As part of the Centre for Digital Enterprise’s quest for continuous improvement, we collected feedback from those who attended our metropolitan workshop in February – Digital disruption and your workforce: From here to where? One of the comments we received as part of this process was that the presentations did not touch on the privacy issues that can go along with a digital transformation journey.
While we like to focus on the positive impacts of new technology implementation on business operations, this comment is a good reminder that there are also many challenges. One of these is undoubtedly trying to navigate complex data privacy regulations as you move your operations online.
In this digital and interconnected era, businesses are increasingly transacting directly with consumers, which means they are collecting a growing amount of personal data. Digitising operations gives businesses access to data analytics that can help them discover new insights about their customers and behaviours automatically, without having to ask explicit questions[1]. This data is then stored in the cloud, where it’s vulnerable to cyberattacks from criminals who are looking to convert data into money through ransomware that holds data for ransom, identity theft or selling files on the black market.
As a result, data breaches are becoming more common, with 24 publicly disclosed data breaches in Australia in the first half of 2018, putting us fifth for worldwide data breaches[2]. Australia also ranked fifth for the number of exposed records by country, with an average of 834,833 exposed records per breach[3].
For businesses, this isn’t just bad for publicity and customer trust, it can also have significant financial impacts as companies can be held liable for these breaches.
Further complicating matters is the fact that few business leaders properly understand what constitutes a data breach. Most assume it relates to a cyberattack, but it can also include sensitive information being read by a stranger as an employee works from a laptop in a public space[4].
Therefore, while many businesses have made data security a key business concern, they haven’t coupled this with policies and procedures relating to data privacy.
While data security is about securing data against unauthorised access, data privacy is about the proper handling of data, including consent, notice and regulatory obligations[5]. Data security is therefore a technical issue whereas data privacy is a legal one[6].
This makes it a particularly complex issue, bringing ethics into an area that until recently was seen as a matter for IT. This shift has been driven in large part by the introduction of the General Data Protection Regulation (GDPR) by the European Union (EU). The GDPR privacy laws have been referred to as ‘game-changing’ and ‘revolutionary’ because they assume privacy as a fundamental human right that companies have a responsibility to protect[7]. The GDPR has broadened the data considered private and given European citizens stronger legal rights to sue over alleged privacy violations[8].
Australia is also moving in this direction with the introduction of the Consumer Data Right (CDR), which was announced in November 2017 and will come into force from 1 July 2019[9]. The implementation is being rolled out in waves, with banking the first industry to be subject to the CDR, followed by the energy and telecommunications sectors, and then potentially others. The CDR aims to give more control to consumers over data held about them and includes more privacy and data sharing obligations for businesses, including additional penalties for breaches[10]. The definition of consumers has been expanded to cover small, medium and large businesses, extending privacy protection to all businesses regardless of size, while also expanding the range of organisations that will be forced to meet privacy obligations[11].
These obligations are in addition to the privacy obligations businesses are already subject to under the Notifiable Data Breaches scheme introduced in 2018. This scheme means all organisations and agencies with existing personal information security obligations under the Privacy Act 1988 are required to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm[12]. In the first six weeks of the scheme, 63 notifications were made[13].
Since data privacy is a legal issue, with financial penalties for non-compliance, businesses should seek legal advice when drafting data privacy policies and procedures. At a minimum, these documents should outline how your business collects data, what you use it for and how you’re protecting it.
The Department of Industry, Innovation and Science has some good resources on its website for those looking to get started, including a rights and responsibilities document and a privacy checklist for small business.
One of the biggest challenges businesses will face during this time of digital disruption will be building trust among clients as an organisation that protects privacy while also providing a seamless online experience. The best way to do this is to go beyond simply complying with data privacy laws and implement clear transparency policies for data management that give clients a view of how their data is being used.
As consumers become more aware of the value of their data, a competitive advantage is opening for businesses that promise, and prove, privacy.
Author: Adelle King
1 Wilson, S 2018, 'Big Privacy: The data privacy compact for the era of big data and AI', ZDNet, viewed 2 May, <https://www.zdnet.com/article/big-privacy-the-data-privacy-compact-for-the-era-of-big-data-and-ai/>.
2 RiskBased Security 2018, Data Breach QuickView Report: Mid-year 2018 Data Breach Trends.
4 Hendy, N 2018, 'Data security: What small business owners need to know', The Sydney Morning Herald, viewed 2 May, <https://www.smh.com.au/business/small-business/data-security-what-small-business-owners-need-to-know-20180919-p504sp.html>.
7 Levick, R 2018, 'The GDPR Revolution: What Smart Companies Should be Doing to Get Ready', Forbes, viewed 2 May, <https://www.forbes.com/sites/richardlevick/2018/05/23/the-gdpr-revolution-what-smart-companies-should-be-doing-to-get-ready/#1b35436f440c>.
9 Australian Competition and Consumer Commission 2018, Consumer data right (CDR), Government of Australia, <https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0>.
10 2018, 'Australian Consumer Data Right law: What you need to know', Dentons, viewed 2 May, <https://www.dentons.com/en/insights/alerts/2018/december/14/australian-consumer-data-right-law-what-you-need-to-know>.
11 Ringrose, E 2018, 'Does Australia need two privacy regimes? The Consumer Data Right', Ringrose | Siganto, viewed 2 May, <http://www.ringrosesiganto.com.au/resources/consumer_data_right/>.
12 Office of the Australian Information Commissioner 2017, Notifiable Data Breaches scheme, Government of Australia, <https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme>.
13 Dickson, G 2018, 'GDPR and data privacy in Australia', Right Now, viewed 2 May, <http://rightnow.org.au/opinion-3/gdpr-data-privacy-australia/>.