Insider tips: What every startup should know about the proposed data breach notification laws


What you don’t know can hurt your business. We spoke to a legal tech expert to uncover the best ways to avoid exposing your startup to non-compliance with privacy laws.


At some point this year, the long-awaited mandatory data breach notification bill is expected to become law, which would mean that businesses with an annual turnover of $3M or more would be required to notify their customers and the regulator of all serious data breaches.


That might sound like a bigger business than your average startup, so many businesses will simply ignore the new law when it is passed, assuming they’re exempt. But if you’re in the technology sector or rely heavily on the personal data of your clients, you might not be exempt, and you could be dealing with personal information (and triggering privacy obligations) without realising it.


We sat down with Alex Hutchens, Partner of Australian law firm McCullough Robertson, to discuss implementing privacy compliance into your culture right from the start.


1. This new law won’t apply to me – why do startups need to be aware of it?


The whole point of a startup is to create a successful business. No magic buzzer goes off when annual turnover exceeds $3M. Startups need to prepare for the fact that once their revenue is healthy, they will be immediately caught by privacy obligations, rather than trying to reverse-engineer privacy compliance into their business.


Secondly, many startups deal with data-rich products. Technology is evolving so quickly that even ‘anonymised’ data sets used for big data analysis can be used to identify people, and so you might be unwittingly dealing with information covered by privacy laws even though your revenue is low. Prepare for that now rather than playing catch-up later.


2. What does a serious data breach look like?


Currently under Australian privacy law, notification is only voluntary; if an individual’s information is hacked or inadvertently leaked, they are not required to be told. The flaw in this system is that individuals don’t get the chance to help themselves by cancelling their credit cards, or by resetting all their passwords. The new law aims to fix this flaw. Under the proposed laws, if there is a data breach and as a result there is a ‘real risk’ of serious harm for an individual – you have to notify.


3. What should my response plan look like?


We advise voluntary compliance right from the start of your business – it’s better to be privacy compliant when you don’t need to be, rather than discovering later that you are non-compliant when you should have been. Have technical and operational protections in place to prevent breaches, and implement processes that comply with the notification obligations. Thankfully, as a startup you have a natural competitive advantage in being new and relatively flexible, so you can better build systems with privacy in mind.


Plan in advance. A well-run notification process can demonstrate commitment and professionalism, which confirms to your customers that you are the right company to do business with.


Overall, you want to establish a culture of privacy compliance. Be on the front foot and minimise any damage both arising from the breach itself, and to your company’s professional reputation.


Want further details on crowd-sourced equity funding? Get in touch with McCullough Robertson for support and advice.


Written by: Thea Christie

McCullough Robertson