Fifth Dimension Consulting warns organisations to prepare for significant impact of changes to Australian privacy laws
Great Privacy Awakening: Changes to Australian privacy laws to significantly disrupt how organisations manage their marketing and relationship with customers
“The proposed changes to the Privacy Act are some of the biggest reforms we have ever seen in the area of consumer privacy. They aim to put the power back into the hands of consumers to decide where and how their personal data is used,” Spooner said.
“One of the key themes of the new legislation is that it aims to better inform consumers of their rights around how their personal information and consumption behaviour is collected and used by organisations, from small businesses through to major companies and government departments.
“The scope of the new realms of augmented privacy control extends into the area of anonymised information and consumer cohort trends, which effectively eliminates the ability for businesses to engage in the manipulation and interrogation of big data to create granular insights and predictive modelling without the receipt of specific consumer approval.”
Lyndall Spooner is the founder and CEO of Australian strategic research3 and consulting agency, Fifth Dimension1 and leading authority on brand trust. Fifth Dimension’s groundbreaking Trust Matrix centres on the premise that trust in brands has its foundations laid in two traits – the capability of the brand to do what it promises and the character of the brand to operate in an honest and ethical manner. Fail on both trust traits and brands risk losing a customer they have let down for life and weakening brand growth due to the legacy of a proven poor reputation. Fifth Dimension works with many of the globe’s leading brands including top tier financial institutions.
Spooner explains there are three angles to consider in relation to the impending privacy law changes.
First, businesses will have to conduct a detailed internal review of all the ways in which they are using consumer data for sales and marketing purposes and confirm they have permission to use the data they have collected for each of those purposes.
“Some leadership teams may not be completely aware of just how much data is being used across their business for a multitude of purposes, including the requirement of data for streamlining digital interactions and services,” Spooner said.
Second, as businesses undertaking that review and seek informed consent from their customers, consumers are going to be made brutally aware of just how much of their data has been used by companies, including having their data sold to third parties.
“Consumers are not completely ignorant that their data is used to market to them, but they will be surprised just how much of their data is being used to influence their choices and to provide seamless digital interactions and that could impact their perceptions of the integrity of the businesses they deal with,” Spooner explained.
Third, if around one in every five consumers refuse to allow companies to use their data beyond what is necessary which is a realistic and conservative estimate, this could result in a significant decline in the effectiveness of automated sales and marketing activities and a greater need for businesses to go back to the fundamentals of marketing to reach potential audiences.
“The new legislation will address the clarity of collection notices and consent requests, to improve consumer comprehension. There will also be an enhanced legislative definition of consent, which will require that consent be voluntary, informed, current, specific and unambiguous,” Spooner said.
“Very few companies have started to update their consent requests. This won’t be a single statement asking for broad consent with the option to go and read an even long set of terms and conditions as has been the case in the past. Consumers are likely to be asked to consent to 5, 10, 15 or more specific uses of their data, and potentially be continually asked to update their consent over time.
“The reality is that many Australian businesses are not ready and nor do they understand what they need to be ready for, or naively think they already have captured consent from their customers. The new laws will apply to all businesses including small businesses. This is a fundamental shift.”
The proposed changes to Australian privacy legislation will have a profound impact on how organisations collect and use data for marketing purposes.
Expanded definition of personal information equals reduced capacity to synthesise and customise
The new laws will expand the definition of personal information which could include technical data such as IP addresses and inferred data such as behavioural predictions which means that more data types used in marketing will be considered personal information. This increases the regulatory burden on businesses to ensure compliance.
“It also restricts what brands can do with consumer information without their explicit approval. With the removal of cookies, businesses have turned to insights to interrogate and model how consumers might behave in deliver more meaningful and relevant offers,” Spooner said.
“Without consumer approval, collecting and using any type of consumer information even in an anonymised form into a data set to create patterns, insights and other forms of modelling including predictive outcomes, will not be tolerated and serious fines can be imposed.
“The responsibilities on businesses to obtain, clear, informed and specific consent for collecting and using personal data for marketing, will be significant. Marketing practices must be transparent, with clear disclosures about how personal data will be used. Consent for data usage, especially for high privacy risk activities, must be clearly stated.”
Is the use of personal information really warranted
The new legislation will also likely add a fair and reasonable use test to determine necessity and proportionality.
Marketing activities will need to pass a ‘fair and reasonable’ test, ensuring that data collection and usage are necessary and proportionate to the marketing purpose. Businesses will need to balance their data needs against the privacy expectations and potential impacts on individuals.
