The Facebook / Cambridge Analytica story has been in the headlines for several weeks, and has brought to the fore the issue of corporate responsibility and privacy protection.
Regardless of whether a data breach has occurred – as the continued scrutiny on Facebook is illustrating – these events are an opportunity for all digital media and advertising businesses to take stock and consider whether their handling of personal information is not only compliant with the law but matches up with widespread community expectations.
The benefits of data innovation are immense and bring economic rewards, which means that businesses that handle data, need to be trusted stewards of the personal information of Australians. At the IAB, we favour the continued growth of the digital economy and we strongly support innovation. As such, we see the responsible collection and use of personal data as part and parcel of this vision.
Europe’s General Data Privacy Regulation (GDPR) is scheduled to come into effect on May 25 and will be a significant factor in shaping data privacy policies moving forward – particularly given that, regardless of whether they have offices or store data in Europe, many online businesses have customers or users in Europe.
The changes to be enacted are broad and will have far-reaching consequences for both companies and individuals (which is a much longer story, and if you want a succinct breakdown of the GDPR, we recorded an excellent podcast with Yves Schwarzbart, Head of Policy and Ad Tech at IAB U.K., which is available here.)
Back in the Australian market, the Australian privacy regulator, the Office of the Australian Information Commissioner (OAIC), has last month issued two new resources that will be a useful guide for any business considering data sharing and analytics.
The first is the Guide to Data Analytics and the Australian Privacy Principles and the second is De-identification and the Privacy Act. Data analytics is generally thought of as not needing to comply with the Privacy Act as it means working on big data sets, assumed by many not to contain personal information and hence not be regulated by the Privacy Act. This assumption is often not correct.
The Acting Information and Privacy Commissioner, Angelene Falk also presented a speech at this week’s Industry Briefing: Privacy and GDPR hosted by the IAB Australia at Gilbert & Tobin with useful information for industry on the topics of data, privacy and trust.
Headlines from keynote address by the Australian Acting Information & Privacy Commissioner, Angelene Falk
Make privacy part of company culture – training and awareness are key but you also need to think about your total digital value chain – the suppliers & partners you work with – publishers, tech companies, agencies and advertisers. At the industry briefing, James Hutchins, Senior Legal Counsel at REA told the audience that at REA all new product developments, systems and process changes and supplier engagements impacting PI must pass a ‘privacy impact assessment’ conducted through cross-functional collaboration (legal, IT security, product, sales/marketing etc.)
Value exchange with the consumer is key
Explain your data collection methods in an open, simple and clear way – what you plan to do with data and what consumer get in return – consent is key.
Craft a privacy communication tool (privacy policy) that meets your business needs. Innovate.
Make sure you don’t have a privacy policy that was written a decade ago, is a hundred pages long and has a raft of add-on amendments every year to keep up with the law. Be innovative. Understand your businesses unique consumers. Communicate your privacy practices to your consumers in a method that suits your company and the users who interact with it.
GDPR is the start point, not the end.
At the industry briefing, Samantha Yorke, Public policy and Government Relation expert told the crowd that GDPR marks the halfway point in an ongoing conversation on privacy that has been underway for some time. Even if you are an Aussie company with Aussie consumers your Ad Tech providers might have global operations. In time, these Ad Tech providers will likely push towards that high watermark for privacy that the GDPR represents.
Privacy recognised as a top business risk
CEOs and Boards need to understand privacy. Top Australian companies make sure privacy is on the agenda at senior levels of the company. For Telstra, quarterly board reports are part of regular business. For REA, privacy is a bottom-up and top-down exercise that involves every department lead in the business.
Consumer rights continue once data has been traded
“This idea that once personal information is traded with an organisation, the individual ceases to have rights to their data does not align with community expectations and protections under Australian law” according to the Acting Information and Privacy Commissioner, Angelene Falk told industry that Companies that exchange free services or products for data don’t have carte blanche over use of the data. Responsible and transparent data management processes must be in place.