Working in sync to protect privacy

ISACA
By Jo Stewart-Rattray, ISACA Oceania Regional Ambassador
Wednesday, 15 February, 2023

As companies in Australia and New Zealand continue to deal with the aftermath and apprehension instilled by the complex cyber attacks of 2022, enterprise privacy will remain one of the most discussed and prioritised topics throughout 2023.

We know that violations of customer privacy erode trust and have far-reaching consequences for an organisation beyond the purely financial. At the same time, rapidly changing government legislation is upping the ante for security experts, who are finding it increasingly difficult to ascertain whether their organisation is meeting privacy regulations; failing to do so could result in significant fines.

A recent global survey conducted by digital trust leader ISACA among IT, security and privacy professionals, Privacy in Practice, indicated less than half of respondents in Australia and New Zealand found it easy to understand their organisation’s privacy obligations. In addition, only 35% report being highly confident in the ability of their organisation’s privacy teams to ensure data privacy and achieve compliance with new privacy laws and regulations.

Globally, almost a quarter of survey respondents said it is difficult or very difficult to identify and understand their organisation’s privacy obligations.

This is not surprising given the myriad privacy laws and regulations in effect, and the frequency of changes and updates to these.

In Australia, new legislation called the Privacy Legislation Amendment Bill 2022 was introduced into the Australian Parliament on 26 October 2022 and passed both Houses of Parliament on 28 November 2022. The new Australian privacy laws enact significant changes to the Australian Privacy Act 1988.

So how can a security professional gain confidence and keep on top of changing legislation — in Australia and globally?

Teamwork. Teamwork. Teamwork.

In the majority of cases privacy practitioners can be classified into one of two groups — legal/compliance, who have knowledge of the privacy laws and regulations that apply to an enterprise; or technical, who have the expertise to apply controls that help preserve privacy and achieve compliance.

Security and privacy professionals must join at the hip and work together to achieve optimum privacy outcomes for their organisation. They cannot — and must not — work siloed.

On too many occasions I have seen first-hand compliance teams working independently of technical professionals, and vice versa. In Australia and New Zealand 46% of survey respondents said a barrier to implementing a privacy program is a lack of clarity on the mandate, roles and responsibilities. Meanwhile, 42% reported a lack of executive support when it comes to implementing a privacy program.

I see this situation played out in organisations across the Tasman and, again, it reinforces the need for a unified front by all areas of the privacy team.

Furthermore, only 31% of privacy professionals say their privacy budget is appropriately funded. The Board and executive team are far more likely to understand the enormity and importance of privacy policy, and fund this accordingly when all those involved in implementing it are working in tandem.

A shared approach also means shared responsibility. As government legislation tightens and monetary fines are mandated, technical teams need the assurance of their compliance colleagues, and vice versa. An optimal privacy culture relies on trust by all facets of the privacy team, and when the compliance and technical teams are meeting and updating each other regularly, confidence across all levels of the organisation elevates. And this flows out to consumer and stakeholder confidence.

Our ultimate goal is to achieve Privacy by Design, which means ensuring good privacy practices are built into your organisation’s decision-making and digital transformation from the outset.

And what lies at the heart of Privacy by Design is a sync among the entire privacy team.

The best privacy policies can be written, but if the technical team does not understand why they are necessary, they are just words. Similarly, high-level data protection measures can be put in place, but if they don’t help the company achieve compliance, money has not been invested appropriately.

Developing Privacy by Design is certainly an investment that will return enormous benefits in the form of consumer trust, reputational respect and financial security — but it starts with teamwork and confidence from within.

To download a copy of the Privacy in Practice 2023 survey report, click here.

Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT is a member of the Information Security Advisory Group, ISACA, Vice President — Community Boards, Australian Computer Society and Vice President, National Rural Women’s Coalition. She has more than 25 years of experience in the security industry. She consults on risk and technology issues with a particular emphasis on governance and IT security in businesses as the director of technology and security assurance with BRM Advisory. Stewart-Rattray regularly provides strategic advice and consulting to the banking and finance, utilities, healthcare, manufacturing, tertiary education, retail and government sectors.
