For the first time in over 10 years there are changes to the Australian Privacy Act that come into effect this Wednesday 12 March, 2014. 13 new Australian Privacy Principles (APPs) will apply. See here for the full guidelines.
These changes have been well publicized with the legislation having been passed for quite some time. But with 2 days to go, there’s been lots more publicity of the requirements and it’s a timely reminder to focus on how you use and store your customer data.
The key changes to the APPs include:
- A new system of privacy principles, which will significantly affect how private and public sector entities collect and handle personal information;
- Enhanced enforcement mechanisms; and
- For the first time, the introduction of a civil penalty regime for breaches of privacy.
Australian Direct Marketing Association (ADMA) CEO Jodie Sangster summarises the changes in this short video http://youtu.be/WOVOpozxJ6o
WHY THE NEED FOR CHANGE?
Since the original privacy legislation was drafted, there has been a plethora of business and technology changes, and this has led to the need for new principles to be put in place to protect consumers' rights and make sure there's transparency on how their data is being used as well as where it's stored and shared. Your business may well be prepared, but if you're not, it's worth making this a business priority, as penalties for a breach can be up to $1.7 million per infringement for corporates and $340,000 for individual entities.
WHO IS IMPACTED?
Whilst the initial compliance focus is sure to be on large corporate entities (the legislation states that this applies to organisations with over $3m turnover), these new principles are something businesses of all sizes need to take into account and focus on.
Specifically, you need to be compliant if you have a turnover of over $3 million, but if you are collecting customer data, or have data going overseas, there are also obligations to comply with.
There are implications for the way that we direct market our products and services to clients and whilst we’re no legal experts (and do recommend seeking professional advice on this matter), there are lots of good sources of information for you to read to make sure your business has a greater understanding of your obligations.
The Australian Direct Marketing Association (ADMA) has some great material to reference at http://www.adma.com.au/comply/spotlight-on-privacy-2014/ and there's been lots of press mentions of how to comply over the last week (e.g. Smart Company article).
Some things you should immediately consider:
- Conduct a compliance audit – this is not something that just falls on the job list for your marketing department. As an organization you need to think through all the touch points at which you collect customer data and how the data is stored. This should be something management looks at and involves multiple functional departments.
- Review your current privacy policy – it may be that you need to seek legal advice to update this to make sure that you are complying and your existing policy is up to date. Have you updated your policy to refer to how data is treated with respect to social media? What about giving permission to retarget ads based on internet behavior? There are lots of changes and in many cases, existing privacy policies have not been updated for a considerable amount of time and are outdated.
- Train your staff – consumers can ask about how their information is used at any time. It’s worth making sure that your key personnel can answer any questions about the privacy of their data and how it is treated.
- Think about your welcome emails – if you have a welcome email when people sign up to communications, it's good practice to make reference to your privacy policy at the bottom so you're clear upfront how the data is being used.
- Data breach – do you have a plan for if a breach were to occur? It's worth re-evaluating your IT security to make sure you have adequate systems in place, particularly if data is stored in a cloud environment.
- Think about third party agreements – do you use a mail house or share data with another party for direct marketing purposes? It’s time to mitigate any risk and ensure that you have appropriate contracts in place.
Privacy will no doubt be in the spotlight for the next few months, so time to get proactive and ensure your organization is using best practice.
Note – You should seek legal advice regarding your own organisational situation. The article above is designed to raise awareness of your obligations so you can investigate your individual circumstances further.