Glyn Geoghegan

Why Australian organisations should aim higher on privacy

When the Government revised the Privacy Act at the end of last year, additional reforms were flagged. But according to Glyn Geoghegan, Security and Compliance Director at Devicie, there are now many reasons for Australian organisations to ‘go above and beyond’ the current set of privacy rules.

The new level of transparency in the world of privacy follows the release of a long-awaited review of the Act that contains 116 proposals. While these remain proposals – and there are concerns at the extent to which they might be adopted, let alone implemented – the intent to observers is clear.

The proposals point to a likely harmonisation of Australia’s laws with more forward-thinking international standards, notably the EU and UK’s General Data Protection Regulation (GDPR). Despite being considered a future direction of Australian privacy rules for some time now, it has taken a while to gain momentum and a critical mass of backers.

Not all Australian organisations are waiting for a local version of GDPR to be enshrined into law before trying to meet GDPR-like standards themselves.

GDPR is often seen as a “gold standard” for data protection regulation. For that reason, it has become an attractive bar for Australian organisations to try and meet — even if they have no direct exposure to the EU (although the net is cast fairly wide).

Organisations that proactively adhere to GDPR standards are likely to develop a significant head start on compliance, preparedness, and mindset, should similar laws be enacted locally.

But there are also other reasons to do this: it’s demonstrable proof the organisation takes privacy and data security seriously. At a time of heightened awareness of data privacy, following a series of high-profile breaches and leaks, organisations need to be able to offer some reassurance they’re taking the situation seriously.

Voluntary GDPR compliance is emerging as one way of doing that.

Lived experience

Devicie has joined a growing cohort of Australian organisations adopting a proactive stance to meeting growing global privacy expectations, electing to build the processes and policies to achieve compliance with the GDPR. While it was not a trivial exercise, with the right assistance, it’s possible for other Australian organisations to achieve the same.

For those thinking of going down this path, there are a few things to consider.

First, organisations need to routinely use templates or software to help document how and where data is handled, processed, and stored. This will assist in assessing how the requirements of GDPR can be complied with throughout the business. In our case, we engaged a law firm with GDPR specialisation who provided structured documentation that formed the baseline for further iterations of our journey to compliance.

This was important because it helped lower the intimidation barrier. GDPR, as a whole, can look daunting or unachievable, but a template can greatly assist in breaking up the compliance journey into smaller, executable pieces. For a relatively small amount of work, organisations can get the core pieces in place to have a plausible GDPR compliance program, including how security and data controls map to key compliance requirements.

The other aspect to this is that working through GDPR compliance is nowhere near as difficult, draconian, or expensive as dealing with a post-incident clean-up or ensuing legal action. If a data leak or breach is serious enough, these consequences can become very real.

The second thing to consider is that the barriers to compliance may not be as high as you think. Many Australian organisations aren’t starting from scratch. While the existing Privacy Act may not mirror GDPR, compliance with the current legislation gives organisations strong foundations to build on.

For organisations not yet subject to the Privacy Act – which includes most small businesses – now is a good time to voluntarily work towards meeting those standards at a minimum. Any preparedness in this space will go a long way.

It’s often easier to engineer a control framework and achieve compliance as a smaller-sized organisation. If we’d grown to the size we are now before attempting this, it would have been exponentially more complex. I’d envisage it would be far more complicated to build a privacy and compliance framework for a larger company suddenly realising they needed it.

Having to find a framework that fits, and to build out a suitable plan or program that passes muster with external validation, would be far more onerous. For privacy-forward organisations, the message is clear: start small, start early, but start now.

In our own case, we know we can meet the GDPR timeframes for action. We also know if anyone asks, we can point to our journey as proof of our approach to data protection and privacy: we’ve gone through the process, put people in place, this is what we designed, and we will continually be working to refine and improve it.

Clients can take assurance from this that we take data protection seriously, and we in turn are assured that however the Privacy Act evolves, we’re ready to take those changes in our stride.