In celebration of Privacy Awareness Week we’re starting our new blog series “Future Privacy”, in which we’ll seek to understand and resolve some of the challenges many organisations face managing privacy in a time of exponential data growth. In particular, we’ll be looking into the role technology and automation can play.
In this first post of the series, we’ll start by reflecting on how privacy has developed as a discipline in Australia over the last 20 years, through the experiences of our privacy practice lead, Melanie Marks.
Perhaps surprisingly for a privacy professional, my career began in advertising. Working for an agency, I was spruiking credit cards (if the work of an ‘account coordinator’ can be called spruiking) while I finished my law degree. I took a course at ADMA where I learned about privacy in the context of direct marketing practices, including managing the quality of data held by the mailing house.
Privacy was a reasonably new concept for businesses and there were only a handful of people in Australia who would call themselves ‘privacy practitioners’. At this time, the Privacy Act had just been extended to apply to the private sector and there were two sets of privacy principles known as the ‘NPPs’ and the ‘IPPs’. Those early years of the new millennium also produced rapid advances in digitisation and opened the consumer app market with the rolling launches of Android, Facebook, YouTube, Twitter and iPhone, mere ripples in what would become a sea of data-driven practices requiring privacy management.
In 2008, the ALRC released its comprehensive report into the adequacy of Australia’s privacy laws, in which it took the position that ‘as a recognised human right, privacy protection generally should take precedence over a range of other countervailing interests, such as cost and convenience’. The review was an amazing product – three huge volumes of analysis, still referenced today. Despite this, it would take six years before most of recommendations (including the unified APPs) were enacted. Many of the report’s themes are back on the table in the current review of the Privacy Act.
In 2009, there were three management-level privacy roles advertised in Sydney, and I suspect that the number of purely privacy advisory roles were similarly few. By comparison, there are countless ads for roles with privacy accountabilities today, of which the best ones are at elevenM. 😊
My first role in privacy management was in eHealth where privacy was understood to be paramount to trust in the emerging digital system. Our privacy team was most aligned to a compliance function and like many of the client teams we see today, busy with bespoke privacy impact assessments (PIAs) as well as reviewing technical requirements, contributing to draft legislation, and addressing the concerns of diverse stakeholders. Although we were run off our feet (and in fact the organisation held very little personal information), in 2009 the idea of automation to undertake privacy operational tasks did not arise.
My next move, to a large retail bank, was characterised by transformation. We stared into the new concept of ‘digital trust’ which had currency overseas, to inform our privacy strategy. The team operated an internal consultancy, delivering PIAs, managing data breaches and dealing with myriad other emerging issues. As the bank rapidly pursued innovative customer and enterprise innovations, while seeking to remain compliant and engender trust, my team faced an unsurmountable volume of requests to size up and manage the privacy impacts.
It became clear to me that a scalable and automated PIA solution for the Australian market was needed, and I set out to find one. The best option I found (but did not pursue) was to outsource PIAs to one of the new privacy consultancies in the market. Our team continued to deliver against the growing needs of our internal customers. It was already evident that no amount of human capital would be enough to future-proof demand. It should be said that some of today’s market-dominant privacy solutions were already out there, but adoption was not commonplace.
In recent years, we have seen a significant blurring of the roles played by privacy, data governance and information security teams. Responsibilities have moved, morphed and evolved. For example, tasks which were previously the domain of data governance or were entirely neglected (such as inventories, mapping, data retention and maintenance) have drifted into the work of privacy teams. Incident management often sits between privacy and cyber teams with legal and other stakeholders. Vendor assessment has become a multidisciplinary process undertaken by security, privacy, data governance, compliance, procurement personnel and others. What we are seeing has validated our firm’s objective of delivering services which combine these disciplines. It has also highlighted the need for enterprise collaboration and risk management software.
Amongst most of our clients, we are also seeing that the tsunami of data that every organisation now holds is increasing demands for privacy expertise. The speed and scale in which all organisations can now view, collect, create, use and share data would not have been believed in the early 2000s. Factors behind this are the emergence of cloud-based services, the comparative reduction in the costs of data storage, the willingness of companies to outsource key functions and the seeming desire of organisations to analyse every piece of data that they have ever collected or might infer. We’ve also had significant tightening up of laws (think European and APAC changes, as well as mandatory PIAs for Commonwealth agencies and reporting of breaches). Operational privacy can no longer be managed using the same processes that teams used 20 years ago.
Today, there is no way that a person (or even 10 people) with a spreadsheet (or 100 spreadsheets) in any large enterprise can definitively map data flows or inventory an organisation’s data holdings, whilst risk assessing all material initiatives, responding to data breaches and data subject requests and inquiries. We have a scaling problem. And hence, transformation in privacy will be necessary for survival; in fact, the tipping point is here.
Yet, whilst today there are tools offered by hundreds of vendors for privacy assessment, consent management, data mapping, data subject requests, incident response and notification, scanning, mapping, discovery, de-identification and more, take-up in the Australian market has so far been patchy.
Every privacy professional, CIO, CISO and CDO needs to know about these tools. And every privacy leader should be thinking about how to implement the tools and hence, how to build their teams of the future. In my next blog I will be imagining a new way forward. What should organisations look for in a technology solution? Is it possible to buy the turn-key solution to end your privacy woes? And what skills will be needed in the privacy workforce of the future?