What you need to know:

• It’s been a three-year journey for holiday park operator, Big4, to tackle its data privacy risk and build a culture and organisational way of working that is based on privacy by design.
• Buoyed by a unified board and exec team, and an initial audit of where thing were good, bad and ugly when it comes to data privacy practices across the organisation, Big4 has been thorough in going through every part of its operations, structures, technology stacks, ways of working, capabilities and culture in order to de-risk and improve its data practices.
• Key to the shift has been recognising and respecting customer data isn’t in the ownership of the brand or business, but instead remains the possession of the customer, CEO, Sean Jenner says.
• There’s also an intrinsic link between growing cyber threats and privacy risk, he says – and thanks to the huge cyber breaches Australian consumers have seen in recent years, there’s a heightened consciousness and questioning of how brands are collecting and use all manner of personal information from customers, according to Jenner.
• With Australia’s transformative Privacy Act regulations due within months, and cyber breaches ever present, Salinger Privacy partner, Anna Johnston, has seen growing requests for help from businesses large and small.
• One of the big gaps is in understanding how broad the definition of personally identifiable information is under the proposed changes. “You can’t avoid the privacy rules by applying some basic de-identification techniques and thinking you are now exempt. Privacy understanding is not something staff are going to learn by osmosis; they need to be explicitly instructed about rules for collecting and handling personal information, and what ‘personal information’ does and does not include,” Johnston advises.

It’s shifting from a mindset of regarding customer data as the property of your business, to remaining in the ownership of the consumer, that Big4’s chief sees as the biggest game-changer in its quest to become a more privacy-minded organisation.

“A historic mindset was once you give me that data, that's now my data. Whereas now, our culture recognises that’s still the customer's data,” the holiday park operator’s CEO, Sean Jenner tells Mi3. “It's not our data, it's their data.”

Three years ago, Jenner joined Big4 after holding marketing roles at Nike, Virgin Australia, Myer, Starbucks and Sweat. He found three hefty risks on the agenda: Cyber risk, covid, and data privacy.

“Something we've all probably learnt is how intrinsically linked privacy and cyber are – cyber risk now is a privacy risk,” Jenner comments. “Yes, there are different reasons you can get hacked, but the end of the day, all the risk centres around data. You can't decouple those two things. Any risk you create around data privacy heightens your cyber risk and vice versa.”

With Australia’s looming privacy legislation changes promising to shake up the very nature of targeting and customer data usage, embracing privacy by design should be the priority of every corporate organisation in Australia today. Yet as report after report and expert after expert warns, many are not prepared for the huge changes coming their way. There’s still a significant gap in businesses taking adequate steps to get data governance and processes on footing that comes close to meeting the proposed privacy guidelines. What’s more, all that excessive data collecting of yesteryear has seen the sensitive personal data of tens of millions of Australians end up on the dark web.

“I was a general manager 15 years ago when it was very early days of digital and it was a free-for-all. We all had this mindset of collecting as much as we can and working out if and what we need later on. That was not out of malicious intent, it was more a wild west kind of thing,” Jenner says. Not anymore, he agrees.

Steps taken

What helped Big4 initially get on the path to privacy by design was unified alignment and prioritisation from the board and executive team. As a starting point, Big4 used the Office of the Victorian Information Commissioner’s auditing and health check tools to get a baseline read on the organisation.

“That guided an action plan because as you'd expect, there was a reasonable amount of green but a reasonable amount of yellow and red,” Jenner says.

Big4 built an ongoing management and action plan related to those risks identified. It also set up data privacy as its own register alongside the organisation’s normal risk register to articulate then tick off items from its list.

“Privacy is such a beast, and means so many different things. That helped get some structure to eat the elephant, so to speak,” Jenner says.

Thorough privacy training from top to bottom for all 40 staff has been key, with particular emphasis on staff more exposed to customer data. Big4 worked with Salinger Privacy, a boutique specialist in the privacy consulting space.

“It's a shift to a more proactive mindset and thinking about privacy before you start a project and during a project rather than at the ending going oh shit, what are we going to do and have we thought about privacy? Which is probably historically the way people have done it,” Jenner comments. “It's also about shifting from a compliance mindset, where you’re thinking ok, we're getting away with the bare minimum here, to being more preventative and proactive around it.

“And it’s a cultural shift towards being more respectful that the data is not yours at the end of the day; people's personal information is their personal information. Yes, there's a value exchange there and people are willing to give you that access, but you have to value and respect that.”

