Last week’s IAPP ANZ Summit 2022 in Sydney was a great event. Better still were the conversations that put a spotlight on the growing importance of privacy and data protection to the Australian community. To me, the key takeaway from the summit was clear — Aussie organizations are now on notice to “clean up” their data holdings and not retain personal information unless there’s a “bloody good reason.”
For the record, the “bloody good reason” line is entirely my invention. But from my vantage point at Summit, most speakers and commentators were singing from the same song sheet, with the chorus ringing out loud and clear — Australian regulators expect organizations to start cleaning house. And quickly. Unless, of course, they want to be on the wrong end of an Optus-style breach or put themselves squarely in regulators’ sights.
For those not from the “Land Down Under,” Optus is one of Australia’s major telecommunications providers. Following a cyberattack in September, hackers exposed millions of Optus customer records, including passports, Medicare numbers and other personal identifiers. In my “fireside chat” with BigID Sales Manager Tim Roughton at ANZ Summit 2022, he mentioned an article I wrote for the IAPP — Fines, Flossing and Films. He even used the term “prophetic.” And no, I didn’t pay him for that shout out, but I would have done so willingly. Paid him, that is. Again — for the record.
He made the comments in relation to my article — and musings that increased fines for Privacy Act breaches to AU$10 million would, no doubt, send shivers down corporate Australia’s collective spine. Those shivers may soon turn into convulsions with the Australian federal government’s quintupling of fines to a staggering AU$50 million. Collective shivers aside, I stand by my remarks that fines are akin to “sugar hits.” They can make headlines, but the real test is whether they can impact corporate behaviors at the digital coalface and over the long term.
Fines and similar tools will struggle to fundamentally change the hearts, minds and staff behaviors, which are, by my calculations, the single biggest cause of data breaches in Australia. I strongly believe privacy programs should focus on training and awareness, minimizing human error and helping front-line staff understand how data breaches can ruin people’s lives. Most importantly, core messaging should be about victims of identity theft and ransomware attacks. They are like you, me, our families and those we love. Empathy plus awareness equals a likely reduction in human error and data breaches.
In our fireside chat we also discussed how Australian businesses and other entities can “eat the data elephant.” Again, this is only my personal take, but I think that data inventories are job number one. It’s going to be a daunting exercise for most Australian organizations — a virtual Mt. Everest involving scores of active and legacy systems, platforms and apps, network and cloud storage challenges, along with hundreds of other issues.
To name a few of those thorny issues: the perennial underfunding of records management and its fearsome evil twin, data destruction. Faced with uncertainty about how long to retain information, much less which of Australia’s interlocking regulatory regimes apply to a given record, many businesses toss these issues into the “too hard” basket. The result? “Save everything” meets “kick the problem down the road” to form an unholy union in Australia’s data dungeons. That begs a few questions, like how to tackle the data beast lurking within an organization’s digital walls? And how to do it in a way that won’t cost the earth, while hopefully putting your organization on a privacy-by-design trajectory? There’s no simple answer to these issues, only a risk-based approach.
As Roughton aptly pointed out in our chats, the starting point is to acknowledge the significant risk in the status quo. There are very serious risks in doing nothing, in not confronting the mountains of data organizations have hoarded over the years. Even if organizations adopt effective security and encryption measures, that doesn’t account for the ever-increasing risk of data breaches and threat actors clever enough to infiltrate a secure network and exfiltrate data. The EU General Data Protection Regulation data minimization principle makes it clear: less is more. It’s clear this approach has found a home with Australia’s regulators. Where does that leave the average business faced with trying to eat the data elephant?
My recommendation is to start with honest conversations about risks and ask why your organization is holding on to a given dataset. If the answer is “we’re not sure,” it’s safe to assume it won’t fly with regulators. At the same time, privacy professionals can use the “won’t fly” sentiment when getting pushback from stakeholders about the need to “bin” or delete data past its use-by date.
Truth be told, all organizations can make reasonable assumptions about their data and record sets, and then establish baseline rules that err on the side of caution (i.e. the longest reasonable retention period for an entire dataset or large swathes of it). What else? They can look to see if data sets haven’t been touched in years and, if so, put them into encrypted, password-protected digital deep freezes until the end of their retention periods. Then bye bye. At the same time they should annotate and chronicle every step in the process to gain a reasoned basis and arguments that will find sympathy not just with the privacy commissioner, but with any regulator, auditor or judge managing a discovery process.
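The retention triage just described, as an added example that is not part of the original article: a conservative baseline retention period is applied where nobody can say why a dataset is kept, datasets untouched for years go into an encrypted deep freeze until their retention period ends, expired datasets are flagged for deletion, and every decision is chronicled in an audit log. The inventory, dates and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Dataset:
    name: str
    created: date
    last_accessed: date
    retention_years: Optional[int] = None   # None: nobody can say why it is kept

def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def triage(ds: Dataset, today: date, baseline_years: int = 7,
           stale_years: int = 3, log: Optional[list] = None) -> str:
    """Return KEEP, FREEZE or DELETE and record the reasoning in `log`."""
    if log is None:
        log = []
    years = ds.retention_years
    if years is None:
        # No documented reason: err on the side of caution with the longest
        # reasonable baseline period, and record that it is an assumption.
        years = baseline_years
        log.append(f"{ds.name}: no documented retention period, "
                   f"applying {baseline_years}-year baseline (assumption)")
    expiry = add_years(ds.created, years)
    if today >= expiry:
        log.append(f"{ds.name}: retention ended {expiry}, DELETE")
        return "DELETE"
    if add_years(ds.last_accessed, stale_years) <= today:
        log.append(f"{ds.name}: untouched since {ds.last_accessed}, "
                   f"FREEZE (encrypt, restrict access) until {expiry}")
        return "FREEZE"
    log.append(f"{ds.name}: in active use, KEEP until {expiry}")
    return "KEEP"

# Constructed inventory for illustration only.
INVENTORY = [
    Dataset("crm-2015-export", date(2015, 3, 1), date(2016, 1, 10), retention_years=5),
    Dataset("support-tickets", date(2019, 6, 1), date(2019, 8, 1)),
    Dataset("payroll-current", date(2021, 1, 1), date(2022, 10, 20), retention_years=7),
]

def run(today: date = date(2022, 11, 1)):
    """Triage the whole inventory; returns (decisions by name, audit log)."""
    log: list = []
    return {ds.name: triage(ds, today, log=log) for ds in INVENTORY}, log
```

The log is the "annotate and chronicle" part: it gives each deletion a dated, reasoned basis that can be shown to a regulator or auditor later.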
We also need honest conversations about hidden costs. By that, I mean we need to call out and provide accurate accounting for all resources allocated to dealing with privacy issues, along with the likely costs of breaches. When I say all resources, I mean each and every cost — from forensics to legal and PR advice, to mail-outs and media buys, contact center staff upskilling and overtime, auditors and consultants, regulatory fines and litigation settlements, lost sales and long-term brand damage and the list goes on.
Not to be forgotten are internal costs, i.e., reasonable estimates of the time spent on managing privacy matters at all levels of an organization and ascribing hourly rates to those efforts. Think like lawyers and accountants toiling under a billable-hours scheme and adopt a rough hourly rate for your time, along with everyone dealing with privacy matters, from SMEs to records, IT, cybersecurity and so on. These may be “fixed costs,” but they are very real costs to any organization, and costs that could just as easily be allocated to other projects. If you make a point of accounting for those costs, you can use them as part of a best-practice privacy pitch. Say that ten times fast. In any case, you may be pleasantly surprised when the clean-out costs pale in comparison to the risk and subsequent costs of getting king hit by cyber criminals.
While I sit in my ivory tower, gazing out on our back yard and exhorting other privacy practitioners to up their game before the regulators come knocking, I recognize these tasks are always a work in progress. At the same time, I am painfully aware of my own shortcomings as I despair over the clutter of my garden shed and the bombsite masquerading as a home office. But works in progress can be made easier if you ask the right questions — like whether you really need three pairs of rusty, 10-year-old gardening shears, much less a digital version of them.