Australia’s privacy landscape is in the process of being redefined. We expect the outcome of the current wide-ranging review of the Privacy Act 1988 to transform how our clients need to approach protecting and managing personal data.
Privacy changes on the horizon.
This is happening in the context of:
Borderless data flows drive more transactions, acquisitions, technology and growth, increasing cyber security and supply chain risks.
Courts and regulators are also becoming more active in investigating compliance and enforcing privacy and consumer rights relating to personal information. Consumers expect more choice and transparency in relation to the data collected about them, and also redress for harms caused by privacy breaches.[1]
More sectors will become designated as critical infrastructure under the current changes to the Security Legislation.[2] This will mean additional cyber security and risk management obligations for many organisations. We are also seeing the market responding to the opportunities and challenges of the broadening ecosystem of the Consumer Data Right. The result is an increasingly complex and overlapping set of regulatory frameworks which organisations need to understand as they pursue digital transformation.
Organisations should be ready for large-scale changes to artificial intelligence (AI).
Change is inevitable. The last year saw a large increase in AI adoption due to COVID-19, with an increase of more than 30 percent in some industries.[3] Organisations should be ready for this, starting with education around the new opportunities and risks that the power of AI introduces to the privacy domain. Adopting an organisation-wide, multi-disciplinary approach is necessary to achieve ethical and trustworthy AI systems. Privacy should be built into projects from their inception and design phase, avoiding the common mistake of treating it as a final approval or a box-ticking exercise.
It is also time to think about privacy beyond existing regulation and proactively ensure stakeholders’ ethical privacy expectations are met. Organisations need to build a Data & AI Ethics framework that puts people at the heart of their operations and creates a culture where privacy is everyone’s responsibility.
Given the continuous rapid change, such frameworks and governance structures should be designed to adapt quickly.
Data privacy is also becoming a key aspect of business expansion, acquisition of solutions or other businesses, divestment and redesign of business processes. This occurs as organisations explore ways to grow organically or inorganically through digitisation, and as consumers gain increasing control and choice over their personal data.
Organisations need to consider a range of privacy issues in their business transactions and in pursuing growth. These include understanding the original purpose of data collection and whether planned future uses are consistent with it, updating data mapping, and developing business processes to improve their ability to respond to the exercise of consumer rights.
Enabling your organisation to effectively respond to attacks.
More notifiable data breaches are being reported to the OAIC year on year (although these are only the breaches covered by the Notifiable Data Breaches scheme, and do not include breaches involving employee data or small businesses). While 50-60 percent of breaches are attributed to malicious actors, around a third of breaches are still caused by human error.[4] That’s nearly one breach per day in Australia due to mistakes. Phishing remains the most popular attack vector for malicious actors to deliver malware, which highlights the need for layered defences, including staff training.
Ransomware has become a very popular tool for cybercriminals, with both the number of attacks and the ransom amounts demanded increasing. The attacks don’t just encrypt files: the attackers also exfiltrate documents and threaten to release them if a ransom isn’t paid. This means more potentially notifiable data breaches. Having a skilled team that is well supported by external partnerships and a data breach response playbook is critical to enable organisations to respond effectively to these attacks.
If you are facing a cyber security incident, call our Incident Response Hotline on 1800 316 767
A collaborative, organisation-wide approach to privacy.
KPMG Australia takes a multi-disciplinary approach to supporting our clients through close collaboration across our compliance, legal, risk, technology, cyber, forensic, data, ethics and AI teams. These teams come together to provide our clients with truly holistic privacy assurance and advice every day. We have a tried and tested global privacy methodology, so our teams can easily and consistently work as one global team for our clients while providing location-specific experience and knowledge wherever they may have operations.
KPMG Australia has invested in research and development to create tools such as the Data Protection Navigator and new methodologies like our Trustworthy AI model to help our clients stay on top of their privacy risks and take full advantage of the opportunities that a well-managed, forward-looking privacy program presents.