How to Prepare for Upcoming Privacy Law Changes

If you stop someone in the street and ask them what they know about privacy law, you’ll likely get a blank stare. But if you ask them whether they remember any recent data breaches or if they have concern about the way companies handle their personal data then you will probably get a completely opposite response.

The world has changed a lot since 1988 when Australia last considered privacy legislation and the government is now on a mission to bring laws up to speed with the digital age we all live in today. In early 2023 the Attorney General released his review of the Privacy Act 1988, a 300+ page report with 116 proposed changes to Australia’s privacy laws that represent an imminent, and very significant, change to the way businesses need to approach Pii data.

Privacy on my mind

The 2023 survey results on Australian Community Attitudes to Privacy by the Office of the Australian Information Commissioner (OAIC) revealed just how significant a concern Privacy is.

The last few decades have seen drastic changes in the way personal information is stored and handled. Whilst many other jurisdictions have introduced legislation to handle these changes and safeguard against abuse (notably the GDPR in the European Union), Australia has lagged behind.

With the amount of personally identifiable information (PII) that businesses and government agencies have on Australians, it’s high time that organisations take privacy concerns seriously.

So, who should pay attention?

Every. Australian. Business.

To draw a quick parallel with the GDPR privacy laws in the EU, eighty-eight percent of global companies say that GDPR compliance alone costs their organization more than $1 million annually, while 40% spend more than $10 million.

Ultimately, failure to comply with GDPR resulted in fines for organisations, from smaller ones like €4,800 penalty for an unlawful CCTV system in Austria, to the hefty €50 million fine to Google for processing personal data without receiving valid consent from users.

So, if there’s something to learn from our EU counterparts, the question is not whether you should pay attention to these changes. The question is how quickly can you prepare for them. The reality is that stricter privacy laws are coming and it will pay to get ahead of them early.

How should organisations prepare?

Unless you already have strong data privacy policies, processes and infrastructure set up in your organisation, getting up to speed is likely to be a major, multi-year project. This will see impacts across systems, processes and people.

You can think of it as a four-step process:

  1. Current state audit

  2. Future state definition

  3. Roadmap development

  4. Implementation work

Keep in mind that this must include a comprehensive analysis of the systems used, e.g. HR systems, CRMs, analytics and advertising platforms, marketing automation platforms, and more. Basically, if a system holds PII belonging to your organisation’s staff or your customers, it needs to be audited.

You may ask: “We don’t know what the laws look like yet, is this really worth it?” And the answer is yes. Completing this audit will help you understand what you are dealing with. This is something you can do right now to help frame how much of a challenge you will face to comply with the proposed new laws.

We Can Help

Revium is an ISO 27001 certified digital consultancy that is deeply familiar with best practices in data protection, cyber resilience, and the management of security assets. In addition to our ISO 27001 certification, we have a membership with The Association for Data-Driven Marketing and Advertising (ADMA) and hold the Data Trust Mark certification.

We have a structured approach to help organisations prepare for the upcoming Privacy Law changes. We offer a Privacy Law Preparedness Audit (PLPA) that involves a two step process.

Privacy Law Preparedness Audit (PLPA)

STEP ONE: Threshold Assessment

This is an initial high-level assessment exercise to get an indication of where your organisation stands in the spectrum of readiness for the privacy law reforms.

It consists of:

  • a survey to be completed by relevant stakeholders,

  • a workshop with key stakeholders,

  • the delivery of a final Threshold Assessment Report

At the conclusion of this assessment you will know how significant the audit task will be. You would also have a view of areas of risk in terms of current laws and future-state laws.

STEP TWO: Full PII Audit & Report

Based on the Threshold Assessment, a full audit will be conducted to find all the PII interactions in your organisation. This will include:

  • Systems Review

  • Contract Review

  • Policy and Procedure Review (incl. Data breach processes and tools review)

  • Existing security Mechanisms Review

  • Marketing Processes Review

  • Employee data consent review

  • Detailed data map

  • Delivery of a full Pii Audit Report with next step recommendations

At the conclusion of this step you will have a comprehensive view of your current Pii data systems, processes and handling as well as a detailed view of areas that require remediation in the immediate term and those that will need to be addressed to comply with the upcoming stricter regulations.

Don't Wait

Getting started on reviewing your preparedness to meet the new privacy laws now will give your organisation a head start when reforms come into practice. If we learn anything from the GDPR implementation, it is that preparing early will deliver a serious competitive advantage when the new laws come into effect.

For more information on PLPA and how we can improve the data security of your business, you can reach out to the Revium team here.