Skip to content
LegalVision

10 Privacy Tips for Startups

Jacqueline Gibson

By Jacqueline Gibson
Senior Lawyer

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn

In Short

Businesses should consider privacy obligations when designing their operations from the outset. Australian privacy law generally requires businesses to collect only necessary personal information, keep individuals informed about how their information is used and securely store that information. Building privacy practices early helps reduce compliance risks and operational changes later.

Tips for Businesses

Create a privacy policy and make it easily accessible on your website. Limit the personal information you collect to what your business genuinely needs and inform individuals how you will use it. Secure personal information through technical safeguards, train staff on privacy obligations and review your privacy practices regularly to ensure ongoing compliance.

Summary

This guide explains how Australian business owners can design their businesses with privacy obligations in mind. It is prepared by LegalVision’s business lawyers, and LegalVision, a commercial law firm, specialises in advising clients on privacy law and data protection compliance.

Summarise with:
ChatGPT logo ChatGPT Perplexity logo Perplexity

Open now
On this page

Starting a business comes with many important considerations and decisions to make. But, you must address your privacy obligations from the start. This can save you from needing to make significant structural and operational adjustments at a later time. This article outlines 10 key tips for designing your business with privacy in mind.

1. Develop a Privacy Policy

It is good practice to develop a privacy policy when you are setting up the business. This is because it provides motivation to consider: 

  • what personal information you are collecting;
  • how you are using it; and
  • who you will disclose it to.

A lawyer can help you with considering these points and preparing a privacy policy for your business. Alternatively, if you are tight on funds and your business does not provide a health service or buy or sell personal information, you may wish to start with a template document and update it for your business. You should later have a lawyer review or redraft this template to make sure it is legally right for you.

Once your privacy policy is prepared, you should make it freely and easily accessible. Such as via a link on the footer of your website.

2. Design Your Business to Provide Control Over Privacy

During the design phase of your business, you will make decisions such as: 

  • what personal information you will collect; and
  • how you will collect it. 

Thinking about privacy when you make these decisions can help you build privacy into the structure of your business. 

For example, if you are developing an app, you may choose to have the privacy settings pop up as part of the sign-in process. This will allow users to become familiar with them and make privacy choices before they start using the app.

Continue reading this article below the form
Need legal advice?
Call 1300 544 755 for urgent assistance.
Otherwise, complete this form, and we will contact you within one business day.

3. Only Collect the Personal Information You Need

You should only collect personal information which is necessary to a function or activity of your business. 

For example, if you sell t-shirts, you do not need to know the buyer’s date of birth. However, if you decide to offer a birthday discount on your t-shirts, you may need to collect dates of birth, but you should make this feature optional.

You should also delete or de-identify personal information when you no longer need it. 

For instance, if you need to verify someone’s identity and you collect an identification document to do this, such as a drivers licence, you should delete the document once you have verified their identity.

4. Keep Your Customers Informed

When you collect personal information, make sure the person you are collecting information about is aware of your privacy policy.

For example, if you are collecting information through a form on your website, you should have a statement such as the following that hyperlinks to your privacy policy:

‘We collect and handle your personal information in accordance with our privacy policy.’ 

You can alternatively use a collection notice to notify the person about the key details of the collection. A collection notice does not replace a privacy policy. It is an additional short-form document which is helpful to use when notifying individuals that you have their personal information.

A collection notice should refer the reader to your privacy policy for more information and should have a statement similar to that below:

‘See our collection notice for information about how we collect and handle the personal information you input into our webform.’ 

If you update your privacy policy, you should notify customers of this change.

5: Only Use Personal Information for Permitted Purposes

When using personal information, think about why you collected that personal information. 

For example, if you collected the information to create an account for a customer on your investment software, the customer will not want you to use their information to create a publicly available database of marketing contacts. Therefore, you should not do so unless they consent to this. However, in contrast, they may expect you to disclose their personal information to your payment processor to process their payments for the software. 

If you want to use personal information for a new purpose which is unrelated or would be unexpected, you should obtain the individual’s consent. You can do this by letting them know what you plan to do and asking if they agree to this. 

6. Know What Privacy Rights Individuals Have

Individuals that you collect personal information from may have privacy rights. You should know what: 

  • these rights are; and
  • you have to do if someone asks to exercise a privacy right.

Some of these rights include:

Right to Correction

An individual may ask you to correct the personal information that you hold about them. If someone asks you to update their personal information because it is out of date or incorrect, you should do so. You should not impose a fee to correct personal information.

Right to Access

An individual may ask for access to the personal information that you hold about them. It is acceptable to charge a reasonable fee which reflects the true administrative costs to carry out this request. In some circumstances, you can refuse a request. However, you generally must provide access to the personal information you hold about that person after receiving a request.

