Privacy Commissioner Carly Kind was “surprised” – read underwhelmed – by the first tranche of Privacy Act legislation laid before parliament last month. But she says the hard stuff is still coming after the election, which means businesses now diverting budgets away from compliance to other activities may regret it, especially as the regulator has sharper teeth. Kind says firms are failing under the current Privacy Act – and they are in the regulator’s crosshairs. Tracking pixels are under serious scrutiny across the piste, as are companies using data beyond what it was collected for and potentially passing it to third parties.
In that vein, Kind has “existing concerns” about loyalty programs, customer data enrichment businesses and data broking: “It's something I'd like to look at again under the current framework,” she says, suggesting those operators “make sure that they're watertight”. Likewise firms targeting via geolocation: “We’re looking at a case at the moment … We have some real concerns about how it's being used.” Lookalikes, customer audiences, hashed emails and data clean rooms appear to be in the clear. But under the next wave of reforms “the changing definition of personal information could certainly have an impact,” she says, though for now it’s not clear-cut.
In the meantime, Kind says there are four areas for businesses to laser in on – including small firms who will no longer be exempt from regulation.
First, “know what data you hold and who you’re giving it to.” Second, “make sure you've got a retention and destruction regime in place – anything that’s old, you don’t need to hold it any more.” Next, get into the weeds on contracts with third-party service providers and be sure to have a data breach response plan in place. “It's an area of vulnerability we're seeing a lot at the moment,” says Kind.
In short: “Don't take your foot off the gas, because we're looking to take a more enforcement-based approach to regulation in the interim.”