Leading Big4’s efforts are its GM of finance and admin, who oversees broader risk and audit, as well as an inaugural privacy officer – its head of loyalty and retention.

“We have a loyalty program with 300,000 members, which is our most significant data resource, so that made sense,” Jenner says. “We also had champions at the leadership table to really drive this. It's clearly everyone's responsibility, and part of this is building that cultural ownership. Just because you have a data privacy person, that doesn’t mean you abdicate your responsibility.”  

The good out of the bad cyber situation

For Jenner, a silver lining to come out of Australia’s high-profile data and cyber breaches of recent years, such as Medibank, Optus and Latitude Financial, is heightened awareness and the shift across a lot of businesses to recognise data and cyber as a whole-of-business risk.

“One of the toughest things and it relates to the cyber piece as well, is that for all the work you do, you still need to work under the assumption you can and possibly will be exposed at some point,” he says. “Particularly from a privacy perspective, you need to be able to look your customers in the eye and say, did we act in your best interest as much as we could have? Did we only get the data we needed? Did we deprecate the data and destroy the data we didn't need?”

One of the many overlooked ways data privacy can be compromised is data sharing between staff.

“Staff may have the right intentions by just flicking you an email with this extract that has 50,000 customer records on it that we should be managing carefully,” Jenner says. “Or we might still have membership forms people fill out and send in still in writing. Do you stick that in a storage box or cage and how long do we keep those? So a lot of things we learnt were human in nature.”

Systems and tech have nonetheless been critical to privacy improvements. Tools put in place cover password sharing as well as Microsoft Purview, a data protection solution which can identify if personally identifiable (PII) data is sitting on people's systems and being shared, and notifies an administrator if it’s being exchanged in a way it shouldn’t.

“But you’re still reliant on other partners as well,” Jenner continues, adding he’s certainly had times where he’s paused and reviewed partnerships with his sharpened privacy-first lens.

“What surprised me only 12 -18 months ago was we were working with a media owner on a promotion – essentially an email gathering opt-in to Big4. At the end of the promotion, they just sent us an email with a spreadsheet of 25,000 names and email addresses on it,” he recalls. “That’s not really a cool thing to do in 2023. I don't think it was malicious, but that is what’s happening without intent. The good thing was the two or three of us who got that email knew that wasn’t an appropriate way to be sharing customer data. We now have tools in place that would now pick that up and flag it’s not being housed or shared appropriately.”

Ultimately with any partnership, you need to make sure anything you do is compliant, particularly if you're using customer data with one of your partners.

“We were in the process of renewing a three-year-old agreement with one partner and we caught an issue in the contract. We noticed the way it was written meant this partner could have access to our database. It wasn't written with the intent they could do something malicious, it was more about giving them access to utilise it to send emails through our database with a partner offer for that brand. That passed muster when we signed the agreement three or four years ago. But now we pick that up and go no, they're not getting access to our data. They will have the ability to contact our members on these terms, in line with our policies and procedures.”

Customer loyalty data collection

Another area of scrutiny in a tighter regulatory environment will be customer loyalty data and collection. While Jenner says Big4 hasn’t historically collected overly sensitive data, it still helps to build a mindset that questions every data point collected. This mindset led to the decision to not collect full date of birth to improving profiling ability.

“Initially, the conclusion we jumped to was just adding in full date of birth. But we caught ourselves and ended up making it month and year only, as well as opt-in,” he explains. “We recognised getting a year of birth may be enough, or potentially month of birth, if we want to be able to do promotional and tactical things around people's birthdays. Just because the default is to get date of birth, doesn’t mean you should.

“It’s about erring on the side of caution and trying to think more in favour of the customer. We also don’t want to make it a barrier through a joining experience or e-commerce conversion experience where we’re giving people pause to go well, I don't want to give them my date of birth so I’m transacting with you if you make that mandatory. You have to be clear in explaining why you're using it or, or how it's going to be protected.

“People have a much greater consciousness about giving out their data. I know personally, I used to give away data without a second thought. Whereas now, we know our customers are asking themselves why a brand would need that data and what do they want it for? They’re asking: Why should I be giving it to you, and do I trust you?”

It's also making sure you're clear when you're collecting data in the first place. “And it’s also trying to do it in a much more transparent way, rather than 15 pages of T&Cs no one's ever going to read and can't interpret anyway,” Jenner says.

Big4 has recently reviewed its privacy policy and fine-tuned it. “While it could still be clearer or simpler, it definitely is a good step forward on from where it was,” he adds.

