The Australian Data Privacy Landscape
August 15, 2023
Australian businesses are facing an increasingly complex data environment. More than ever, organisations must adjust to new online systems, new vendor relationship standards, increased regulatory powers, and the implementation of new laws. At FTI Consulting, we are experiencing a higher demand for advisory services in privacy compliance, with clients wanting to understand what the new privacy laws are and how they can implement controls to abide by them. Tim de Sousa explores this in our video series on how organisations can manage their data privacy.
Video 1 – The Age of the Data Breach
One of the most significant issues facing Australian organisations today is the growing incidence of data breaches. Malicious attackers are increasing in number, they are using more sophisticated techniques and technologies, and we are seeing more state-sponsored attacks.
As these attacks become more frequent and severe, this heightens the importance of managing your data risk:
- Understand where your key data assets are
- Ensure your data is adequately protected
- Hold only the minimum amount of personal, confidential or sensitive information needed to run your business.
If you have less to lose, the impact of a breach will be less severe.
Even if you think your security is good enough and you will never suffer a breach, it is a reality of modern business that data breaches will occur. We are in a constant battle against attackers to stop them from getting in, but failures will happen, so it is important to fail well. Have a robust breach response plan that you can implement quickly and effectively to minimise the impacts of a data breach or security incident.
Video 2 – Minimise Data, Minimise Risk
As of November 2022, Australia has some of the world's most severe penalties for privacy breaches. As we go through the tail end of the privacy law reform process, we will see additional obligations and regulatory powers enforcing those obligations. Now is the time to ensure that how your organisation handles personal information is mature and meets best practice. This approach should be end-to-end, covering how you:
- Initially collect or create personal information
- Store, secure, use or disclose that information
- Archive and destroy or de-identify the data when you no longer need it.
A key principle in that data life cycle is data minimisation:
- Collect the minimum amount of personal information you need to do your work
- Hold only the minimum amount of personal information, as required by law or where you still need it to run your operations.
By minimising your data, you can help minimise your data risk and costs in the future.
Video 3 – Safely Deploying New Technologies to Protect Privacy
Artificial intelligence, machine learning, and automated decision-making are all major technology issues organisations should be aware of today. There is much discussion about how these technologies will change modern business. But, like all technologies, they come with risks – especially around data privacy.
Technologies are tools that must be used correctly and appropriately to be safe and effective. The same applies to AI and machine learning. For example, when using automated decision-making, make sure those decisions are understandable and explainable. Otherwise, how do you know if the machine is making the decision correctly?
Organisations must be cautious in applying these new technologies and consider how to deploy them safely and ethically. Make those considerations at the design stage. If you are bringing in privacy-by-design experts or ethicists, do it early and do it often to protect privacy at your organisation from the outset.
Video 4 – Best Practice for Local and Global Privacy Compliance
The key issue affecting clients today, at least in the field of data risk, is the evolving privacy compliance environment.
New privacy laws are being implemented globally and here in Australia we are near the tail end of a privacy reform that will change the compliance landscape. For clients operating globally in multiple jurisdictions, this presents a myriad of compliance obligations, so there are challenges in ensuring global operations meet local requirements.
Organisations don't need to know every exact obligation when dealing with multiple regulatory regimes and significant regulatory changes. Many privacy laws have a common foundation, and they are based on privacy best practice throughout the data lifecycle. So, companies can design internal compliance mechanisms and controls around what that best practice will be. When new obligations come into force, you can then tweak your compliance regime to ensure that you will comply, not just locally but globally.