What you need to know:

• Australian privacy reform might have been transformed into a multi-act play, but that doesn’t mean businesses should be taken the foot off the pedal of compliance and data governance efforts: Quite the opposite, say the Privacy Commissioner, ADMA, Clayton Utz and Civic Data.
• Yet according to ADMA’s Sarla Fernando, that’s exactly what is happening as organisations divert hard won compliance training budgets and focus for marketing after the first tranche of privacy reform failed to deliver the big substantive changes expected to how the industry collects and applies personal information. She’s also worried about the ground lost by marketers as compliance training loses support.
• Lounge Lovers’ Sven Lindell flagged implied consent as a particularly grey area brands should be rethinking as they review whether existing data collection and use is in fact compliant.
• For Clayton Utz partner, Brenton Steenkamp, adjustments to the Australian Privacy Principles qualifying ‘reasonable’ use of data as well as new examples of organisational-level accountability all make plain the Government will still go hard on how data is used, collected and retained in a way that can’t be solved through technology alone.
• Data mapping and auditing, better insight into the full data lifecycle and importantly, stronger data destruction, are all ways brands can prepare for what’s to come right now, say the experts.

Privacy reform may have become a multi-headed beast, but that’s no excuse for businesses to not be doing more to clean up their data and compliance act now. And yet in this week’s Mi3 podcast, Privacy Commissioner Carly Kind expressed her concerns about businesses redirecting budgets away from compliance to other activities after failing to see substantive privacy reform in the first tranche tabled in Parliament on 12 September.

“If I can get one message out it’s don't take your foot off the gas, because we're going to be looking to take a more enforcement-based approach to regulation in the interim, even notwithstanding those reforms,” she warned.

It’s a concern shared by ADMA director of regulatory and advocacy, Sarla Fernando. She fears for the progress made by marketing teams who’ve gained a voice in the organisation-wide privacy and compliance conversation.

“In the lead up to the Bill being submitted to Parliament, there was a sense of urgency that change would be substantial and off the back of that, marketing teams were able to justify the need to prioritise the work to be done and get some backing from their boards,” she said. “They had money allocated to training and upskilling. Now, with what is going to be a delay in some of those reforms, we are hearing from our communities some companies are finding the budget allocated for privacy training in marketing, which is at the frontline of this, being shifted elsewhere with the intention to focus on privacy later.

“That's a disappointing component. We have responsible marketers who are very keen to do what they have to do, to be involved in this and get their teams ready. ADMA has spent a lot of time working with the marketing community, driving the messaging that they shouldn’t get bogged down in the little details of what's fair and reasonable to one person not being fair and reasonable to another, for example. Or get bogged down in how and when we will we land on the wording… Just know this reform is coming and start preparing for it.” 

Fernando pointed out compliance teams tend to wait until the wording is locked in. “Whereas many marketers have understood the application of the reforms and are saying actually, 'wait, if all of these things are coming into play, then we have a lot of work to do with the data we have right now on the road to compliance in the new world. And if we wait too long, we're not going to have time to do it in order to be compliant.' That's our challenge as an industry,” she said.

In response, Fernando’s overarching advice is to keep urging the rest of the business to understand the more substantial scope to privacy will broaden and that compliance training and education is vital to getting remotely prepared for what’s to come.

“Know the kind of data you've been collecting up until now is going to face a wider scope for personal information; that's coming,” she advised. “Also know for sure that just because you're ready for GDPR does not mean you're ready for Australian reforms. Know while the timing for small business exemptions around certain proposals may not be this tranche for various reasons, change will have to come in some form in order. So do the work you need to do to lift your standard of data practices to be best practice… this is what your meet customers are already expecting of you anyway.”

Inadequate compliance mentality

What worries Lounge Lovers head of marketing and digital trade, Sven Lindell, is many businesses aren’t compliant with what is in place right now.

“I have massive concerns around people that haven’t collected data compliantly,” he told Mi3 during an interview at the recent Attentive SMS marketing conference. Lounge Lovers made the decision to adopt the tech vendor’s platform specifically because of its transparent opt-in functionality to ensure consent as it builds an SMS database under its CRM program. In under five months, the retailer has had more than 44,000 customers sign up.

