Five essentials for Australia's new privacy laws

In three weeks’ time new privacy laws will come into effect, marking a significant turning point for Australian businesses and the way they deal with customer data.

The Privacy Amendment Act, effective March 12, includes 13 new Australian Privacy Principles (APPs) that will apply to businesses with a turnover of at least $3 million, as well as government agencies.

Companies that fail to comply with the rules now potentially face penalties including enforceable undertakings or fines of up to $1.7 million per infringement.

Expanded powers for the Privacy Commissioner also mean firms can now be investigated as the Commissioner sees fit, where previously a complaint must have been made first.

Many businesses not yet compliant may be in for a rude shock when they discover just how much work they have to do. These straightforward steps will help get things up to speed.

1. Assess your customer data usage

DLA Piper IP & Technology group partner Alec Christie says the first step is to assess what customer data your business collects, for what purposes, where it’s stored and how you communicate with customers.

Given the breadth of touch points today, this could include sources ranging from online forms to recorded calls from a helpdesk.

While it may seem daunting, defining the scope of what you are dealing with can save your business time and resources in the long run, while ensuring nothing is missed.

Once the audit is complete, Christie recommends seeking legal advice to map your business against the new Privacy Principles.

2. Get your Privacy Policy in place

A key change under the legislation is the mandatory requirement for a Privacy Policy that’s tailored to reflect your business and is updated regularly. The policy must be “clearly expressed” in a way that is easy for consumers to understand – i.e. not in legalese.

Companies must notify customers if and when they are collecting and using information as soon as is practical, and also provide a clear process for opting out.

Association for Data-driven Marketing & Advertising chief executive Jodie Sangster says companies running out of time on compliance should get these documents in place first because they are the first thing the customer sees.

“Start with the front-facing consumer angle and work back from there,” she says.

3. Manage your data

Explore how technology can help you keep track of customer data through its life-cycle. Having a streamlined system in place will make compliance easier and will also mean less of a headache in the off-chance of an audit.

The number of tools and services available for managing this area is growing. For instance, some cloud service providers such as AC3 are building business models around not just hosting data but also understanding regulatory requirements and incorporating them into workflow and data management.

Hitachi Data Systems Chief Technical Officer APAC Adrian De Luca says one area of data management to watch out for is its disposal.

“If you look down at the Act and what it’s asking, it’s not just around collection and use but disposal,” De Luca says.

“We need to look at how technology can help us manage that information beyond the lifetime of its application.”

4. Train your staff

The APP guidelines recommend companies implement regular staff training on the Privacy Principles and their effects on the organisation.

ADMA's Sangster says this should be implemented company-wide so that customer data can be managed properly every step of the way.

“So many departments within a company will touch data and everyone in the company needs to know what part they play in the process,” Sangster says.

Hitachi’s De Luca also recommends appointing a Privacy Officer dedicated to overseeing your organisation’s use of customer data, even if it’s not a full-time role.

5. Be aware of the detail

Ultimately there’s no one-size-fits-all approach to tackling the new rules – it’s up to organisations to take note of any specific areas of the legislation that may affect them.

For instance, Christie says three areas where DLA Piper clients have voiced concern include notifying third parties about the use of data, ongoing liability if disclosing information overseas, and increased security and de-identification obligations.

Make sure you pay close attention to specific wording, too. For example, the definition of ‘personal information’ has broadened from data that is attached to a name, to now also including anonymous data with the potential to be linked back to an individual.