Every other day we hear about a privacy issue, whether that be a data breach, the misuse of personal information by companies, or new privacy legislation. Privacy compliance is on everyone’s mind – which we think is a good thing – yet simply having a Privacy Policy is no longer enough to protect businesses and their customers.

So, what else should your organisation be doing to ensure you are not left in the dark on privacy?

Common Approach to Privacy

Almost every organisation collects some form of personal information. As businesses acquire more customer and stakeholder information, and find new ways to use the data, how can they ensure that the privacy of their customers is protected?

Most organisations have a Privacy Policy which details how to handle personal information. Some also have a Data Breach Plan. While this is a good starting point, it is important to realise that just having these policy documents is not enough for effective privacy management, practically or legally.

A Privacy Policy that sits on an organisation’s website is not a useful management tool if it is not understood, regularly updated and reflected in organisation practices. In a similar way, having a Data Breach Plan is only the first step: organisations need to maintain focus on preventative security measures and understand what to do when a data breach hits.

So, what else should organisations be doing?

A Better Approach to Privacy

Adopting a “privacy-by-design” approach to collection, use and handling of personal information is the most efficient way to stay on top of privacy obligations and expectations. This approach requires privacy to be incorporated into business planning, project design and objectives, and staff training. Put simply, organisations need to integrate privacy considerations into every aspect of their business to ensure proper privacy compliance. While this sounds like a lot of regulatory red tape, experience shows that this approach is more efficient than retrofitting compliance.

Below we outline some steps you can take towards adopting “privacy-by-design”.

1. Organisation-wide Privacy Culture

Good privacy compliance stems from a culture of privacy where everyone, from the leadership team, including the board, down to each employee and contractor, understands the value of personal information.

Too often privacy is put on the back burner until it is forced into the spotlight by a data breach or customer complaint.

Business leaders can create and support a privacy-centric environment where everyone is trained in privacy practices. Protection of customers’, employees’ and other stakeholders’ personal information is key. At a minimum, employees and contractors need to know:

  • how to identify and properly manage personal information;
  • the privacy issues that arise in their specific role and when to escalate them (especially if there is a data breach); and
  • the name and contact details of the Privacy Officer and his or her responsibilities.

Without a culture of privacy, organisations may fail to identify privacy issues, risking loss of customer or stakeholder trust and reputational damage.

2. Comprehensive Privacy Management Framework

A Privacy Management Framework is the label given to the development and systematic implementation of robust privacy practices and procedures.

Effective Privacy Management Frameworks address:

  • correct handling of personal information throughout the information lifecycle;
  • information privacy security controls; and
  • responses to customer privacy enquiries and complaints.

These frameworks also ensure compliance with regulation and promote regular policy and procedure reviews with updates as business practices evolve.

A Privacy Management Framework arms an organisation to address business risks, such as breaches of Australian and international privacy law, disruption to business and loss of customers.

3. Regular Use of Privacy Impact Assessments

Australian and overseas regulators recommend that organisations undertake a Privacy Impact Assessment (PIA) whenever new activities, initiatives or technologies are introduced that affect the treatment of personal information.

PIAs are a practical tool used in “privacy-by-design”. PIAs are an integral part of any project planning process and privacy compliance as they:

  • help shape the development of projects;
  • lead to adoption of alternative, less privacy intrusive practices; and
  • reduce the likelihood of valuable resources being invested into initiatives with poor privacy design.

Failure to conduct a PIA may have a significant impact on business, including negative publicity if a project fails to meet customer expectations about how personal information will be protected.

Organisations must adopt an organisation-wide approach to privacy that:

  • encourages a strong privacy-aware culture to facilitate employee understanding;
  • adopts, frequently reviews and updates its Privacy Management Framework; and
  • regularly uses PIAs to identify and shape the organisation’s response to new privacy issues.

Simply having a Privacy Policy is not enough for privacy compliance.

Sainty Law can help you review and redesign your approach to privacy and data protection. Contact us for an obligation free discussion on how we can help your organisation.