In a recent panel discussion I was asked to comment on the role privacy practices play in cyber risk, and how to uplift maturity.
These were some of my reflections.
Data equals risk
The more data you hold, the bigger your exposure when you are attacked. Over-collection and over-retention of data are the most common problems we find when we conduct Privacy Impact Assessments and privacy compliance reviews. So good privacy practices like collection minimisation not only address your compliance obligations, they also shrink the amount of data an attacker can get at, and so lower your cyber risk profile.
Tips from our Checklist of Common Privacy Risks and Controls include:
- Ask for age range, or year of birth, instead of date of birth
- Separate out what is necessary for the first stage in a process, compared with what might be needed at a later stage; for example an application form for a grant should focus on eligibility criteria, while the applicant’s bank details will only be needed after they have been approved for a grant
- Avoid collecting evidence of identity details. If you genuinely need to identify someone, choose the least intrusive option out of: sight only, sight and verify, record fact of sighting, record fact of verification, or record minimal details.
Know your customer … but understand that comes with legal obligations
We see huge variance in data literacy and maturity across organisations. If your staff don’t know what data is in scope for privacy regulation, or what the privacy rules are, they are placing your organisation at risk.
I can’t tell you the number of times we are told “don’t worry the data is de-identified”, when, frankly, it’s not even close.
And if teams handling data don’t understand that data capable of ‘singling out’ an individual is already in scope for privacy regulation, then your organisation may be in breach of the Privacy Act without realising it.
According to a recent research report from the Consumer Policy Research Centre and UNSW, “Most Australians either don’t know, or think it unlikely, that ‘pseudonymised information’ (70%), a ‘hashed email address’ (60%) or ‘advertising ID’ (50%) could be used to single them out from the crowd”.
But these data points can be used to link up data about people, build profiles and facilitate targeting of them as individuals.
The legal test for identifiability is not whether or not you can figure out a person’s name or legal identity; it is whether one individual can be “distinguished from other individuals”. If your system can single out people to interact with them at an individual level, you’re handling personal information – and that means that all the privacy rules apply.
So if the majority of Australians don’t know that they can be ‘singled out’ via a hashed email address, device identifier or other pseudonym, you can bet that a fair chunk of your colleagues – yes, even the ones working in IT, marketing, research and product development where this stuff is critical – also struggle with these concepts.
If your teams don’t understand the scope of the definition of ‘personal information’, then they also don’t understand when to apply privacy rules to the data they are handling. Along with upping your privacy compliance risk, putting undue faith in de-identification or pseudonymisation leads to sloppy data security practices … which increases your cyber risk too.
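To make the ‘singling out’ point concrete, here is a small added example (not code from the article or from any organisation it mentions). Two organisations each drop the email column and keep only a SHA-256 hash of it, and believe the extract is de-identified. The records, addresses, organisation names and keys are all constructed for illustration. The example shows three things: the shared hash joins the two extracts into a profile of one individual; anyone holding a list of candidate addresses reverses the hashes by simply hashing their list; and a keyed HMAC under a secret held by one party breaks cross-party linkage, although it still singles people out for whoever holds the key.

```python
import hashlib
import hmac

# Everything below (addresses, records, keys, field names) is constructed for
# illustration and is not drawn from the article.


def normalise(email: str) -> str:
    """Case and whitespace normalisation, as 'hashed email' matching pipelines do."""
    return email.strip().lower()


def unsalted_token(email: str) -> str:
    """The common (weak) approach: plain SHA-256 of the normalised email. It is
    deterministic, so every party that hashes the same address gets the same token."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held by one organisation. A party without the
    key cannot reproduce the token, so cross-party joins and dictionary attacks fail."""
    return hmac.new(key, normalise(email).encode(), "sha256").hexdigest()


# Constructed "de-identified" extracts from two organisations. Each has dropped
# the email address and kept only its unsalted hash.
RETAILER = [
    {"token": unsalted_token("alice@example.com"), "segment": "high-spend", "postcode": "2000"},
    {"token": unsalted_token("bob@example.com"), "segment": "lapsed", "postcode": "3000"},
]
AD_PLATFORM = [
    {"token": unsalted_token("Alice@Example.com "), "ad_clicks": 42, "device_id": "ifa-7f3a"},
    {"token": unsalted_token("carol@example.com"), "ad_clicks": 3, "device_id": "ifa-11b0"},
]


def link_records(left, right):
    """Join two extracts on the shared token. Every match is one individual who has
    been distinguished from everyone else across both datasets: personal
    information under the 'singling out' test, even though no name is present."""
    index = {r["token"]: r for r in right}
    return [{**row, **index[row["token"]]} for row in left if row["token"] in index]


def reverse_tokens(tokens, candidate_emails):
    """Dictionary attack: hash every address you already hold (a mailing list, a
    breach dump) and look the tokens up. Email addresses are guessable and the
    hash is unsalted, so the 'pseudonym' protects nothing against this attacker."""
    lookup = {unsalted_token(e): e for e in candidate_emails}
    return {t: lookup[t] for t in tokens if t in lookup}


def keyed_link_count(emails_a, emails_b, key_a: bytes, key_b: bytes) -> int:
    """How many people two parties can link when each tokenises with its own key.
    Equal keys reproduce the unsalted linkage; distinct secret keys break it."""
    tokens_b = {keyed_token(e, key_b) for e in emails_b}
    return sum(1 for e in emails_a if keyed_token(e, key_a) in tokens_b)


if __name__ == "__main__":
    for profile in link_records(RETAILER, AD_PLATFORM):
        print("linked profile:", profile)
    known = ["alice@example.com", "bob@example.com", "dave@example.com"]
    print("recovered:", reverse_tokens([r["token"] for r in RETAILER], known))
    shared = ["alice@example.com", "bob@example.com"]
    print("linkable, one shared key:", keyed_link_count(shared, shared, b"k1", b"k1"))
    print("linkable, separate keys:", keyed_link_count(shared, shared, b"k1", b"k2"))
```

Run it and the retailer’s ‘high-spend’ segment lands next to the ad platform’s click count and device ID for the same person, and both retailer tokens come straight back out of a three-address candidate list. The keyed variant is the usual mitigation for sharing, but note what it does and does not do: it stops an outside party joining or reversing the tokens, and it does nothing to change the fact that the organisation holding the key is still handling personal information about identifiable individuals.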
Ignorance of the law equals risk
Following on from the point above, make sure your business is not built on shaky assumptions like “we’re OK to share our customers’ data because we hashed the email address”, or “we’re OK to collect this data without consent because we scraped it from the public domain”, or “we’re fine, we got our customers’ consent to data sharing by making them agree to our Privacy Policy”.
These are common misunderstandings about privacy law, but they have been debunked repeatedly by the OAIC. Don’t let your organisation risk profits or reputation by repeating the mistakes of others.
‘Notice and consent’ as a regulatory model – and business process – is dead
A key theme of the coming Privacy Act reforms is to shift risk off your customers and back on to your organisation. Expect the reforms to include a ‘fair and reasonable’ test on top of the existing privacy principles (which you can’t ‘notice and consent’ your way out of); mandatory Privacy Impact Assessments for high-risk projects; and senior management accountability for ensuring you can identify and manage privacy risks appropriately.
So the time to mature your privacy management program is now.
Top tips for how to uplift privacy maturity in your organisation – on a budget
Don’t let privacy compliance responsibility be an orphan. If you don’t have a Chief Privacy Officer, bring together IT, infosec, legal, risk, compliance and data.
Download our free Privacy Management Handbook, to understand how to build a robust privacy management program. It covers everything from first steps and establishing processes to managing risk and what to do when things go wrong. Plus how to spread the privacy message internally, and look after your own professional development.
If your organisation is regulated by the Australian Privacy Act, bookmark our hub of resources to understand the Privacy Act reforms, and download our handout on Seven steps to prepare for law reforms.
And finally, implement org-wide privacy compliance training as the minimum!
Privacy training should be an essential plank in your cyber security strategy – but this is not the same as your standard infosec ‘don’t click on links’ training.
All staff need to know the basic rules for handling information about people. Co-designed by privacy and L&D experts with over 20 years’ experience, and with a fresh contemporary design, our privacy compliance training is engaging and effective – because we know what works. Grab it off-the-shelf, or have it branded or customised further.
Plus select teams, such as those responsible for product development or business process design, need to learn about Privacy by Design.