Common Approach to Privacy
Almost every organisation collects some form of personal information. As businesses acquire more customer and stakeholder information, and find new ways to use the data, how can they ensure that the privacy of their customers is protected?
So, what else should organisations be doing?
A Better Approach to Privacy
Adopting a “privacy-by-design” approach to collection, use and handling of personal information is the most efficient way to stay on top of privacy obligations and expectations. This approach requires privacy to be incorporated into business planning, project design and objectives, and staff training. Put simply, organisations need to integrate privacy considerations into every aspect of their business to ensure proper privacy compliance. While this sounds like a lot of regulatory red tape, experience shows that this approach is more efficient than retrofitting compliance.
Below we outline some steps you can take towards adopting “privacy-by-design”.
1. Organisation-wide Privacy Culture
Good privacy compliance stems from a culture of privacy where everyone, from the leadership team, including the board, down to each employee and contractor, understands the value of personal information.
Too often privacy is put on the back burner until it is forced into the spotlight by a data breach or customer complaint.
Business leaders can create and support a privacy-centric environment where everyone is trained in privacy practices. Protection of customers’, employees’ and other stakeholders’ personal information is key. At a minimum, employees and contractors need to know:
- how to identify and properly manage personal information;
- the privacy issues that arise in their specific role and when to escalate them (especially if there is a data breach); and
- the name and contact details of the Privacy Officer and his or her responsibilities.
Without a culture of privacy, organisations may fail to identify privacy issues, risking loss of customer or stakeholder trust and reputational damage.
2. Comprehensive Privacy Management Framework
A Privacy Management Framework is the label given to the development and systematic implementation of robust privacy practices and procedures.
Effective Privacy Management Frameworks address:
- correct handling of personal information throughout the information lifecycle;
- information privacy security controls; and
- responses to customer privacy enquiries and complaints.
These frameworks also ensure compliance with regulation and promote regular policy and procedure reviews with updates as business practices evolve.
A Privacy Management Framework arms an organisation to address business risks, such as breaches of Australian and international privacy law, disruption to business and loss of customers.
3. Regular Use of Privacy Impact Assessments
Australian and overseas regulators recommend that organisations undertake a Privacy Impact Assessment (PIA) whenever new activities, initiatives or technologies are introduced that affect the treatment of personal information.
PIAs are a practical tool used in “privacy-by-design”. PIAs are an integral part of any project planning process and privacy compliance as they:
- help shape the development of projects;
- lead to the adoption of alternative, less privacy-intrusive practices; and
- reduce the likelihood of valuable resources being invested into initiatives with poor privacy design.
Failure to conduct a PIA may have a significant impact on business, including negative publicity if a project fails to meet customer expectations about how personal information will be protected.
Organisations must adopt an organisation-wide approach to privacy that:
- encourages a strong privacy-aware culture to facilitate employee understanding;
- adopts, frequently reviews and updates its Privacy Management Framework; and
- regularly uses PIAs to identify and shape the organisation’s response to new privacy issues.