Australian organisations sleepwalking into non-compliance as new privacy laws come into force
Monday 3 March 2014 — Many organisations will not be fully compliant with the new privacy laws which come into force on March 12 and are ill-prepared for the implications, EY said today.
EY Risk Partner Charlie Offer said that organisations have not historically had the regulatory pressure to keep their privacy practices up to date and are likely to be caught short by the increased powers of the Office of the Australian Information Commissioner (OAIC).
“If you haven’t started preparing, start now,” Mr Offer said.
“The Commissioner will have ACCC-like powers to launch investigations that will potentially result in fines of up to $1.7 million.
“However, the negative publicity resulting from an investigation will be far more significant in terms of reputational damage and loss of customer trust.
“Investigations can be launched without a complaint or even any suspicion of wrongdoing.
“This contrasts with the current situation where an investigation requires a complaint and is then limited to looking at that complaint only.”
The OAIC is responsible for monitoring compliance with the new legislation but has limited resources to perform audits and in-depth investigations.
Mr Offer believes that the Commissioner will seek to make examples of those who cannot demonstrate how compliance has been achieved, which is a key requirement under the new regime.
“The Commissioner can bang on the door and demand that you demonstrate how you have achieved compliance; if you can’t then you are in breach.
“The important point is that it will be much more efficient for the Commissioner to demand evidence of compliance than to spend time investigating and proving non-compliance,” Mr Offer said.
The Commissioner has stated that the new requirements represent only incremental changes to the current regime and that he will be unsympathetic to breaches identified by an investigation given all organisations should already be compliant.
Mr Offer said that the Commissioner is significantly underestimating the remedial work many organisations need to do.
“We see a large number of organisations where privacy compliance initiatives have been leapfrogged by the explosion in the collection of personal information and the proliferation of this data internally and to third parties,” Mr Offer said.
Who should care?
Higher risk industries that handle lots of customer information are likely to be initial targets of OAIC activity. These industries include telecommunications, utilities, financial services, and direct marketing.
Mr Offer also said that medium-sized enterprises will likely be scrutinised more closely than the top end of town.
“If the Commissioner goes after the big players the action could get tied up in court and delay any definitive outcome – making mid-tier operations a more attractive target to help drive broader compliance,” Mr Offer said.
How should you prepare?
The most important step organisations can take ahead of the new laws is to prepare a response plan for a potential request from the OAIC, a corporate customer or an individual.
The response plan should include documented evidence that:
- a program has been started to assess current practices around the use and handling of personal data and a plan to remediate where required.
- there is “tone from the top” support for the program, and involvement of all impacted roles: while privacy is a risk that needs to be effectively managed by the business, Legal, Compliance, IT, Marketing, and Risk/Internal Audit may all have a role to play.
- frontline staff have been informed of the changes, and given pragmatic advice as to what the changes mean, and reminders of their privacy and security obligations.
“Organisations need to be aware that these changes are imminent and if they don’t act fast they risk feeling the wrath of a regulator looking to get some early runs on the board,” Mr Offer said.
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
This news release has been issued by Ernst & Young Australia, a member firm of Ernst & Young Global Limited. Liability limited by a scheme approved under Professional Standards Legislation.
Ernst & Young Australia
Tel: +61 3 9288 8108 or 0415 835 634