
Most people agree that personal privacy deserves protection and, in some contexts, government regulation, particularly on the internet. Privacy does not exist in a vacuum, however, and regulation comes with costs and trade-offs, especially where the regulation of online data is concerned.

The Australian Privacy Act 1988 is no different from other privacy regimes with regard to the operational impact it has on your organisation.

Here are the top 5 operational impacts of Privacy on your organisation.

1) Financial Impacts: Compliance with any privacy regulation is not cheap. In most cases an organisation lacks in-house privacy competence, which leads to external consultancy costs. Non-compliance can lead to hefty fines: the OAIC has historically been lenient compared with the penalties imposed under GDPR, where British Airways was fined 20 million pounds for non-compliance. Your organisation may also need to upgrade its IT infrastructure to ensure adequate security measures are in place, and those upgrades add to the cost of privacy. Assessing your current compliance posture usually requires external help; data privacy consultants can cost anywhere between 1,700 AUD and 3,000 AUD per day, and implementing their recommendations adds further to the financial impact.

2) Data Subject Rights: Australian Privacy Principle 3 (collection of solicited personal information) of the Privacy Act 1988 restricts collection to personal information that is reasonably necessary for the organisation's functions or activities, and requires the individual's consent before or at the time sensitive information is collected. Consent is generally understood, in the GDPR's wording, as "freely given, specific, informed and unambiguous". It must be specific to the processing operations; an entity cannot request open-ended or blanket consent to cover future processing. An organisation therefore needs to maintain a consent register so that it knows who consented to what. If the purpose or use of the data changes, the individual must be informed and fresh consent obtained; any change to the purpose of collection means going back to the individuals concerned. As a data controller or data processor, you may also have to respond to requests from individuals exercising their rights. This requires comprehensive systems and processes, which can be heavy on your resources and ultimately has a substantial impact on your organisation's operations.

3) Cross-border Data Transfers: The Australian Privacy Act 1988 permits the transfer of personal information outside Australia, subject to compliance with a set of conditions, including conditions on onward transfer.

However, maintaining data-flow records and data maps becomes more complex once data crosses borders. In addition to Privacy Impact Assessments (PIAs), your organisation may need Transfer Impact Assessments (TIAs).

A third-party risk assessment must be performed to ensure that data transferred outside Australia is handled to the same standard as if it had stayed in Australia.

These additional processes require resources, systems and solutions. International data transfers therefore bring additional operational costs and add a significant workload for your organisation's Chief Information Officer (CIO).

4) Data Protection Officer: Although appointing a Data Protection Officer is not mandatory, it is highly recommended. A Data Protection Officer (DPO) is an independent member of company leadership with expertise in data privacy. The DPO's primary responsibility is to ensure that the organisation processes the personal data of staff, customers, suppliers and any other individuals in compliance with the applicable data protection rules. DPOs regularly carry out data security audits and record all data processing conducted by the business, and those records must be made available to regulators on request.

A DPO will play a significant role in governing your organisation's operations, as the DPO may require new ways of working and of handling data.

If your organisation falls into the small or mid-size category, you may need to consider an external DPO or delegate the duties to a data privacy consulting company such as Rabbon.

5) Privacy Impact Assessments: PIAs are not mandatory for every data-handling task or project, but performing one is recommended to ensure data is handled correctly. Rabbon has developed a DIY PIA tool which is free to download.

PIAs are complex tasks that require multiple stakeholders to complete. They become even more complex if the data falls into a sensitive category, such as medical data, or if the data is transferred outside Australia.

A PIA can have a significant impact on your organisation. It also requires detailed knowledge of the Australian Privacy Act 1988 and the relevant state privacy acts, and many organisations currently lack that competence, which leads to non-compliance.

Need help staying on top of data privacy? Rabbon is a cybersecurity consulting firm offering services that help organisations reduce their cyber risks. If you are looking for data privacy consultants, reach out to us today!

Cybersecurity is what we do

Rabbon is a cybersecurity company with offices in Sydney and Melbourne. We lead a team of cyber security consultants and GRC consultants who help organisations become cyber resilient by providing access to effective and affordable cybersecurity services. We believe that "Cybersecurity is for everyone".

You can contact our cyber security consultants for an obligation-free consultation.

Phone : +61 2 80513207

Email: [email protected]