R.E.S.P.E.C.T

For Jenner, privacy by design goes well beyond ticking that consent box. “There's also just common sense and respect in the piece,” he says. “It's asking ourselves: Have we been thoughtful and respectful in the data we're capturing in the first place, then how, when and why we're using it?

“It's still being pragmatic too – no one gets an award for being the most compliant person. You don't want to swing the pendulum so far you become paranoid, too cautious, and don’t … get the best value from the initiatives you’re trying to build.”

Thanks to efforts to date, Big4 has met its goal of advising the board to take privacy off the out-of-appetite risk list.

“That’s a reflection of the progress we have made. The flip side of that is you don't want to lower the scrutiny and prioritisation of it,” Jenner says. “For us, it’s also about starting to be more forward looking so we anticipate the legislation coming. We've already done quite a bit around that, but it's making sure that doesn't come as a shock.”

Jenner’s top advice for other brands is to act in the interest of the customer. “Stripping everything else aside, and the governance, compliance, regulation and punishment, if you've been thoughtful in how you collect, manage and use customer data, that's a really good starting point,” he says.

“The unintended consequence of these horrible hacks over the last couple of years is creating a consciousness both as corporate citizens but also personally. That's made it real for everyone.

“It’s also about how you respond if and when it happens. There's obviously been examples where brands haven't been as great in their response. Transparency is the keyword and it’s better to be siding with the customer where you can.”

Getting prepared: Salinger Privacy

Salinger Privacy principal, Anna Johnston, sees the capability to operationalise compliance with the Privacy Act as a huge gap for many organisations, and one increasingly posing a bottom-line risk. 

“Privacy compliance cannot be seen as the job of just one person, it’s not a tickbox exercise, and it can’t be automated,” she warns. “Companies need to have a really robust privacy management program to set the foundation stones for compliance. On top of that, you need work programs for different functional areas. 

“You also need to have a baseline level of understanding, across all staff who handle any personal information. It’s not just what the privacy rules are, but the scope of data to which the privacy rules apply. We see time and time again people working with data in critical roles who have never been taught the definition of ‘personal information’ is really broad in its reach.  It’s not what tech vendors call ‘PII’. It’s not ‘private’ data. It’s not only readily identifiable data.

“You can’t avoid the privacy rules by applying some basic de-identification techniques and thinking you are now exempt. Privacy understanding is not something staff are going to learn by osmosis; they need to be explicitly instructed about rules for collecting and handling personal information, and what ‘personal information’ does and does not include.”

On a positive note, since the Optus and Medibank data breaches in 2022, Johnston reports a steady rise in demand for advisory and training services, as well as compliance resources for smaller organisations. 

“Some of that is organisations checking their BAU is up to scratch, while others are getting on the front foot anticipating and preparing for the reforms signalled by the Federal Government,” she says.

“Health, government and non-profit clients tend to be starting from a baseline of a more sophisticated understanding of the existing privacy rules and their challenges than some of the big businesses we have dealt with. Privacy maturity is not necessarily a reflection of an organisation’s total budget, but perhaps more a reflection of their organisational culture. Some organisations and sector intuitively ‘get’ good personal information handling practices means lower cyber risk and better customer outcomes. Others are yet to get the memo.”

While she’s not surprised by many of the proposed privacy law amendments, Johnston suspects many businesses will be. She summed up the 116 proposals for reform into one theme: “Radically shifting the risk arising from personal information handling practices”.

“It’s taking the risk and responsibility and hassle off individual consumers and citizens, and putting the responsibility for good data hygiene – and the risks arising from poor privacy practices – squarely back on to the shoulders of the organisations which collect, use and profit from our data.  That is only fair, and it is well overdue,” she adds.

Salinger’s seven steps to prepare for the Privacy Act reforms:

1. Update your enterprise risk framework to reflect new penalties and community expectations.
2. Conduct a maturity assessment to establish your baseline and identify program gaps.
3. Update data asset inventories to reflect expanded scope of information to be regulated.
4. Nominate a senior employee to be responsible for delivering the privacy management program.
5. Revise documents and procedures, including your Privacy Policy, collection notices, consent requests, data retention schedules, Privacy Impact Assessment (PIA) Framework, and protocols for responding to individual rights.
6. Implement change management including FAQs and other comms, all-staff compliance training, Privacy by Design training for product development teams, and PIA training for project managers.
7. Conduct a gap analysis and build a risk-based work plan, focusing on ‘high privacy impact’ areas first.