
Mind the “GAPP”: What to Do If the Privacy Act Doesn’t Apply to Your Business
Are you a small business unsure whether the Privacy Act applies to you? You’re not alone.
In Australia, thousands of small to medium-sized businesses collect and store personal information daily—through websites, customer lists, e-commerce platforms, booking systems, mailing lists and more. But not every business is covered by the Privacy Act 1988 (Cth).
This can lead to confusion:
- Do you need a privacy policy?
- What kind of data can you collect?
- What are your obligations if you’re not technically bound by the law?
At Sharon Givoni Consulting, we help businesses navigate these questions clearly and practically. You can read about our privacy law services at https://sharongivoni.com.au/services/privacy-law/.
One of the most effective tools we recommend—especially if the Privacy Act doesn’t apply—is the Generally Accepted Privacy Principles (GAPP) (Read about GAPP here: https://ccsp.alukos.com/frameworks/aicpa-cica-gapp/).
In this article, we will take you through:
- When the Privacy Act applies to your business
- What GAPP is and how it works
- Why GAPP is useful even if you’re not legally required to follow the APPs
- How we can help you implement best practices in plain English—without the legal jargon
Does the Privacy Act Apply to My Business?
In Australia, the Privacy Act 1988 (Cth) is the main piece of legislation that governs the handling of personal information. It applies to:
- Australian Government agencies
- Private sector organisations and not-for-profits with an annual turnover of more than $3 million
- Certain organisations regardless of turnover, including health service providers, TFN recipients, credit reporting bodies, and contracted service providers to the government
If your business earns under $3 million a year and doesn’t fall into one of those categories, you may not be legally required to comply with the Australian Privacy Principles (APPs).
But here’s the catch: Your customers still care.
Australians Care Deeply About Privacy
The Australian Community Attitudes to Privacy Survey (ACAPS) is conducted by the Office of the Australian Information Commissioner (OAIC) to understand how Australians view privacy and the handling of personal information.
Key findings from the most recent survey include:
- Australians care deeply about privacy – Over 84% view the protection of personal information as a major concern.
- Trust matters – People are more likely to engage with businesses they trust to handle their data responsibly.
- Transparency is expected – 70% of Australians read privacy policies when using websites or apps, especially before making purchases or providing information.
- Data misuse has real consequences – Many Australians have avoided dealing with businesses due to concerns about privacy.
- Digital environments raise more concerns – There is increasing worry about how personal data is used online, particularly by social media platforms and tech companies.
According to the survey, 69% of Australians have chosen not to deal with a business because of concerns about how their personal information would be handled, and over 70% read privacy policies when using websites or apps, especially when making purchases or submitting personal data.
For businesses, this means that even if you’re not legally required to comply with the Privacy Act, not having a clear and user-friendly privacy policy can:
- Damage customer trust
- Limit your ability to work with partners or platforms
- Reduce investor confidence
- Hurt your brand reputation
This is where we can come into the picture to assist.
What is GAPP? (Generally Accepted Privacy Principles)
The Generally Accepted Privacy Principles (GAPP) are a globally recognised framework for businesses to manage personal information ethically, securely and transparently—regardless of whether privacy laws apply.
GAPP covers ten core areas that together form a practical, principles-based framework for handling personal information responsibly. These include:
- Management – assigning clear responsibility for privacy within the organisation
- Notice – informing customers about what data is being collected and how it will be used
- Choice and Consent – giving individuals control over their information
- Collection Limitation – gathering only the data necessary for the intended purpose
- Use, Retention and Disposal – using personal data appropriately and disposing of it securely when it is no longer needed
GAPP is there to give a common-sense approach to handling customer data.
Is GAPP Useful for Your Business?
If you’re not bound by the Privacy Act, it can be tempting to skip over privacy altogether. But today, privacy is more than compliance—it’s a trust issue.
A Case Study to Make This Concrete
Imagine a small online retailer that is not covered by the Privacy Act. Her name is Jenna, and she runs a boutique online store with under $3 million in turnover. She collects customer emails, shipping addresses and purchase history.
While not legally required to follow the APPs, she wants to do the right thing and prepare her business for growth.
We have helped clients just like Jenna implement a GAPP-aligned privacy policy, internal procedures for handling data, and an easy opt-in email system. Her customers responded positively, and it helped her secure a partnership with a larger brand that required documented privacy safeguards.
How Sharon Givoni Consulting Can Help
At Sharon Givoni Consulting, we work with creative businesses, tech startups, wellness brands, professional service providers, e-commerce retailers, and more.
We understand that:
- Privacy can feel complex
- You want to do the right thing, but you don’t want to drown in legalese
- Your customers and partners are expecting transparency
That’s where we come in.
We offer tailored advice and documents (like privacy policies and procedures) in plain English, so you and your customers can understand and trust your practices.
What we can do:
- Help you determine whether the Privacy Act applies to you
- If it doesn’t, guide you through the GAPP framework
- Create clear, easy-to-read privacy policies
- Help you set up internal processes to manage data responsibly
- Give you practical tips to build customer trust
All while keeping things professional.
Not Sure Where to Start?
That’s totally normal. The world of privacy can be overwhelming, especially with so much information (and misinformation) online.
Contact us today or visit www.sharongivoni.com.au to learn more.
Please note the above article is general in nature and does not constitute legal advice.
Please email us info@iplegal.com.au if you need legal advice about your brand or another legal matter in this area generally.