Is your data privacy policy up to date?

5 Top Data Privacy Tips for Your Organisation

  1. Change how you look at data.
    Everything has a price – and people are paying big money for data. Treat data like holding physical gold.
  2. Review your policies often.
    Regulation is rapidly changing, as are the risk profiles. You should be reviewing your data privacy policy at least twice a year.
  3. Take some serious steps to secure the data that you store.
    Focus on your biggest weakness – you and your employees. Get training early and often. Encrypt everything.
  4. Have a plan in place.
    Data breaches are incredibly stressful, and your actions dictate the response of customers and regulators later. Planning ahead can make all the difference.
  5. Ask if you really need the data you’re collecting at all.
    Too many companies collect data without giving thought to the risk they’re taking on. Do you actually need a customer’s full name and address? Could you use a third-party payment processor? Less data = less risk.

Challenges Ahead

Make no bones about it – the last decade has been the decade of data abuse. From monetisation through Facebook and Google to secret government initiatives like the NSA’s PRISM, data privacy hasn’t been very well respected these last 10 years.

It’s hard to see this trend reversing course for the next decade. Reliance on services which monetise personal data is increasing, from Facebook Messenger to Amazon Alexa.

Intelligence legislation is becoming increasingly draconian (more on that below). But perhaps the biggest challenge for data privacy will come from the many new ways data will be used in the next decade.

The buzz in Australia around ‘Smart Cities’ is a perfect example. The premise sounds great – an interconnected metropolis where cars park themselves, streetlights sense movement and traffic flows freely. Powered by communications technology like 5G and mesh networking, it promises a world where everything is connected and working in complete harmony.

But to facilitate such an endeavour, it will mean collecting an unprecedented amount of data – most of it personal. Systems will need to know where citizens are at all times, tracking their every move. AI algorithms will recognise faces and traits, matching them to a personal profile. They’ll pay attention to what people do, what they focus on and who they interact with.

This will obviously provide huge opportunities for both the public and private sector. Governments will be able to automatically monitor citizens and fine them whenever they break a law. Companies will have a behavioural profile that would make current advertisers salivate.

Unfortunately, this is a scary prospect for privacy. The resignation of a senior consultant from Google’s Toronto Smart City project, Dr Ann Cavoukian, summed the emerging trend up perfectly when she said:

I imagined us creating a Smart City of Privacy, as opposed to a Smart City of Surveillance.

It will be challenging to maintain privacy in an increasingly connected and data-rich world, however we believe there’s a huge opportunity for privacy-respecting businesses to differentiate themselves.

Enforcement of Data Privacy

Strengthening Privacy Law

The Notifiable Data Breach scheme (NDS) continues to be the an effective framework for data breaches in Australia.

Recent changes in the NDS allow regulators to fine companies up to A$10 million for concealed data breaches – which may have been what prompted Australian unicorn Canva to immediately notify approximately 140 million users when they discovered a massive data breach in May 2019.

Unfortunately, there’s still a general apathy around protection of user data – and actual regulatory action is relatively low. This is despite Australia having overwhelmingly the highest rate of data breaches in the Asia-Pacific region.

One difficulty facing regulators is that unless a data breach is shared or publicised by the breaching party, many companies either don’t know (or don’t want to share) their breaches. Most reported breaches are examples of companies doing the right thing and following the scheme – so enforcement action against them would be counter-intuitive.

Attack on Encryption

While we’ve made some notable improvements in data privacy regulation, there’s been some equally confusing steps backwards.

While implementing the NDS, the Australian Government was concurrently crafting the Assistance and Access Bill, which was rushed through Parliament at the end of 2018 despite general outcry from the tech sector.

The legislation allows intelligence agencies and police to serve notices on companies which require building secret backdoors, automated information sharing mechanisms, vulnerabilities or even sharing encryption keys. Anyone who refuses faces up to 10 years jail time and very hefty fines.

Not only is the potential for abuse of this system plain (there is little to no judicial oversight), it requires companies to essentially hack their users’ data, share data in secret and leave their systems wide open to exploitation.

Encryption is an essential function of modern business because it protects data privacy – and the new legislation means that companies will be easy targets for hostile actors.

This is a trend we continue to monitor, a trend which makes for a very schizophrenic legislative framework.

The Effect of the European Union’s General Data Protection Regulation (GDPR) on Australia

It’s hard to say the GDPR has been anything but a resounding success. Even here in Australia, far removed from the European Union, many businesses have altered marketing practices and become savvier with data handling.

It’s also forced regulators to change. The Australian Government has taken a number of steps to move closer to the EU, including several pieces of draft legislation which will:

  • require customer data be transferred securely;
  • require accreditation for receiving and processing certain types of data;
  • require destruction of unsolicited data;
  • prohibit use certain data for direct marketing; and
  • heighten requirements for companies to protect data from misuse, interference, loss, unauthorised access, modification or disclosure.

The first leg of this legislation will be rolled out under the guise of an ‘Open Banking’ system, requiring the larger banks in Australia to incrementally share their product data publicly.

If all goes to plan, it’ll mean more consumer visibility and thus, more competition.

We’ve also seen the Australian Cyber Security Centre (an intergovernmental cyber security agency) take increasing responsibility. In concert with similar centres internationally, they’ve released a steady flow of practical, workable information for businesses looking to shore up their data management.

Overall, international privacy regulation seems to be converging. While this may mean short term pain for enterprises as they come up to standard, the regulatory similarities should mean a more workable environment for everyone in the long run.

Questions About Data Privacy? Ask a Lawyer