A new era in privacy – maximising the commercial opportunities of privacy compliance

  • Share

Tuesday, 30 April 2013 — Australian organisations have less than 12 months before the onset of new privacy laws yet the majority haven’t begun to prepare.

Sweeping changes have been introduced by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. This means that by March 2014, all businesses need to consider how they handle personal data to avoid breaching the rules and risking fines of up to $1.7 million.

EY IT Risk and Assurance Executive Director Charlie Offer said the last changes to privacy legislation were made more than 20 years ago.

“To some, these changes might feel like we are playing ‘catch up’ but the landscape has changed dramatically with the explosion in personal data collected through mobile devices, social media and behavioural or location tracking technologies. The continued take-up of these technologies and proliferation of data through globalisation will continue to test the abilities of organisations to adequately comply with privacy requirements.

“However, successful businesses will not only ensure they comply with the new laws but also maximise the opportunities they present. This signals a new era in privacy,” Mr Offer said.

Mr Offer said that businesses should take the opportunity to refresh the way they look at privacy and identify opportunities to better use data held internally, as well as that available from other organisations.

“If considered from the very beginning, privacy can be used as an enabler, not a blocker. Smart privacy management allows organisations to use insights from data to better target, attract and retain customers or to improve the efficiency and effectiveness of service delivery.

“Good privacy management is about building trust in your brand. This means leveraging the opportunities of data collected by new technologies and analysed through ‘big data’ techniques, while staying within the parameters of privacy laws – and more importantly - customer expectations. Consumers are often happy to trade personal information for a free product or service but are turned off by organisations that are not transparent about how they then use that personal data.

“Rightly, consumer expectations around how companies deal with their personal information are rising, so the companies that are transparent with customers will be the winners, especially when it comes to trust in their brand.”

Mr Offer said while the changes had been a long time coming, the amendments didn’t go far enough to make a real difference and bring Australia in line with other major economies.

“Privacy laws aren’t uniform globally, for example, Australia’s new privacy laws are still not considered ‘adequate’ by the European Union, because of the exemption of employee data and issues around offshore data transfer. This means companies that have a global presence need to comply with laws from multiple jurisdictions. This is also important for companies that are offshoring, outsourcing or considering the use of Cloud technologies, given the angst around the flow of data overseas,” Mr Offer said.

Mr Offer said that companies should be addressing these three areas immediately:

  1. Organisations underestimate the extent and nature of personal information they collect and hold. The first step of any privacy programme is to identify all personal data currently held and analyse whether the organisation is sufficiently transparent about what they do with the data, and vitally, confirm that all activities are allowed by law.
  2. Business has also lost a clear line of sight over where data goes to. Organisations are increasingly dependent upon partners, vendors, suppliers and outsourcers - as well as third parties’ sub-contractors. The new regulations make clear that ‘out of sight should not be out of mind’ - and organisations remain liable for any breaches. Good privacy management includes gaining regular assurance that business partners are complying with requirements.
  3. In reality, some sort of breach is almost inevitable and too many organisations are failing to adequately prepare for this worst-case scenario. Experience has shown that how organisations deal with the aftermath of a breach can ‘make or break’ the relationship with a consumer. Smart companies have rehearsed incident management procedures that can be invoked to reduce the impact and severity of a breach for affected individuals, as well as the organisation itself.


About EY
EY is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. For more information, please visit www.ey.com

EY refers to the global organisation of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

This news release has been issued by EY Australia, a member firm of Ernst & Young Global Limited.

Liability limited by a scheme approved under Professional Standards Legislation.

Contact details:

Katherine Meier
EY Australia
Tel: +61 3 9655 2620 or 0417 859 323