“I’m quietly confident I can point to a number of retailers out there that have built their SMS databases who are in this process now of constantly communicating – and their customers haven’t opted out. But going back and then wondering if can I stitch all that together and show there has been absolutely expressed consent to opt in to this channel? It’s a bit loose,” said Lindell.

One of the doozies Lindell flagged for brands is the concept of implied consent. “That was a really grey area that even lawyers couldn’t describe to me,” he continued.

“For example, because you have a loyalty program and they’ve signed up and it’s an account in that loyalty program, and they have therefore signed up to a program all about marketing, therefore it’s implied consent. Ok, so do I put a tick box in? Do I have that pre-ticked or unchecked? Or do I go back and say, wait a second, the customer didn’t check that but because they signed up, we have implied consent?

“If there’s a big gap between a source we thought could have opted into this communication and what we’re sending to them, we should be rethinking that.”

Lindell’s hope is the next tranche of privacy will bring things to a point where this becomes more apparent – and that brands see it before the regulators come down hard.

“And I know they are. Unfortunately, I’ve been at the back end of some of those. But I think it’s only a good thing for marketing. It will help clean up the industry. And it means those databases that fly around out there, and the way you share data and information, will become a lot more regulated as well,” he said.  

“The other interesting thing is the introduction of data clean rooms and how they’re going to change the way we work. I know they’ve been talked about for years but I do feel we’re on the cusp of these being a big way for us to share information and share signals around customer value.”

Attentive regional VP of APAC Zach Hotchkiss, said the vendor takes compliance very seriously, noting a large legal team looking at all regional and geographic laws and compliance.

“We’ve never had someone properly litigated against Attentive,” he said, adding Attentive is “100 per cent getting questions in the local market”.

“Sometimes it’s the primary reason someone who is not using Attentive comes over and uses us. That was the catalyst of opening up conversations with Lounge Lovers and looking at a new SMS provider over a previous provider,” Hotchkiss said. “We’re even finding in the US, time and time again, people come to us specifically because of this level of compliance, opt-in, the way we look at date and time, the way we use screen grabs. It’s very important you get it right from day one. Otherwise you’ll have to go back and clean all this up.”

Clayton Utz: Take a hint from the APP tweaks around data management

Brenton Steenkamp, the partner heading up Clayton Utz’s cybersecurity practice, said the Government’s intention to see through more significant privacy reforms are there for anyone who looks for them. In a recent media briefing, he flagged clarifications to the existing Australian Privacy Principles (APP) qualifying data security, processing, destruction and management as indicative of how much of a compliance issue this is for businesses. And it’s not going to be solved by technology alone – as the APP changes make plain.

“The latest reforms to the Australian Privacy Principles on securing, retaining and destructing personal information are focused particularly two aspects. Firstly, organisations now need to take ‘reasonable steps’ – what is deemed to be reasonable – particularly around the technical and more importantly, organisational measures,” he said.

Specifically, the Government has amended APP Part 5, which adds in a new 11.3 clause noting ‘reasonable steps’ must be taken both technically and organisationally around protecting and then destroying personal information. It also introduces specific examples of the kinds of organisational measures that could be taken to protect personal information, including training employees on data protection, and developing standard operating procedures and policies for securing personal information.

“A lot of organisations have embedded a good range of technical processes and ground controls to achieve the necessary security measures, particularly where an organisation has an ongoing business function to protect itself against all sorts of cyber-attacks taking place. However, the point around the organisational measures takes it a step further,” explained Steenkamp.

“There’s going to now be a deeper sense of responsibility, but also ownership, not only at the governance layer, but also the operational layer. Processes need to be embedded around the training and awareness of what this data means to you as the user, but also from an institutional perspective. How do you protect the data? Are you using it for the purposes of why it was acquired in the first instance?”

Then there’s the data usage and retention itself. Steenkamp summed it up as “heightened corporate responsibility and focus around when the data reaches its full potential in terms of its first requirement and usage, and what has been done to either de-identify that information or destroy it accordingly.”

While ‘reasonable steps’ is a wide term, it’s one that makes it vital brands think about their customer data lifecycle right now.

