What does privacy compliance cost Australian small businesses?
Small businesses are largely exempt from the Australian Privacy Act 1988 (Cth) and this is likely to continue, given the reluctance in the recent government Discussion Paper to recommend that the exemption be removed. One of the main reasons for the exemption continuing is the cost of compliance.
But what do we actually know about the cost of compliance with the Australian Privacy Act for small businesses?
In our earlier post we covered some of the reasons why we think this exemption should be removed.
This post digs more deeply, to assess what evidence there is of Privacy Act compliance costs for the average small business – in Australia or elsewhere. And how compelling might that evidence be in support of the continuing exemption of small business from the operation of the Australian Privacy Act?
A discussion paper on proposed changes to the Privacy Act 1988 (Cth) (Discussion Paper), released in October 2021, questions whether the small business exemption from the operation of the Privacy Act should continue. However, it concludes that extending the Act to cover small business would involve increased regulatory burden not justified by the risk to privacy associated with small businesses.
The main basis for this is concern around the costs of compliance, particularly for small businesses struggling to recover post-COVID.
According to the Discussion Paper, small business representatives expressed concern about requiring businesses to learn a new set of principles and set up procedures to give individuals access to their personal information. Small business representatives noted that this could be particularly challenging for micro businesses. They also raised concerns about the impact of removing the exemption on the competitiveness of small business relative to larger business due to the disproportionate burden of new compliance costs on small businesses.
Small business representatives pointed out the substantial impact COVID-19 has had, suggesting it would be very challenging for small businesses to bear any additional cost of implementing privacy law changes at this time.
The small business feedback was gathered from direct interactions with small business groups, not from submissions made on behalf of small business. The Council of Small Business Organisations Australia did not submit a response to the earlier Issues Paper released in 2020. The Australian Small Business and Family Enterprise Ombudsman did. In its 1-page submission, the office of the Ombudsman strongly supported retaining the small business exemption on the basis that the exclusion of small business is good regulatory practice:
Tiered or flexible regulatory approaches, including partial or complete size-related exemptions, are critical to best practice regulation. Removing the Exemption would be regressive and counter to policies of reducing the regulatory burden on small business.
The cost of compliance was not raised as an issue, though perhaps implied in the reference to the regulatory burden. No detailed support was provided for the statement.
The Business Council of Australia also made a submission to the Issues Paper but did not refer at all to the small business exemption.
The Discussion Paper itself refers to overseas evidence suggesting that it is harder for small and medium businesses to comply with prescriptive privacy protection requirements, and that they are thus at a competitive disadvantage. Larger firms experience economies of scale with regard to compliance because costs are spread over much larger data sets.
But how real are these concerns and what are the costs likely to be?
Cost of Privacy Compliance – Surveys
Almost all the literature on the costs of privacy compliance relates to the introduction of the GDPR. There is no detailed consideration of the cost of compliance with the Australian Privacy Act. And the most often referred to sources for privacy compliance costs are survey results.
In a discussion of the harmful effects of the GDPR on competition and innovation, Gaal and Oshrit (quoted in the Discussion Paper) note that some commentators have already observed that the costs of organizing a dataset in a way which complies with the GDPR may be high and are characterized by economies of scale. The source for this statement is International Association of Privacy Professionals, IAPP-EY Annual Governance Report 2018. The footnote in the article notes that: ‘This report states that the average firm of 500 employees must spend about $3 million to comply with the GDPR.’
There are other references in the literature to firms of 500 employees having to spend US$3m on GDPR compliance. But is this an accurate assessment of the IAPP-EY 2018 report?
The IAPP-EY Annual Governance Report 2018 asked respondents a series of questions around additional costs resulting from GDPR. The questions asked included:
- How much have you spent (including salaries and benefits) to adapt these current products and services to be GDPR compliant?
- How much do you expect to further spend (including salaries and benefits) to adapt products and services to be GDPR compliant?
