As high-profile organisations deal with public scrutiny from recent data breaches, the breadth of the data they held has also been exposed.
The breaches revealed driver’s licence and passport numbers, information about customers who had been inactive for years, and even frequent flyer points — troves of personal and sensitive data points with limited use for daily operations.
After updated privacy legislation amendments sailed through Parliament, it is now imperative that boards and business leaders question why they collect and store the data that they do.
Businesses don’t own the data they collect. They are custodians of other people’s information — a point reinforced by the amendments to the Australian Privacy Act.
Updates to the act draw on principles from the European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018.
This coincided with growing consumer awareness about their own personal information and how it is used. GDPR dragged businesses into a world where there were extreme risks for non-compliance, even if the business was based outside Europe but was dealing with European individuals.
The new Australian amendments reflect this serious approach and may even go further.
For serious or repeated privacy interferences, the maximum penalty in Australia would now be the greater of $50 million, three times the value of the benefit obtained attributable to the breach or 30% of adjusted turnover during the breach turnover period.
But importantly, the updated laws will apply to any organisation that does business in Australia, even if they do not collect or hold information in Australia — think a digital giant storing personal information in a US server.
Businesses held accountable
The tougher penalties reflect a shift towards demanding accountability for the data that is collected and stored.
For business, that accountability starts with a two-pronged question: what data does the organisation hold and why do we collect it?
Collecting reams of personal data such as names, addresses, email details and transaction dates from customers might be necessary for doing business. Less obvious is the need to store sensitive information such as passport details, mobile phone and Medicare numbers for long periods.
Some explanations are straightforward — names and addresses are necessary to ensure the delivery of goods, for example.
But when businesses gather sensitive information like gender, frequent flyer points or driver’s licence numbers, that clarity starts to fade.
Data that is essential to doing business should be clearly documented and defendable.
Having determined what information is necessary, good data governance is the next step, which means knowing where it is kept and who has access to it.
Consider a retail business with a composable technology structure.
It might have one software application for customer interactions that stores personal names, postal addresses and emails, another for marketing campaigns, and a third for loyalty programs.
Do you know every place where the data is held?
Not knowing where it is stored and what it is being used for elevates the accountability risk.
Governance is also necessary for ending the custodianship of the data because neither GDPR rules nor Australia’s Privacy Act is prescriptive on how long data can be stored for.
Organisations are likely going to determine the period of their accountability, and this will vary by sector, customer expectations and what the organisation itself deems acceptable.
In the recent high-profile data breaches, people who were no longer customers had their data exposed, and demanded to know why it was necessary for this material to have been retained.
If it’s been 12 months since a purchase, is it justifiable to still call someone a customer? Defining a tenure over data should form part of the terms and conditions of a business transaction.
We’ve rarely needed to consider questions over data and privacy until relatively recently. And if we did, it was likely focused on the wants of the business collecting that data, and not aligned with what is in the best interest of the true owner of the data — the customer.
Privacy legislation should allow people to maintain ownership over the information that they choose to share.
An organisation doesn’t own the data but it is wholly responsible for that which it holds.
Terrence Teh is a client director at Pitcher Partners Melbourne and a digital strategy specialist.
ABOUT THE AUTHOR
Handpicked for you
Data trends: Adatree co-founder Jill Berry on what to expect in 2023
COMMENTS
SmartCompany is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while it is being reviewed, but we’re working as fast as we can to keep the conversation rolling.
The SmartCompany comment section is members-only content. Please subscribe to leave a comment.
The SmartCompany comment section is members-only content. Please login to leave a comment.