Are you ready for 2014 Privacy Act changes?

By Bacchus Van Loo

Unless you have spent the last six months stranded on a deserted island, it is highly probable that you have read that many countries around the world are working to define ways to best manage “private information” in the digital age. In Australia, the revised Privacy Amendment Act will come into effect in March 2014. 

The new act will, as this author has recently read in the ether, “put some teeth in the toothless tiger”. In other words, it will give Timothy Pilgrim, the Australian Privacy Commissioner, more powers to enforce the 13 Privacy Principles that he and his team will be mandating. 

Along with the changes, his powers will also be augmented in the areas of investigations, determinations, enforceable undertakings, and civil penalties. These changes will better protect Australians, as well as foreigners whose data is stored in Australia, from inappropriate disclosure.

These changes, in combination with the general public attitude, have resulted in both public and private organisations addressing the new Privacy Amendment Act with vigour and enthusiasm.

So begins the challenge of not just addressing the topics in the Privacy Amendment Act, but improving how your organisation will manage the risks associated with the collection, use, and retention of private information. While every organisation has its own unique needs and challenges, there are several steps that privacy professionals can take to start implementing a framework to address the new Privacy Amendment Act initiatives. 

Understand the business risks

Despite this new interest in privacy, privacy in and of itself is unlikely to drive the business. To increase their visibility, privacy professionals need to be actively involved in their company’s operational lifecycles and integrate good privacy strategies into them.

One of the highest risk areas relating to the operation of secure, compliant privacy environments is how to manage private information effectively. Most organisations, despite having great business processes, have trouble knowing where private information is stored and whether it is appropriately classified, let alone who has access to it. 

Understand your “information” risks

One of the biggest challenges most organisations face is understanding where their data resides and who has access to it. More often than not, there is a disconnect between “the business” and “IT”, as the two speak very different languages. Privacy professionals, as well as other management functions, should have a clear understanding of where existing information is located, as well as where future data is expected to reside.

To better understand these risks, organisations should evaluate their current environment by scanning existing data to determine where sensitive data lives, and so gauge just how much risk they are exposed to. These risks should be well documented, and privacy professionals should be proactive in keeping their organisation’s decision makers informed of them.

Establish governance

Once you have an understanding of the risks surrounding private (or other sensitive) data, privacy professionals should work with all key organisational stakeholders to review policies and procedures. These policies and procedures should be designed to help ensure that data is always in the right place, appropriately classified, and accessible only to authorised people. These processes should be automated where possible to lower complexity and increase efficiency. To ensure ongoing conformance, they should be augmented with associated roles, responsibilities, and expected reporting requirements.

By establishing a clear governance strategy, privacy professionals will be able to outline the expectations against which compliance is benchmarked. This will enable the organisation to state what it is going to do and, through the automated processes, be able to prove it.

Convert risk into funded initiatives

Once the aforementioned steps have been implemented, privacy professionals will be in an optimal position to leverage the governance model and transform their initiatives into funded efforts. It is critical to keep senior management informed of the risks to which they are exposed, and this process should be a very positive dialogue. By collaborating with senior management, privacy professionals provide them with critical insight, which puts them in a better position to understand the value the privacy professional brings and just how important it is to support the initiatives that must be addressed.

Navigating the implementation of sound processes that meet every Privacy Amendment Act requirement can be a tricky, long and colourful journey. By understanding how and where data is stored and accessed across their systems and platforms, organisations place themselves in a strong position to meet the challenges that “new world digital regulations”, as well as public expectations, are placing on them.

Bacchus Van Loo is a Compliance Solutions Specialist at AvePoint