- In addition to spending to adapt products and services, about how much do you think you will spend (including salaries and benefits) in your budget to comply with GDPR, not including spending to adapt specific products and services? We’re just looking for your best estimate.
Based on the answers to those questions, the report states that:
Overall, firms report they will spend a total average of $3 million to address GDPR when all is said and done, and although their spending is slowing down it is not about to stop.
However, Gaal and Oshrit cite the IAPP EY 2018 report as the reference for the statement that the average firm of 500 employees must spend about $3 million to comply with the GDPR, which is not in fact what the report states.
As noted, the US$3 million is an average amount across all respondents (74% of which have more than 1000 employees). The report provides a breakdown of GDPR compliance spending based on employee size. For organisations with under 5,000 employees (which the IAPP and EY regard as small to medium businesses), the total spend was closer to US$1m, not the US$3m included as the average across all respondent organisations.
Another issue for the IAPP-EY 2018 report results, and the high costs reported for GDPR compliance, is the extent to which they reflect the size and complexity of the organisations for which survey respondents worked, and so may not be truly reflective of the likely experience of an Australian small business.
For the 2018 report, an English-language survey was sent to subscribers of the IAPP’s Daily Dashboard (likely to be privacy professionals or those with an interest in privacy, and also likely to be employed by organisations with a pre-existing focus on privacy compliance). There were 550 completed surveys. Of those, 74% of respondents worked in organisations with 1000 or more employees, with 20% working for organisations with more than 75,000 employees. Only 27% of organisations represented had revenues less than US$100M, with 54% earning more than $1 billion.
It is hard to assess how the findings about costs incurred from this group, where 74% of respondents were from organisations with 1000 or more employees, would apply to Australian organisations with a turn-over of less than $3 million per annum. There is no way to scale them as no detail was provided as to what the estimated costs were to cover.
Another article published in late 2017 quotes findings from a recent IAPP EY report that small and mid-sized firms (which are organisations with less than 5000 employees) would spend an average of US$550,000 on GDPR compliance. ‘Those costs include the hiring of two new full-time privacy professionals and another two full-time employees with some privacy responsibilities.’ There is no citation for these findings and we have been unable to locate any source.
A third authority for the high costs associated with GDPR compliance is a PWC survey from 2017. Various articles refer to a PWC report as finding that 40 percent of the firms that had finished preparations for compliance with the GDPR had spent more than $10 million.
We have not been able to locate the report referred to.
A different PWC report from 2017 found that 76% of survey respondents planned to spend more than $1 million for GDPR preparations (not $10m by 40% of respondents). This report reflects a PWC survey of 200 C-suite executives and General Counsels from large U.S. companies, and so is of doubtful relevance to small and medium Australian businesses.
Cost of Privacy Compliance – GDPR
Perhaps the most compelling and rigorous examination of costs likely to be incurred by small and medium businesses in meeting GDPR compliance costs was conducted in 2013. That research estimated that GDPR compliance would increase the annual IT costs of European small and medium-sized companies by between approximately 3,200 and 7,200 euros, representing between 16 and 40 percent of their yearly IT budgets, depending on the specific industries the companies are competing in. Larger firms with bigger budgets and better internal resources were assessed as likely to fare better. Translating that cost to Australian dollars and in the context of the budgets of small business, a cost of between $5,000 – $12,000 per year is significant and certainly of concern to most small businesses. However, it is worth noting that the annual costs included amounts not likely required under the Australian Privacy Act, including the costs of:
- Appointing a Data Protection Officer;
- Maintaining Article 28 Registers of Processing Activities;
- Increased costs of data marketing (because of greater restrictions around the collection, sharing and use of data for profiling and marketing); and
- Conducting a Data Protection Impact Assessment.
The removal of these amounts significantly reduces the estimated compliance costs.