“Consumers will have the right to object to their data being used for marketing purposes. Even if approval is given, businesses must provide a mechanism for people to easily opt-out of marketing communications. They will even have a right to erasure. Consumers can request the deletion of their personal data. Business’ databases, whether they be in house or via a third party, will need to be capable of promptly erasing personal information upon request, complicating long-term data retention strategies,” Spooner said.
Sophisticated record keeping, documentation and security
“In the new world of privacy, businesses must now pay even more attention to whose information is being used and how than what benefit they can extract from utilising it,” Spooner said.
“This is a fundamental shift and one which is still not being grasped by businesses. Businesses must keep detailed records of the purposes for which personal data is collected and used. This includes documenting any secondary purposes, which is common in marketing where data might be repurposed for different campaigns.
“Organisational systems are not built for this level of transparency and consumer information journey. They have been devised to manage and track consumer engagement, not information use. Broad, nebulous and all-encompassing statements of information use are no longer appropriate and nor will they succeed in the new sphere of privacy management.”
Serious consequences for businesses
“The new privacy legislation catapults us into a new realm of risk and challenges, particularly so in the sphere of security and data handling,” Spooner said.
“Importantly these new changes will likely enforce businesses to delete consumer data they no longer need to hold which will reduce the chances of that data being hacked. Consumers should not be concerned data they have given a company for a specific purpose more than a decade ago still exists on a database somewhere.”
The MediSecure cyber attack in May this year saw the data of over 12.9 million Australian’s stolen, and the company now in administration.
“Concerningly, MediSecure said in a statement at the time that it was unable to identify the specific impacted individuals due to the complexity of the data set,” Spooner said.
“Many companies are going to have to review how they store data and update their core systems to ensure consumer data can be clearly updated and deleted as required, and this will come at a significant cost for companies on legacy systems.
“ISO27001 is considered the gold standard in information security and as one of the few organisations in our sector world-wide with the accreditation our view is that government departments and ASX listed companies should only be allowed to engage service providers with this level of accreditation to ensure the highest levels of data security integrity in this country.”
Spooner explained that the new privacy laws will help us to move towards this goal. The new laws will require improved security measures. Businesses will need to ensure that personal data is securely stored and protected against breaches. This may involve adopting advanced cybersecurity measures and conducting regular security assessments.
“If marketing data is transferred overseas, businesses must ensure compliance with new regulations including using standard contractual clauses or transferring data only to whitelisted jurisdictions,” Spooner said.
“In case of a data breach affecting marketing data, businesses must report to the OAIC within 72 hours, necessitating quick response and mitigation plans. Increased penalties for non-compliance mean that breaches of privacy regulations, including improper use of data for marketing, can result in significant fines. Enhanced powers for the OAIC mean more rigorous enforcement and potential audits of marketing practices.”
Spooner emphasised that programs most likely to be hit hard by the new privacy laws include loyalty schemes which have become a key weapon in the retail sector’s armoury of marketing tools and tactics.
“Businesses will need to completely reengineer how they undertake and manage core activities such as marketing, customer service and engagement, offer development and delivery, collaborations and partnerships and data management,” Spooner said.
“The impending changes are going to have a far-reaching impact on many businesses and the concerning issue is that many don’t even realise it.”
Fifth Dimension’s Trust Model
Fifth Dimension’s groundbreaking trust model centres on the premise that trust in brands has its foundations laid in two traits – the capability of the brand to do what it promises and the character of the brand to operate in an honest and ethical manner.
Fail on both trust traits and brands risk losing a customer they have let down for life and weakening brand growth due to the legacy of a proven poor reputation.
About Fifth Dimension Consulting
Fifth Dimension has been recognised for its groundbreaking work receiving multiple awards including: three prestigious 2021 FORSTA AIR (Achievement in Insight and Research) Awards including Judges Choice, a 2021 Confirmit ACE (Achievement in Customer Excellence) Award in the Innovation category, and a 2020 Confirmit AIR Insight and Research Award. In addition, Fifth Dimension was included in the highly respected 2020 GreenBook Research Industry Trends (GRIT) Top 25 Strategic Consultancies, as one of the world’s most innovative companies to make the list. Since its launch in 2006, Fifth Dimension’s four pillars of expertise have continued to evolve new capabilities to embrace uncertainty and drive the development of market leading approaches: strategy, experience, research and technology.
www.fifthdimension.consulting
Tess Sanders Lazarus
Invigorate PR - Global PR for entrepreneurs and business
tess@invigorate.com.au
Visit us on social media:
Facebook
LinkedIn
Other
1 https://fifthdimension.consulting/
2 https://www.linkedin.com/in/lyndall-spooner-51a69b20/
3 https://www.linkedin.com/company/fifth-dimension-research-and-consulting/