Would you like to submit a GUEST BLOG? If you have expertise in any aspect of cyber security and want to submit a guest blog to be featured by Shearwater, email: firstname.lastname@example.org
Organisations should embrace the change
Barely a week goes by without privacy breaches hitting the headlines. Whether our confidential data is compromised from private or public sector organisations, one thing is clear – none of us is immune.
Yet, despite all the publicity, organisations often fail to observe simple cyber security practices. Following straight-forward procedures, such as promptly running patches on known vulnerabilities, can substantially reduce the chances of a breach.
A culture of privacy awareness is required
Almost every organisation is a custodian of private data. It’s therefore incumbent upon all members within an organisation to make privacy central to their thinking about business processes.
In the course of my consulting work I have assisted organisations develop privacy policies and have seen too many cases of privacy being compromised because innovative people, acting with the best of intentions, overlook the need to think critically about how personal and sensitive information is handled at every step of its life cycle.
GDPR – The new high-water mark
With all major countries having implemented privacy regimes, the onus is on organisations to ensure they are compliant with regulatory obligations.
Australia has the Australian Privacy Principles (APPs), while in Europe the General Data Protection Regulation (GDPR), introduced in 2018, is forcing all organisations to consider privacy seriously, as never before.
In fact, the stricter GDPR is now relevant to Australian business as well. If any Australian organisation wishes to engage in commerce with anyone in the European Union, they too are obliged to meet the GDPR standards.
As a result, the GDPR is now the de facto high-water mark that many Australian companies strive towards. Achieving compliance with the GDPR usually also enables an organisation to comply with the privacy regulations of other major countries.
Privacy is not a burden – it’s about being customer centric
Don’t see privacy compliance as a burden or tedious box ticking exercise. Nor should privacy requirements be a roadblock to innovation.
When done properly, implementing a culture of safeguarding privacy provides an opportunity for organisations to keep all stakeholders focused on customers.
In every facet of the organisation, people need to ask the question:
Are we doing our customers good, or are we doing them harm?
Continuously asking this question is good business practice. Those that successfully implement policies to safeguard their privacy will be rewarded with long-term customer loyalty.
And that’s why strong privacy compliance standards and procedures make business sense.
Champion privacy with a privacy champion
Once compliance is achieved, the organisation needs to continue thinking about privacy as an ongoing commitment.
That’s why I believe every organisation should nominate one individual to be a privacy champion.
Whether this is a C-level executive or an in-house lawyer, is up to each organisation. However, the key is to have a dedicated individual on the inside who takes responsibility for looking at business processes holistically and considers privacy ramifications of every stage on an ongoing basis.
A privacy champion should be someone who:
- Understands privacy regulations;
- Is an effective communicator;
- Understands the importance of privacy protection to organisational reputation, and
- Participates in all relevant meetings and activities across the organisation in which handling of private information could be involved.
Larger organisations should consider appointing a dedicated Privacy Officer. Such an individual within the organisation would be responsible for privacy matters, including the creation of ongoing Privacy Impact Assessments (PIA) on various aspects of the organisation’s operations.
Whether conducted by an in-house person or outsourced, PIAs are essential whenever you’re intending to implement a large project – such as launching a new system or initiating a merger/acquisition – that will affect the handling of personal information.
Having a privacy champion will help create an organisational culture that reduces the risk of a privacy breach and maximises the chances of successfully navigating this new frontier of regulation.