Summarising all of the above:
- There has been no assessment of costs for compliance with the Australian Privacy Act for any entity, including for businesses with an annual turn-over of less than $3m per annum;
- The IAPP-EY 2018 report on GDPR compliance has been misquoted, with the figure closer to US$1m for smaller businesses. It also likely reflects the experience of organisations much larger than those covered by the Australian Privacy Act small business exemption, and is based on estimated costs only;
- A PWC report used to support cost estimates is not referenced, cannot be located and again is unlikely to reflect the expected experience of entities covered by the Australian Privacy Act small business exemption;
- The more detailed assessment of GDPR compliance costs is unlikely to be relevant to Australia as it includes costs for activities not required by the Act e.g. appointment of a Data Protection Officer and maintaining a Register of Processing Activities;
- There is no research into actual costs incurred. It would be of interest to assess the real costs for SMBs of GDPR compliance some 3 years after the introduction of the new law, and see how those real costs tally with the estimated costs.
Given the lack of evidence either in Australia or overseas of the real cost of compliance with privacy laws, whether the more comprehensive GDPR or the less prescriptive Australian Privacy Act, might it not be worth conducting further research into the likely costs and how they might be reduced?
It would be useful to have evidence to support the decision on whether or not to maintain an exemption which may no longer be relevant, resulting in increased risks to Australians and ensuring that the Australian Privacy Act remains out of step with international privacy regimes.
How can we help?
If you are an Australian small business and interested in compliance with the Australian Privacy Act, we can help.
We have cost effective solutions for all businesses to help meet compliance obligations, manage privacy risk and ensure the proper protection of all the personal information they hold.
Please contact us at firstname.lastname@example.org.
 Those with an annual turn-over of less than $3 million with carve ins, for example, small businesses handling health information.
 Australian Small Business and Family Enterprise Ombudsman, Council of Small Business Organisations Australia, Australian Chamber of Commerce and Industry, Meeting of small business representatives (n 158).
 Council of Small Business Organisations Australia, Meeting of small business representatives (n 158).
 Soumava Bandyopadhyay and Kakoli Bandyopadhyay, ‘The European General Data Protection Regulation and Competitiveness of Firms’ (2018) 16(1) Competition Forum 50, 53.
 Michal S Gal and Oshrit Aviv, ‘The Competitive Effects of the GDPR’ (2020) 16(3) Journal of Competition Law and Economics 349, 370, 373.
 Michal S Gal and Oshrit Aviv, ‘The Competitive Effects of the GDPR’ (2020) 16(3) Journal of Competition Law and Economics 349.
 Ibid, 353
 Ibid, Footnote 23, 353.
 Davis Bus. L.J. The GDPR’s Lose-Lose Dilemma: Minimal Benefits to Data Privacy & Significant Burdens on Business, 137 (2019-2020), which refers to https://www.judiciary.senate.gov/imo/media/doc/Layton%20Testimony1.pdf
 IAPP-EY Annual Privacy Governance Report 2018
 Ibid, 78.
 Ibid, xv.
 Ibid, 80.
 IAPP-EY Report 2018, x.
 IAPP-EY Report 2018, vii.
 IAPP-EY Report 2018, 5.
 Nicole Lindsey, ‘Global 500 Faces GDPR Compliance Costs of $7.8 Billion’, CPO Magazine, 1 December 2017.
 See, for example, Soumava Bandyopadhyay and Kakoli Bandyopadhyay, ‘The European General Data Protection Regulation and Competitiveness of Firms’ (2018) 16(1) Competition Forum 50, 53; Jackson, O. GDPR readiness in the spotlight. International Financial Law Review, (December 20, 2017); Erin Marine, ‘The E.U. General Data Protection Regulation: What Does It Mean for You?’, Fordham Journal of Corporate and Financial Law, 7 October 2017.
 Jackson, O. GDPR readiness in the spotlight. International Financial Law Review, (December 20, 2017), refers to the PWC report but does not provide any citation.
 Press Release, PricewaterhouseCoopers, US Companies Ramping Up General Data Protection Regulation (GDPR) Budgets, (Jan. 23, 2017), http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/pwc-gdpr-series-pulse-survey.pdf.
 Christensen, Colciago, Etro, and Rafaert (2013)