“I will say the judge to that would not only be internally, but also externally in terms of what that means in the eyes of society,” Steenkamp said. “What are we doing personally to safeguard that type of information? Also at an organisational level, what has been done to actually manage it accordingly and to follow good governance around data holdings?

“There’s a lot of hard work still to be done in that regard. I think large organisations and multinationals have probably done a lot in this regard to mitigate the threat of data breaches, attacks from cyber criminals, but more can be said around the smaller and medium enterprises.”

There’s also the question of what data businesses are protecting. “There's great emphasis around what steps you are taking to maintain not only the security of your data holdings, but also how you get rid of what is not needed anymore going forward. There's a step process of not only identifying what data you hold within the organisation, but also desensitising that information from a personal information perspective, and also from a risk perspective,” Steenkamp said.

“That's where in my personal view, businesses as a whole need to do catch up work. There's much greater emphasis now on understanding what my data holding looks like, who has access to that data, what third parties are holding my data and have access to it, and what controls have been embedded to mitigate the risk, not only from a security perspective, but more widely. The reform talks to what measures are being embedded internally. Are people being trained? Is the governance process being framed out? Have the necessary measures been taken to forecast or understand how old is the data you have on hand? Has it been used for the appropriate purposes? Why was it first collected? Those processes are key, and that's where maturity needs to increase.”

Fellow Clayton Utz special counsel, Monique Azzopardi, said from a day-to-day perspective, the team often sees organisations holding onto data because they regard it as a valuable asset that may be used to support ongoing processes, legal compliance and the like.

“In the wake of recent data breaches, people are revisiting their data holdings and thinking about what they need to hold onto,” she said.

Indeed, loyalty, data enrichment, data broking are among the focus areas the Privacy Commissioner, Carly Kind, has right now.

“Retention of data is a really big issue that comes across our desk time and time again. Having entities take a good look at that would really put people in good stead,” Kind told Mi3. “Cyber security and reasonable steps to secure information is another – it's the main complaint we get coming through our doors.”

What can be done now

Even with less bite than expected, the first tranche of privacy reform does bring in significant new requirements. As reported by Mi3, one of the big ones with huge long-term impact is transparency notices around automated decision making. Under the new changes, entities must disclose the use of AI and automated systems that significantly affect individuals. In other words, if you are using customer data to automate decisions, your customers need to be able to understand that from your privacy policy.

In response, consultancy Civic Data advised brands to carefully examine the entire tech stack, analysing which tools make or assist in making significant decisions; vet how they categorise and disclose the ‘kinds’ of decisions these systems make; and review current privacy notices to ensure they’re sufficient to cover these automated processes.

There’s better data auditing and categorisation that can be done now too. Data and technology consultant, business lawyer and principal at Data Synergies, Peter Leonard, said a really important part of being prepared is knowing the data you have, and categorising it so it’s clear what personal information holdings exist and have to be managed under the new privacy regime.

“The reason I put emphasis on that is most organisations don't label their data properly, and therefore don't know where there is personal information within the organisation, even as defined today, and even before they do the exercise of saying, okay, when these new rules come in, it includes inferred data,” he said at a recent ADMA briefing.

“So there is a basic data mapping and taxonomy exercise that virtually every organisation in this country should be doing now, regardless of what the rules look like. I've spent my lifetime involved in technology and data projects and businesses, I can tell you, there's virtually not a technology or data project you can do that takes less than six to 12 months. There's a big lead time just on getting all the data properly labelled, mapped to where the data sits in data warehouses - all of that stuff. If organisations aren't doing that now, they're not going to be ready for this legislation as and when it comes. And you can do all of that without knowing what the final legislation is going to say.

“I do think a lot of organisations are setting themselves up for a fall by saying, Well, you know, we don't know exactly what the landscape is going to look like, therefore we won't start, because if they start at that point, they're not going to be ready.”

And don’t forget, the second material issue for marketers coming out of the first tranche of privacy review is that there is now a statutory tort – a legal framework that covers civil wrongs – that could lead to class actions, for instance, if the Office of the Australian Information Commissioner finds serious harm has been done.