protecting their data.

A survey conducted in 2018 of over 500 Australian SMEs confirms this trend:

  • 46% of SMEs responded that their clients are increasingly opting out of data collection and sharing information, and
  • 49% of SMEs responded that clients’ data is becoming increasingly critical for their day-to-day operations, and 60% that it is needed to deliver more personalised services to ultimately grow their business.

You can narrow this gap by proactively maintaining your business’s diligence as a trusted custodian of your clients’ information and minimising the risk of a breach.

If you would like to know more, Privacy Proactive is your ally in protecting your greatest asset – your clients’ information.

A story that could happen to you…

Protecting customer personal information and minimising risk is often put on the back-burner – until it happens to you.

A recent example reflects this sentiment. I conducted a Current State Analysis and Risk Assessment and provided recommendations for a client (an SME). It was a busy time of year for the client and they didn’t implement the recommendations straight away.

In the meantime, a breach occurred, with a customer’s personal information being sent to the wrong recipient.

Management were unsure of the action to take! It’s challenging to determine when notification is appropriate (to notify or not?). Sometimes, notifying individuals can cause undue stress or harm. For example, notifying individuals about a data breach that poses very little or no risk of harm can cause unnecessary anxiety. In my client’s situation it also didn’t help that they had limited information about the privacy breach.

After a quick ‘on-site’ consult, I implemented the Data Breach Response (DBR) Plan specifically tailored for the client. The plan was executed, enabling management to have all the information in front of them to make an informed decision about the breach. All within sixty minutes!

Not implementing the recommendations to manage and minimise privacy breaches within their business meant it took management almost a week to be informed about the breach. A lot can happen within one week, and breaches that may initially seem immaterial may be significant when their full implications are assessed.

My client realised how ill-equipped their staff were about the importance of handling secure information correctly and what procedures to take in the event of a breach occurring.

Timing and appropriate action can make or break the reputation of a business and ultimately their customers/sales!

I’m a small business owner and understand that the small and medium business environment is very dynamic! Maintaining your customers and growing sales are challenging, not to mention the costs associated with sourcing and training new staff and abiding by regulations.

It’s a passion of mine to help small and medium businesses protect their greatest asset: their customers and their business’s reputation. I’m providing my 35 years of corporate experience, primarily in compliance and risk management, in a cost-effective way for SMEs here at Privacy Proactive.

What are the chances of this happening to me?

  1. Approximately 8 times more breaches are being reported since February 2018, when the Notifiable Data Breaches scheme was introduced
  2. The Healthcare sector, followed by the Finance sector, makes the most breach reports
  3. Malicious attacks account for 60% of breach reports, with most due to human factors (i.e. stolen usernames and passwords). How secure is your data, and how competent are your staff in managing it?
  4. Human errors account for 35%, with the most common error being emails containing personal information sent to the wrong recipient
  5. In 2017, 43% of all cyber attacks in Australia targeted SMEs. Of those, 22% are now closed. SMEs are extremely vulnerable to business interruptions.

Will your business survive a Privacy breach?

A privacy breach will have an impact on your business. It’s a given.

The degree of the impact is in your hands.

The handling of the breach will have a lasting impact on customer trust.

It can go so far as to destroy your brand. However, if handled well, it can possibly restore and even enhance your brand’s reputation.

Having a well-prepared Data Breach Notification (DBN) plan will go a long way to minimising the damage of a breach when it occurs.

A few key tips for developing and sustaining a DBN Plan:

  • develop the plan with Privacy experts (leverage what’s already out there) and with your key staff (leverage internal knowledge and gain buy-in)
  • conduct on-going reviews of the plan (at least annually or when significant changes take place internally or externally)
  • conduct regular training of all staff who handle personal information, and include it in the Staff Induction program
  • conduct a mock drill at least every 2 years.

A well-prepared DBN plan delivers to your business:

  • a structured process during the stressful times of a breach
  • documented findings and outcomes
  • a better understanding of the situation for management to make an informed decision
  • documented recommendations to upgrade policies and practices to minimise the likelihood of a recurrence of the breach
  • documented evidence of the assessment being conducted