PRIVACY – YOUR BUSINESS RISKS, PRIORITIES AND ACTIONS
Over 70% of Australians consider privacy a major concern in their lives, and privacy is widely accepted to be one of the most critical considerations for any business, especially those that handle customer data. There are obvious challenges and risks in managing privacy, in meeting the related legal obligations, and in integrating it all with business operations. Some very public failures of privacy, and of businesses, are ongoing discussion points with our peers and have obvious lessons to be learnt. But are we really looking at what the lessons are, or are we just accepting an undefined risk?
Information privacy and security is a consistent and growing topic. Expectations continue to rise among our customers, the public, our industry and the law. Recent years have seen information privacy and security move from being a responsibility of ‘the IT Department’ to one where expectations and accountability extend widely throughout an organisation and ultimately leave Directors, Boards and Executive Management personally, and often financially, responsible.
And privacy failings do not have to arise from something being ‘hacked’ or poorly managed. In just the first half of 2021, 30% of the data breaches notified to the Australian regulator were caused by simple human error, such as sending information to the wrong recipient. And bad news travels fast: modern social media loves failures and will rapidly report and build on them, whether you like it or not. The resulting reputational damage is very hard to quantify, but it will be large, and it is even harder to manage and recover from, with significant unplanned costs, resources and time that will disrupt any previous business plans. The trust and confidence of customers and business partners is a hard-won, yet potentially fragile, asset.
The responsibilities for managing private, personally identifiable information continue to be defined and tightened, with increased legal emphasis on management, reporting and penalties. Business compliance and currency with best practice now need to include consideration of other jurisdictions (such as Europe’s GDPR) and of cross-border information, where ‘cross-border’ may be as simple as having a ‘local’ customer whose residential address is in Europe or holding information from one State in another.
Managing personal health information brings its own additional obligations. Health policy, practice and implementation have progressed at an unprecedented pace due to COVID-19. The tumultuous leading edge of health information privacy remains difficult to keep up with, and having a stable ‘best practice’ approach can be both cost efficient and risk reducing while still enabling appropriate responses to evolving situations.
So, what should you be aware of? What are the risks and priorities?
Here are a few of the current key risks and issues that you should consider for the integration of privacy in your business.
Privacy laws are changing
Privacy laws within Australia, and worldwide, are changing. European GDPR laws do affect Australian businesses. Government agencies are increasingly being held to account. There is a continued strong focus on information privacy and security across Australian Federal and State Governments. Policies on information custodianship, data sovereignty, open government and cloud all shape our business interactions, while new interpretations and priorities address more immediate concerns such as COVID-19. This continued trend has the potential to impact many aspects of any business and its legal compliance, through operational systems, practices and policies, and governance. Business management and information custodians need to remain knowledgeable about, and compliant with, the increasing array of legislation and obligations.
Mandatory Data Breach notification is here
Any business or Government agency that is covered by the Privacy Act 1988 is also covered by the Notifiable Data Breaches (NDB) scheme. Under this scheme, an organisation that suffers a data breach that is likely to result in serious harm to the individuals whose information has been exposed must notify those individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable. ‘Serious harm’ is a broad term: it covers serious physical, psychological, emotional, financial or reputational harm. Where you only suspect that such a breach has occurred, you must assess it promptly, and the Act allows at most 30 days for that assessment. The main takeaway is that notifiable breaches can happen to anyone, and all it takes is an incorrectly addressed email or a lost laptop. You should know what personal information you hold, where it is stored and who can access it, and how and when you would respond to a breach should be decided before one happens, not after the fact.
European General Data Protection Regulation (GDPR) does apply
The GDPR is the data privacy regulation in effect in the European Union. Importantly, the GDPR applies to businesses outside the EU as well. It is built on a person-centric approach in which individuals expect control over their personal data and who it is shared with and, where processing relies on consent, the ability to withdraw that consent at any time. A business anywhere in the world that processes the personal data of individuals in the EU in connection with offering them goods or services, or monitoring their behaviour, falls under the GDPR. With most businesses now operating online and customers travelling and living flexibly (at least prior to COVID-19), there is a good chance that a present or future customer of yours will enter an EU address. Fortunately, Australian privacy law requirements largely align with GDPR requirements, although there are some notable exceptions, such as the GDPR’s explicit rights to erasure and to data portability. You should know when GDPR risks are real, how you should respond, and what the headlines about fines worth hundreds of millions of Euros actually mean: the GDPR’s maximum fine is the greater of €20 million or 4% of worldwide annual turnover.
Outsourcing does not remove responsibility
Outsourcing remains a justifiable business approach and can provide definite competitive advantages. However, when it comes to personal information and privacy, outsourcing adds another layer of complexity to your privacy risk management. Contractual obligations should include privacy requirements that at least match those of your business, and performance against them should be reported and confirmed. Changes to data storage methods, location, access or routing should be made known to you. But the risk cannot be fully transferred: the business and its directors remain responsible and will be held accountable. You should promote review of change and awareness of the resulting privacy risks, as well as of privacy enhancing outcomes.
Insurance may not cover
To mitigate the risk and cost of events such as a data breach, your business may hold Cyber Security, Professional Indemnity or other specific insurance. Insurers will expect, and often contractually mandate, that policy holders do not place themselves at unnecessary risk of claimable events. This can be simply demonstrated through compliance with legislated or best practice; even if it is not mandated upon your business, it remains valid practice to guide your approach. Similarly, limits are often placed on claims, with many policies paying to recover from risk-averse good practice rather than risk-denying poor practice. You should remain aware of specific policy inclusions and exclusions, and see this as yet another reason to align with ‘best practice’ even where it is not mandatory for your business.
Privacy by Design is a simple idea
Every successful organisation undergoes change and accepts the costs and risks to achieve the benefits. As one of the newer, growing areas of potential business concern, privacy of personal information is often considered separately and late, as a check that a new system, process or service complies with obligations. The result is frequently the costly discovery that a system which has already been built does not meet them. As with many best practices, privacy works best when integrated with the business, not attached afterwards. Privacy by design is the term to use: it embeds good privacy practices into the design of systems and processes, and helps to manage privacy risks more simply, proactively and cost effectively.
So, let us consider the potential implications of a major privacy breach. Any breach can lead to significant damage to the offending company. As of 2021, the maximum civil penalty under the Australian Privacy Act 1988 for a serious or repeated interference with privacy is around $2.2 million AUD for a body corporate, and the Australian Government has announced reforms to raise this to the greater of $10 million AUD, three times the value of any benefit obtained, or 10% of annual domestic turnover. The GDPR already carries fines of up to the greater of €20 million or 4% of worldwide annual turnover. On top of the penalty is the inevitable reputational damage that will follow, which could cost the company revenue down the line.
All this considered, it is always worth remembering that the responsibility for reporting and managing breaches rests with the business and, ultimately, with its Directors. Beyond the organisation’s legal liability, a Director has a personal responsibility not only to manage the risk of breaching the Privacy Act, accidental or otherwise, but also to minimise the damage, to both the company and the individuals affected, that might come as a result.
Privacy and the management of personal information deserve attention and can be simple to address and resolve. Being able to confidently know what the actual risks and priorities are within your specific business allows them to be appropriately discussed, allocated and managed, which in turn best allows your business to continue efficiently and successfully.
By Rob Turner, who possesses wide-ranging skills, experience and understanding in information and communication management, program management, business analysis and the integration of business and technology. Rob is a true expert and is increasingly called upon to provide practical innovation, implementation and (re)union between business, technology and people.