Don’t wait for the POLA Bill to pass before you get cracking: it’s time to get your house in order now.
For a while now we have been talking to our clients about the seven steps to prepare for law reform, but with these particular reforms split into two tranches, seven steps unfortunately becomes seven steps with one of them done twice.
5 things to do now
1. Update your enterprise risk framework
Ensure that your senior executive team understands the risks posed by the significant penalties now in place, and by heightened community expectations about the importance of protecting personal data. They should also be briefed on the overall direction of the reforms, which is to shift responsibility for privacy protection off individual consumers, and squarely on to the shoulders of organisations holding personal information.
2. Nominate a senior executive as privacy champion
APP 1.2, known as the Accountability principle, requires entities to establish and maintain an effective privacy management program. The OAIC calls this the ‘bedrock’ privacy principle. So your second priority should be to nominate a senior employee to be responsible for privacy program uplift. The senior executive team should be choosing more than just a risk owner: this is the person who will drive the enterprise-wide response to legislative reform.
3. Conduct a privacy maturity assessment
This is not yet about testing your personal information handling practices, but about stress-testing the current state of your privacy program. Think of it as a compliance review, but only in relation to APP 1.2.
A privacy maturity assessment should:
- gauge the ability of your privacy management framework to achieve legal compliance, and to support business strategies or goals
- benchmark where your organisation sits, compared to regulatory expectations or industry practice, and highlight the areas for improvement, and
- set a baseline measure, so that progress can be demonstrated over time via repeat assessments.
Needless to say, this step includes addressing any identified weaknesses ASAP.
4. Update (or create) your data asset inventories
Ensure that in identifying your personal information holdings, you have appropriately reflected the scope of information regulated.
In other words: don’t skip past those datasets someone has described as ‘de-identified’. Follow the privacy rule of thumb: if it contains information about individual human beings, start from the assumption that it is ‘personal information’ in scope for your privacy program.
5. Conduct a gap analysis
A gap analysis is where you review your existing practices, and check what the ‘gap’ is between those practices and what the new law says they should be. But with the new enforcement powers and infringement notice tools for the OAIC, don’t wait for the Tranche 2 reforms to surface: check your compliance with the rules as they stand today!
In other words, conduct a compliance review to audit your organisation’s practices against APPs 2-13. The results of your compliance review should feed into a work plan to uplift practices.
All of this can – and should – be done now.
What to do in anticipation of further reforms
Conduct a second gap analysis
Once we know what Tranche 2 looks like, repeat step five: refresh your gap analysis, and update your work plan.
If you don’t have the capacity to review all practices across the whole enterprise, be strategic about your efforts. Focus on your highest risk areas: certain data types, use cases, and systems should be prioritised.
The OAIC and other regulators offer guidance about what is considered ‘high privacy impact’, which we have synthesised into a set of factors in our template Privacy Impact Assessment Framework.
Examples include:
- Certain data types: home in on anything about children or other vulnerable populations, location data, ‘de-identified’ data, and biometrics including facial recognition
- Certain systems: focus on CRMs, HR systems holding employee records, and enterprise data warehouses
- Certain use cases: check out what’s happening with automated decision making, secondary use for research, direct marketing, data matching, data brokering, and online tracking, profiling or targeting
- Certain processes: examine new product development and project management processes, and consent management processes
- Use of contracted service providers, and
- Transborder data flows.
In particular, consider how business practices might be affected by three likely changes: any change to the scope of data regulated (for example, if the employee records exemption is abolished, or if you have business practices which rely on data being ‘de-identified’ to escape regulatory reach); a strengthening of the elements required for a valid consent; and the introduction of a ‘fair and reasonable’ test.
Steps to take following any change
Whether prompted by legislative change, or the results of a maturity assessment or compliance review, if you have identified gaps in your privacy program then there are two final steps to take.
Revise privacy-related documents and procedures
This includes updating your Privacy Policy, collection notices, consent requests, data retention schedules, PIA Framework, and protocols for responding to individual access and correction (and potentially erasure) requests.
Implement change management
Change management includes FAQs and other communications, all-staff compliance training, Privacy by Design training for product development teams, and PIA training for project managers.
The privacy team at Helios can assist you with privacy maturity assessments, gap analyses and compliance reviews, as well as privacy training from foundational compliance to embedding ‘privacy by design’. Contact us to find out more.
Plus the full suite of templates, checklists and other resources is available in our Compliance Kits.