Published by Privacy Advisory on 5 May 2023
CyberCX has again identified the Australian companies leading among their peers on privacy. As Australia’s regulatory and policy settings on privacy tighten, leadership on privacy is increasingly important. It’s also the right thing to do. This post supports CyberCX’s annual Privacy by Design awards, which recognise Australian brands following the global Privacy by Design principles. These principles transcend time, geography and the complexities inherent in fast-changing technology and data processing systems.
The second annual CyberCX Privacy by Design Awards
Given that the Privacy by Design principles are one of the closest things we have to universal guardrails for managing privacy, CyberCX decided these would be an ideal benchmark for assessing the publicly observable practices of Australian consumer brands.
With over 100 individual metrics aligning to one or more of the seven principles, our team of researchers looked at the main digital interfaces these brands have with their customers: their website platforms and mobile apps.
While our research is still being finalised, preliminary data again suggests significant variation in the privacy attributes of major brands’ websites. We will also align key attributes of Privacy by Design (PbD) with what is being proposed in the recently released Privacy Law Reform Report so businesses can see what impact PbD can have on overall compliance with upcoming regulation. We can’t wait to share our findings and to recognise brands that have gone the extra mile in demonstrating a Privacy by Design philosophy.
“You don’t bolt on privacy. You think about it in the development process of products. You can see what happens when companies wake up one day and decide they’re going to do something privacy-wise. You just can’t do it. You have to design it in.”
– Tim Cook, Apple CEO
At a conference in 2019, Tim Cook, the leader of arguably the most successful company of all time, made his views on privacy clear. Privacy should not be an afterthought, but instead baked into the development process of every new product. Privacy, then, is far from dead. If a CEO wants to emulate the success of Apple, she would be wise to take note of the role that Privacy by Design plays in that success.
Why Design for Privacy?
One of the great challenges for organisations and those charged with managing privacy risk is the complex web of privacy requirements. Compliance obligations vary from territory to territory, and sometimes even between industries within a territory. The Privacy by Design Principles set a globally recognised best practice guide that can help harmonise standards globally.
The Principles transcend time and the complexities that have become standard in technology and data processing. Adhering to the Principles will go a long way to ensuring compliance. More importantly, from a human rights perspective, the Principles can help organisations ensure that data is processed in a fair and ethical way.
Consider principle 2. Having privacy as a default setting, rather than something a user must actually choose, will guide marketers, solution architects and data scientists. It’s not prescriptive, and it is technology and process neutral. The principle can flex with the standard of the day.
The Principles were developed in Canada in the 1990s by Dr Ann Cavoukian, then Ontario’s Information and Privacy Commissioner. As described by Dr Cavoukian, the first iteration was developed at home from her kitchen table. From humble origins, the term ‘Privacy by Design’ is now part of the vernacular of privacy professionals and integral to product development strategies in mature organisations worldwide. It’s also key to guidance from regulators around the world. It’s even referenced and embodied in the most famous and discussed privacy law in history: the European Union’s General Data Protection Regulation (GDPR).
How the Principles can future proof Australian organisations
The Australian Government is currently considering the most significant reforms to how organisations collect, process and use personal information since 2000, when the provisions of the Privacy Act were extended to cover non-government entities.
Major changes on the table include a civil action for privacy breaches, greater accountability for how information is processed, increased rights for individuals, such as a right to erasure, and an expanded definition of personal information. Think GDPR-level compliance requirements and regulatory risk.
But even beyond compliance, good privacy practices make business sense. They can decrease organisations’ cyber security risk footprint. They also help organisations to obtain and maintain the social licence to process personal information and to live up to customer expectations. This minimises reputational harm in the event of a breach and creates opportunities for innovation with personal information.
David Batch is CyberCX’s Privacy Capability Lead.