Right to Anonymity

You should provide the option for your customers to remain anonymous unless it is impractical for you to do so. 

For example, if you hire out cars, it is impractical for you not to identify that person. In comparison, if you offer an online computer game, you do not need to have identifiable information about your users if they can enter a player name.

7. Use Your Contracts to Manage Privacy

Where you use a third party to assist you in providing your products or services, you need to be aware of how they handle personal information. 

For instance, if you work with a digital marketing company to assist with your marketing campaigns, they might need to access your customer databases. Your contracts with the company should set out that they can only access that information to provide digital marketing services. They also should agree to comply with applicable privacy laws

If you are working with third parties located overseas, it is especially important that you have contracts in place with them regarding correctly handling personal information. This is because you may be responsible for the actions of overseas businesses that handle personal information on your behalf. You may have a legal obligation to take reasonable steps to protect any personal information you share with third parties located outside Australia. 

8. Securely Store All Personal Information

Data breaches are a common risk which could bring significant reputational damage to your company. You should make sure that you have stored all personal information securely and safely send it to others when necessary. You can do this by: 

  • using encryption;
  • installing anti-virus software;
  • regularly updating all online tools which handle personal information;  
  • requiring password protection for all business files; or
  • requiring two-factor authentication.

If your business does suffer a data breach, you should act quickly to stop the breach and mitigate any damage. You should also seek legal advice about whether there are further actions you need to take.

9. Train Your Staff on How to Handle Personal Information

Many data breaches are caused by human error, such as sending an email to the wrong address. You can reduce the risk of these types of data breaches occurring by running privacy training for staff. You should hold training at the beginning of their engagement then hold refreshers throughout their employment.

Training should focus on:

  • the appropriate ways to handle personal information;
  • the requirement to inform individuals of personal information collection; and
  • how to respond to requests by customers to exercise their privacy rights.  

You may also wish to put a privacy manual in place to educate staff on privacy practices. This is a useful resource for staff to read as part of onboarding and refer back to when necessary. It also demonstrates that you are taking steps to consider privacy within your business.

10. Regularly Review Your Privacy Practices

The information you collect and the activities of your business will constantly be evolving. It is therefore crucial to: 

  • regularly reflect on privacy; 
  • receive up to date legal advice; and 
  • review all privacy documents at least once every 12 months.

You should carry out a privacy impact assessment if you embark on a new activity which involves: 

  • innovative technology;
  • collecting personal information in large quantities; or 
  • collecting sensitive information such as ethnicity, religion, sexual preference or health information.

A privacy impact assessment is a formal written review of: 

  • your plans;
  • any privacy risks; and 
  • the way you plan to mitigate or avoid any risks. 

Key Takeaways

Setting up your business with privacy in mind allows you to get on top of your privacy requirements early on. This means that you will have less need to make structural changes in the future to account for privacy. It also shows your customers that you care about privacy. The 10 tips outlined above touch on some of the core principles of privacy compliance in Australia. If you have any questions about your privacy requirements as a startup, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page. 

Frequently Asked Questions


What personal information can my business collect?


Your business should only collect personal information that is reasonably necessary for its activities or functions. For example, if you sell products online, you may need a customer’s name, address and payment details to process an order. However, you should avoid collecting unnecessary information and delete or de-identify it when you no longer need it.


Do individuals have rights over the personal information my business holds?


Yes. Under Australian privacy law, individuals can request access to the personal information your business holds about them and ask you to correct inaccurate or outdated information. Businesses generally must provide access to that information and update it when appropriate.  

Register for our free webinars

Employer-Sponsored Visas: Common Issues and How to Manage Them

Online
Learn how to manage common employer-sponsored visa issues and sponsor overseas workers successfully. Register for our free webinar.
Register Now

Key Contracts Every Manufacturing Business Needs (and How to Get Them Right)

Online
Avoid contract gaps in your manufacturing business. Register for our free webinar.
Register Now

Avoiding Court: Resolving Accounting Client Disputes Without Going to Court

Online
Resolve client disputes without court action. Register for our free webinar.
Register Now

Employment Law Essentials for Childcare Providers

Online
Learn essential employment law requirements for childcare providers and how to manage your team compliantly. Register for our free webinar.
Register Now
See more webinars >
Jacqueline Gibson

Jacqueline Gibson

Read all articles by Jacqueline

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

5 Key Clauses Your Privacy Manual Must Include

Can I Collect Customer Information Without a Privacy Policy?

How Can Businesses Protect Confidential Information?

A Startup Founder’s Guide to Due Diligence

LegalVision is an award-winning business law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards