Ever paused to wonder just how far your personal data gets shared, where it turns up, who is using it and for what purposes?
Data privacy is as much a consumer quandary as it is a business concern. Regulators have been steadily modifying Australia’s data privacy laws at the Federal and State levels since they came into effect in 1988. Australians will see further legislation passed in the coming months and years as Australia modifies current policies and adopts elements of California’s rollout of the CCPA (California Consumer Privacy Act – Jan 2020) and Europe’s experience with its information privacy protection policies under GDPR (General Data Protection Regulation – May 2018). Instead of adopting GDPR’s big-bang approach, Australia will roll out new Consumer Data Rights (CDR) by industry sector, having already commenced with the Banking sector (July 2020), then the Energy sector (Nov 2022), and soon thereafter the Telecommunications sector. A new sector will be assessed and designated every year.
Business leaders need to build strategies to meet regulatory compliance, and information privacy management is no exception. At the same time, businesses need to build trust with their consumers, not only to demonstrate their compliance with regulations but also to prove that consumers’ data is in safe hands and won’t be exploited beyond any consents provided.
If that sounds hard to do, let alone stay compliant (especially with ever-changing acts and legislation), that’s because it can be. But it needn’t be stressful if you have the right cross-functional business cooperation, the right executive support, and the right solution partner.
The right solution partner should be by your side to guide you through:
- Readiness in how to set your business up for privacy compliance and automation success with a privacy management solution
- The relevant acts and legislation that your business needs to consider now and into the future
- The setup of a quality data foundation through mapping of your internal and cloud-based data stores, your data-sharing vendors and partners, and any other attributes of how and where you store personal information
- Self-assessments to allow your organisation to assess compliance at any point in time
- Scale up of further automation as your business grows or as regulations change
So, how do you evaluate and choose the right privacy management solution? Whatever your size or privacy program maturity, the key requirements below are worth considering. Where you choose to start is up to you, but we provide some suggestions below.
- Assessments
Whether you are new to privacy management, or your organisation has this well-defined, assessments are a great starting position to review your business practices and the regulations that come under your trading and client profiles. Through assessments, you can grade your adherence to legislation and your own internal policies allowing for appropriate process improvements should they be required. As legislation changes or your internal policies change, you should update your assessments accordingly and run them again.
The right privacy management solution should cater for assessments to be created against external criteria (legislation and acts) and internal policies with ease of set up, modification and execution. The right solution partner should assist you in the initial set up of your assessments. From there on, self-assessment should be easily executed from within your organisation.
- Where’s My Data
As a consumer, when we sign up to a product or service (typically through a company’s website) we’re giving consent to that organisation to know our personal data; to know our shopping preferences, our communication preferences, our financial/payment preferences and so on.
But have you ever given thought to where your data is stored?
Most likely not, as we assume the organisation keeps all our data in one place associated with our membership or our online purchases. The truth is far from that: our personal data is stored everywhere, from internal systems to cloud-based storage repositories to SaaS applications, and then anywhere in the supply chain that needs that information to meet our order requests.
With so much data in so many places, it can be hard to locate exactly where all the personal data resides. Some companies employ Data Privacy teams to try to keep track of all this data, but in reality they lose sight of data locations quickly as businesses grow, new systems come online, and old systems are migrated and retired. Knowing this information is critical. Companies with unaccounted-for personal data are at higher risk of non-compliance with legislative requirements and of penalties, and are more susceptible to data breaches and ransomware attacks. Knowing this information is also the key to the success of a privacy program and hence to the successful operation of a privacy management solution.
The right privacy management solution should understand where personal data resides (whether in structured or unstructured data stores) and map your data sources even if they are outside your organisation, be they cloud-based storage repositories, SaaS solutions or the data systems held by external business partners, vendors, marketing companies or supply-chain participants with whom you share personal data.
- Automate, but keep Brand and Trust in mind
The right privacy management solution needs to provide automation from the beginning of a consumer request right through to the fulfilment of that request. The consumer’s experience needs to match the experience of dealing with your organisation for the supply of goods or services. Even if the consumer’s request is a right to be forgotten (Delete My Data), you need to ensure the process is complete and timely, and that the consumer is properly authenticated before they part ways with your brand, all with positive sentiment. Automated experiences are good, but they also need to allow for appropriate reviews, checks and balances.
As new privacy regulations appear, it’s simply no longer sustainable to rely on manual processes, as they are costly, disrupt daily operations and create risks of non-conformance. Within larger organisations, a recent cost of compliance report found that up to 26 employees can touch a data subject access request (DSAR), increasing the risk of human error and thus potentially damaging your brand and trust with consumers.
Getting the balance right between full automation, a rich user experience, positive brand sentiment and completeness of the DSAR is specific to each organisation, so the right privacy management solution should allow you to tailor these attributes in a highly customisable platform. Such a solution should automate repeatable processes whilst allowing your organisation to add the right controls, escalations, reviews and approvals. It should also provide a rewarding and trustworthy user experience that starts with securely validating the consumer’s identity and ends with complete confirmation of their request. Where a ‘Data Access Request’ asks for it, that confirmation includes the privacy data elements themselves, whether masked, redacted or as real data.
- Would you like a Cookie with that
A fundamental of Privacy By Design is empowering consumers in how they wish to interact with your organisation. The right privacy management solution should enable companies to build trust amongst their consumers by offering them flexible tools that give full control over consent and communication preferences. Consumers should be able to access customisable web pages that allow them to manage their data and opt-in preferences, which can then be passed along to all brands, departments and data sources throughout your organisation. Cookie Consent is an important aspect of any privacy program, and privacy management solutions should allow easy setup and management of cookies under a Privacy Centre Console accessible to all consumers.
- Deploy for today knowing there will be changes tomorrow
Australia’s Federal Privacy Act was deployed in 1988, GDPR went into effect in 2018, California’s CCPA was launched in 2020 and now Australia’s CDR Acts will deploy by industry on a near-annual basis going forward. CCPA’s extension, the CPRA, will cater for employee requests and business contacts from 2023, and it is likely such legislation will come to Australia in the next 1-2 years. With massive regulations emerging every few years, privacy is not a set-and-forget approach.
The right privacy management solution needs to work with you and scale with you both in terms of the external changes (regulations) as well as changes within your growing business. You need a solution that scales in size, that caters for changes in your data landscape, that allows for rapid self-assessments to keep you compliant and that has the right solution partner by your side. And all of this with known and predictable outcomes and costs so you can continue to run your business whilst the privacy management solution keeps you on track for privacy compliance.
Key Take-outs for a Privacy Management Solution
When choosing the right privacy management solution, there are several things to consider, including your company size and your privacy program maturity. Large and complex organisations should prioritise a solution that can help compile a strong data map, helping to locate their vast volumes of personal information, while newer organisations should start small, link to a few of their known data sources and spend time promoting their privacy management solution to their consumers as an opportunity to promote brand and trust. Choosing the right solution partner is critical for early success with your privacy program and for ongoing success in catering for future changes in regulations.
For further details or to discuss how DataBench can help you on your privacy program journey go to www.databench.com.au and click on ‘Get In Touch’.