Clients often see privacy as just another regulatory obligation, another box to tick so that they “comply”: a bunch of high-minded statements of intent that might be needed if there is a breach (and “that will never happen to us anyway”).
Privacy is becoming more complex, not less, especially given the international nature of many businesses. Australian businesses need to consider that a number of US states are now enacting their own privacy legislation, that the Schrems II decision (Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems) has required a review of any personal data flows from the EU to Australia, and that the UK’s post-Brexit version of the GDPR is in a state of constant flux.
The Office of the Australian Information Commissioner (the OAIC) has put together 10 tips to help businesses keep personal information safe:
- Know Your Obligations – make sure you know your current privacy obligations, and what they are as your business evolves.
- Have a privacy plan – put a plan in place for your privacy obligations to promote a culture of privacy awareness.
- Appoint privacy champions – appoint specific staff to be responsible for privacy… and promote this from the top.
- Assess privacy risks – build privacy risk and impact assessments into your projects, especially new ones.
- Privacy by design – review the personal information you collect and keep, and make sure it is only the information reasonably necessary to carry out your business activities.
- Secure personal information – make sure you have secure systems in place to protect personal information.
- Train your staff – give staff real life, practical examples of how to protect personal information and provide refresher training regularly.
- Prepare for data breaches – have a clear Data Breach Response Plan implemented so that you can respond to any breaches quickly and effectively.
- Review your practices – be proactive, review your privacy documentation and procedures regularly… and be ready for privacy reform!
Over the years we have advised clients on, and drafted documents for, many privacy-related matters: privacy policies, privacy procedures, staff training, data breach response plans, dealing with the OAIC and complying with the GDPR.
The Australian privacy regime is currently undergoing a comprehensive review and big changes are coming, with substantial penalties for companies and individuals for breaches. But one of the biggest penalties for a business is the reputational damage of a data breach, and the loss of customer trust that follows.
There has never been a better time to get back to basics; the future of your business could very well depend on it.