As governments around the world re-evaluate their privacy regimes, an emerging issue for every CIO is changes to data privacy regulation. These changes are forcing CIOs to review their privacy practices and, in some cases, trigger complete overhauls of business processes.
But one of the greatest dangers to data privacy has nothing to do with technology, and everything to do with culture.
Until now, Australian businesses have had the luxury of operating exclusively under Australian data privacy regulations, unless they had some physical presence overseas. The latest data privacy law to come out of Europe, the General Data Protection Regulation (GDPR), has the potential to change all this.
The great hurdle for Australian companies is the Australian cultural lens they cast over the GDPR. By ignoring, or not appreciating the deep-seated importance of data privacy to Europeans, businesses expose themselves to unprecedented levels of financial and commercial risk.
Attitudes towards privacy: Australia vs Europe
Culture is a strong driver of national privacy regulations in Australia, as is the case around the world. But compared to other parts, Australia has long had a very relaxed approach to data privacy (and privacy more generally).
In parliament, data privacy has bipartisan support. Everyone generally agrees that it is important – there is just not a lot of urgency in implementing it. For instance, it was not until 1988 that we had our first national privacy law. Even then, the law was only introduced following public concerns around the way the Federal Government handled citizen data in their failed attempt to introduce a national identity scheme, the ‘Australia Card’.
More recently, the introduction of a mandatory data breach reporting scheme was an almost decade-long journey between the Australian Law Reform Commission’s report recommending mandatory data breach reporting, to its passage into legislation earlier this year.
In stark contrast, the importance of data privacy is deeply engrained in European culture. Through the early part of the twentieth century, Europeans saw first hand the impact of widespread data privacy violations by dictatorial regimes. As a result, in the wake of World War II, they unanimously declared privacy (including data privacy) to be a fundamental human right and have since actively fought to protect that right.
European regulators have long taken a particularly dim view of companies that do not take privacy seriously. But the task of fortifying privacy has become more difficult in the internet age, where vast volumes of citizen information is now held by foreign companies and in repositories across the globe.
It is through this lens that the GDPR was conceived.
The GDPR in Australia
For Australian businesses, the introduction of the GDPR presents an obvious question: “Why should I care about privacy changes in Europe?”
As it stands, a huge number of Australian companies are already interacting with EU entities, with the EU being Australia’s largest source of foreign investment and second largest trading partner (Department of Foreign Affairs and Trade). There are even more that work with EU-based companies or participate in extended data supply chains that have access to EU personal data.
With data privacy considered a fundamental human right, the GDPR’s key premise is that the privacy of the data’s owner cannot be violated, even if this data is being taken outside of the EU. In short, the GDPR seeks to protect data no matter where it resides in the world. It does not matter how you get access to it, or what you are doing with it, if your business has access to EU personal data, the GDPR will apply to you.
Significantly, the GDPR demands compliance as a condition of access to the EU market. It will be a condition of doing business with Australia’s largest source of foreign funds and her second largest trading partner. To ignore it, would be to be excluded from this market, or to expose your business the largest fines ever to be applied to data privacy (potentially up to 4 per cent of a business’ annual global turnover or up to 20 million Euros).
For Australian businesses, there are two basic cases by which most companies will need to consider the GDPR. Firstly, and most obviously, the GDPR will apply if your company is selling products or services to consumers or businesses located within the EU. Secondly, the GDPR will also apply if you are part of the data supply chain for a company selling products or services to consumers or businesses located within the EU.
Unlike Australia’s view of privacy data, the EU takes a very broad view of what should be considered personal data, and therefore protected. Under the GDPR, any data relating to a living person physically located within the EU, will be considered personal data for the purposes of the GDPR. In some contexts, this could encompass IP addresses – a very different approach to what we take here in Australia.
Security and technology are only pieces of the puzzle
For most Australian CIOs, the hardest cultural hurdle will be reconciling how data privacy is positioned within their organisation, and how the GDPR demands it be managed.
Many Australian companies view data privacy as a responsibility of the CIO’s office. This severely underplays the role of business teams in data privacy compliance. For example, on their own, the CIO is not able to dictate the types of data their business collects, why, and whether the appropriate approvals have been sought. The CIO is also rarely able to judge whether business process or re-engineering, personnel training, or the application of technology is the best way to solve a potential data privacy issue.
This is not say that security and technology are not important components of an effective data privacy program. But without the full participation of the rest of the business, data privacy controls will fall short and regulation compliance will be impossible to achieve. It will require Australian businesses to apply technology, business processes and appropriately trained people to better protect data privacy.
In some ways, that is why the EU regulations apply such large penalties. Not only do they make even the largest companies in the world sit up and pay attention, they aim to raise data privacy discussions to the board level. They will also challenge us to take more than the traditional Australian, minimum compliance approach to privacy.
What is also important for CIOs to consider, is that data privacy regulations require their organisations to be more data centric, and to look at the company from a data governance perspective.
CIOs are no strangers to data governance but, until now, most have been very focussed on understanding their organisations from the view of a system integration or system management. Understanding the what, how and why of the data held by an organisation is vital for GDPR compliance.
Think about data
Even by European standards, the GDPR is a large and complicated piece of regulation. It enshrines many of the data privacy principles we have seen come out of the EU such as privacy by design, the right of access to information, the right to be forgotten, and receiving ‘specific and informed consent’ for data use. It will drive reform from a wide range of business activities from contracting services, end-user licence agreements and database design. And applying it can seem daunting.
In a 2016 survey of European businesses, Symantec found that 96 per cent of respondents felt they didn’t fully understand GDPR, and 90 per cent still felt unprepared. If you’re not feeling fully across what the GDPR could be asking of you, you are not alone.
Through the GDPR, EU regulators want to end the day of vague and open-ended collection permissions sought from consumers, for data that is not required, then kept indefinitely. They will be looking for responsible businesses to collect only the data they need, with full knowledge and permission, for a specific purpose, that will be disposed when no longer needed.
For businesses and CIOs across Australia, this calls for business processes, people and technology to all work together. And don’t discount the impact of Australia’s cultural approach to data privacy.
Brian Fletcher is the director of government affairs for Australia-Pacific, Japan and Korea at Symantec. Based in Canberra Australia, Brian leads the company’s engagement with governments and stakeholders on public policy, and supports public-private partnerships to benefit consumers, industry partners and governments across the region.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.