It is going to be a very long few months for Optus and one they would probably prefer to forget. 9.7 million customers woke up on Thursday the 22nd of September to news that their data had been leaked and the nightmare had only just begun for Optus.
Cybersecurity attacks are not new and in fact they are only increasing. In FY21 the number of reported business and personal cyber related crimes in Australia reached 67,500 – up 13% the prior year costing businesses and individuals A$33 billion.
Whilst cyber-security is once again thrust into the spotlight, so too is Australian privacy law and if the press is anything to go by, we are about to see a wave of change thrust upon brands.
Signs the government is about to get serious on data privacy…
In October 2021, the government released its long-awaited recommendation paper, outlining a raft of potential measures that would see the Australian privacy act under-go its biggest overhaul in some time. The Australian Privacy Act was first legislated before the digital age was upon us, so there was little surprise that the act was due to undergo significant change. At the time 60+ changes were proposed, ranging from widening the definition of what is considered to be personal information to evolving the definition of what is defined as direct marketing to include online advertising. Recommendations also included the right for consumers to be able to request for their data to be deleted. The government called for submissions to the discussion paper from all parts of the community and business and since that closed in January 2022, there has been radio silence on proposed changes. That was of course until the Optus breach happened last month.
In the days following the hack, the Prime Minister himself has become very vocal about the importance of changing privacy laws. The Attorney General Mark Dreyfus has also weighed in questioning why Optus kept personal document identification numbers for years – even after many customers had left Optus. Their comments demonstrate that we can expect that much change is coming.
Data retention and the right for consumers to delete data firmly in focus
When the Optus hack became public knowledge, we quickly learnt that Optus was holding very sensitive information on its customers. When applying for a phone, individuals must provide highly sensitive forms of personal information including their drivers’ license, passport details etc. The hack had exposed that Optus had retained this data going back at least 6 years, and they had suggested they had to by law, which has since been refuted by the Attorney General himself. Adequate data retention policies and demonstration of compliance of, are already part of the Australian Privacy Act but what the Optus situation has exposed is that organisations (and Optus will not be the only one) are at best apathetic to adhering to data retention policy given the commercial value and importance of data to an organisation. Dreyfus, in a recent interview, said
“Companies appear to be hoarding troves of customer data for commercial benefit rather than simply to comply with government regulations."
In light of these comments, it is fair to say that companies are set to be forced to cut back the vast amounts of sensitive data they retain about their customers under changes to privacy laws being considered by the government in response to the Optus cyberattack.
One of the other controversial changes that is likely to receive increased attention is the right for consumers to request for their data to be erased. In a 2021 privacy study by Deloitte's, it was found that 79% of Australians want the right to erase their data. This means consumer sentiment to erase was high even before the Optus hack. But brands including Optus are not exactly enthralled by the prospect. With legacy systems and disparate data sources, a potential shift in legislation which allows consumers to be able to request for their data to be erased could be costly for organisations. In response to the Privacy Act discussion paper, Optus had repeatedly vocalised its opposition to the right for consumers to request their data be destroyed, with the telco arguing there were “significant hurdles” to implementing such a system and it would come at “significant cost”. The dangerous combination of storing highly sensitive personal information and consumers having no right to erase has created a compelling reason to press ahead with changes enabling consumers the right to request to delete their data which puts greater control back into the hands of consumers. If Dreyfus comments are anything to go by – it looks like we may be headed in that direction “We need to have businesses appreciate very, very firmly that Australians’ personal information belongs to Australians.”
It is a matter of data ethics and reputation not compliance
In our Marketing State of Play Study in 2022, we sought to understand how brands are preparing for the potential changes being bought about by the introduction of the Online Privacy Code and the pending changes to the Privacy Act. Our study found that 28% of brands were not actively making changes/ focused on evolving in the privacy and consent space and a further 40% had begun some exploratory work meaning nothing was actively in train. Too often brands are not proactively adapting to a changing environment, instead they are reacting to the change around them.
What the Optus hack has taught us is that brand reputation and data privacy is inextricably linked. In a digital world, strong data privacy compliance is hygiene, but it is brands who adopt a more ethical approach that goes beyond compliance that are likely to win the trust of their customers. For brands that are yet to lean into the privacy challenge there are a number of initial steps you should take in order to be ready for the change that is upon us. These include the below;
1) Undertake an audit to understand your today state. What we often witness within organisations is a belief that privacy is well managed – but little is really understood about what it takes to be compliant with even todays legislation. Undertaking an audit or self-assessment of where your organisation is at, will help to determine the size of the challenge ahead of you and where the biggest risks lie
2) Stop treating privacy like the legal teams’ issue. Whilst the legal team understand the act and often write the policy, it is those in the business that ensure that the brand remains compliant. This means leaders and their teams must have a solid grasp on privacy principles and look to ensure compliance day to day.
3) Move towards an ethical approach to data management. Whilst compliance is important, respecting your customers and doing what is right is far more powerful. Having a clear set of ethics which guides and governs how you as a brand treat customers data and utilise it, can help shift the team from simply thinking about monetisation for commercial benefit to a more balanced approach which benefits both the organisations and respects the customer.
Need help to evolve your data strategy to better balance privacy and the needs of the business. Find out more about our customer data strategy services here.