Australia Moves Closer to GDPR-Like Privacy Laws – Challenges for Australian Businesses

The Australian Government published its response to the Privacy Act Review Report in September 2023 agreeing to 38 proposals, “agrees in principle” to 68 proposals (i.e. further consultation required to understand impact and alignment with other reviews like Digital ID, and the Australian Cyber Security Strategy before implementation), and notes the remaining 10.

Privacy Act Review Report Response has 5 key themes for organisations to consider:

1. Bring the Privacy Act into the digital age
2. Uplift protections
3. Increase clarity and simplicity for entities and individuals
4. Improve controls and transparency for individuals over their personal information
5. Strengthen enforcement

Though this may not be widely understood and a number of businesses may have conducted an assessment, there is not widespread implementation of technologies and capabilities for businesses to be in a position to comply once the changes come into law. Additionally, there is a limited number of experienced data protection or chief privacy officers relevant in implementing technology, and consultancy and advisory teams from firms in Australia are already stretched to help businesses meet the requirements.

This opinion piece is focused less on what is changing from a framework and consultative approach, it is more focused on the practical steps to implement technology to meet a legal compliance perspective.

Some of the Key New Requirements for Businesses likely to arrive with new Privacy Regulation:

• Definition and types of personal data
• Scope and applicability
• Rights of personal data subjects
• Controller and processor of personal data
• Lawful grounds for processing personal data
• Data protection officer and impact assessment
• Requirements for cross-border personal data transfer
• Sanctions

Understanding these requirements as they relate to the implementation of technology is important, as to meet the requirements of the Privacy Regulations in other countries, some technologies will need earlier implementation than others. In some cases, a phased approach will be required to effectively deploy capabilities in a parallel manner to adjust for technologies with prerequisites or those that have a longer lead time for implementation. Experience has demonstrated that three (3) streams of work are usually required for a successful implementation of Technologies to help organisations meet their compliance requirements.

Three Key Streams

• DISCOVER Classify and Understand Sensitivity
• STREAMLINE & AUTOMATE Privacy Processes
• COMPLY Consent and Incident Management

DISCOVER Classify and Understand Sensitivity

• This has implications above and beyond the privacy needs. Understanding what personal and sensitive data is held, where it is stored, how it is used in applications and processes, and why it is still held has implications for Risk, Security, Governance, and Compliance teams.
• Why is the Data still held? Are there duplicates, or are there multiple versions? These points have implications:
  • Information Protection – as to how this information is stored and protected?
  • Governance ­– why it is still being held, and the quality of the data? Risk around why there is a need to hold this information: can reducing holding reduce risk?
  • Compliance – are we meeting all the regulatory requirements around sensitive and personal data?
  • Privacy – can we manage Data Subject Requests (DSRs) and Breach Management and notification requirements under the PDP Law?
• Data Discovery is not enough, you need to apply sensitive data intelligence and automatically orchestrate appropriate actions to data!

STREAMLINE & AUTOMATE Privacy Processes

• Building on the data intelligence created during the discovery phase, data subject access requests can now be automated to meet the requirements of the PDP Law. Requests can be collected, authorised, and processed to meet the 72-hour response timeline.
• You need to understand what applications and processes are using personal data and ensure any orphan data is managed appropriately. This requires the creation of data maps and records of processing. By linking these applications and processes to the asset holding and processing that data can provide near real-time compliance and accurate tracking of any variations to the Privacy Impact Assessments (PIA) associated with the applications of processes.
• Collaboration across the organisation will be required for Data Privacy Impact Assessments (DPIA), and automation will be required to scale across the business to meet the requirements of mapping all applications and processes. Additionally, the risks determined during this will need to be exposed and addressed. This will require automation and risk visualisation in an actionable dashboard so the prioritisation of risk reduction can be managed.
• Cross-border transfers need to be managed and understood. This includes controlled and uncontrolled data stores managed by third parties. This type and sensitivity of this information needs to be understood, monitored, and managed according to regulations.

COMPLY Consent and Incident Management

• Any incident, no matter how small, will be required to be tracked and assessed according to the regulation. This will require collaboration and assessments to be collected in a timely manner and the risks measured to determine reporting obligations.
• You will need to ensure that consent from the Data Subject is collected and maintained forever. This means any updates or changes are also managed, taking into account the requirements, to ensure this consent can be reported upon for data subject access requests.

Lessons from Other Geographies

Along with the emergence of Modern Privacy regulations based on similar principles to GDPR, we are experiencing countries morphing these regulations into Data Protection and Privacy, including Sensitive Data.

Organisations are also encountering Data Sovereignty Laws as well as banking regulations around PII and Metadata that require audit and compliance at the cloud scale.

Key Points

1. Globally, Modern Privacy Regulation is morphing into Data Privacy Regulation.
2. Technology is being developed and adopted to help organisations manage these regulations at scale and, where possible, autonomously.
3. An overlap of roles and responsibilities across Policy, Classification, and Protection is occurring, and the adoption of cloud and multi-cloud is accelerating this.

Key Insights

Multiple parts of the business are looking to solve similar use cases

This is resulting in time and cost impacts to the business, as often multiple vendors are being assessed, and solution overlap is often significant, significantly impacting contracting and operating costs.

Impending regulation enforcement is fast approaching

It takes the business significant time to assess, select, implement, and operationalise a solution. This is putting the business at compliance risk and potential brand impact compared to competitors who have taken earlier steps to meet their obligations to Consumers and Regulators. Often, the business is not ready to embrace the organisational program of work and have appropriate budgets in place to implement and operationalize a privacy program.

Organisational alignment is critical

Typically, we find in businesses the following stakeholder teams to deliver successful programs; please note the use of the term program versus project as a Privacy Program is ongoing and needs to be built and funded accordingly:

• Chief Data Officer or Head of Data Governance
  • The CDO works with the business owners to define the classification of and policy around business data, including sensitive data.

• Chief Information Security Officer or Head of Information Security and Risk
  • The CISO/CSO operates the technology to implement the protective controls and mitigations.

• Data Protection Officer or Chief Privacy Officer
  • The DPO/CPO is guided by the applicable regulations for the geographies the business operates.

• Legal Team
  • The legal team will be responsible for providing guidance to adherence to regulatory requirements and reporting obligations.

Conclusion

• Action is required to organisationally align via a cross-functional task force.
  • The task force should determine priority steps to achieve compliance by October, potentially with a minimum viable product approach, and
  • The task force should develop a range of Business Pro.
• Engage peers in other organisations who are already on the journey to understand best practices and learnings.
• Engage advisory and technology integration partners with the potential experience and skills to augment internal resources.
• Engage technology vendors with expertise and experience, as timely engagement and implementation will be required.
• Align technology with the regulation, adapt to the business processes defined by the task force, and build a plan based on the maximum level of compliance by October 2024.