Privacy by Design: CyberCX Recognises Leaders in the Field
CyberCX has identified the Australian companies leading among their peers on privacy. As Australia’s regulatory and policy settings on privacy tighten, leadership on privacy is increasingly important. It’s also the right thing to do. This post introduces CyberCX’s inaugural Privacy by Design awards, which recognise Australian brands following the global Privacy by Design principles. These principles transcend time, geography and the complexities inherent in fast-changing technology and data processing systems.
At a conference in 2019, Tim Cook, the leader of arguably the most successful company of all time, made his views on privacy clear. Privacy should not be an afterthought, but instead baked into the development process of every new product. Privacy, then, is far from dead. If a CEO wants to emulate the success of Apple, she would be wise to take note of the importance that Privacy by Design plays in that success.
Why Design for Privacy?
One of the great challenges for organisations and those charged with managing privacy risk is the complex web of privacy requirements. Compliance obligations vary from territory to territory, and sometimes even between industries within a territory. The Privacy by Design Principles set a globally recognised best practice guide that can help harmonise standards globally.
The Principles transcend time and the complexities that have become standard in technology and data processing. Adhering to the Principles will go a long way to ensuring compliance. More important, and from a human rights perspective, the Principles can help organisations ensure that data is processed in a fair and ethical way.
Consider principle 2. Having privacy as a default setting, rather than something a user must actually choose, will guide marketers, solution architects and data scientists. It’s not prescriptive and is technology- and process-neutral. The principle can flex with the standard of the day.
The Principles were developed in Canada in the 1990s by Dr Ann Cavoukian, then Ontario’s Information and Privacy Commissioner. As described by Dr Cavoukian, the first iteration was developed at home from her kitchen table. From humble origins, the term ‘Privacy by Design’ is now part of the vernacular of privacy professionals and integral to product development strategies in mature organisations worldwide. It’s also key to guidance from regulators around the world. It’s even referenced and embodied in the most famous and discussed privacy law in history: the European Union’s General Data Protection Regulation (GDPR).
How the Principles can future-proof Australian organisations
The Australian Government is currently considering the most significant reforms to how organisations collect, process and use personal information since 2000, when the provisions of the Privacy Act were extended to cover non-government entities.
Major changes on the table include a civil action for privacy breaches, increased powers for the Privacy Commissioner and a significant jump in maximum penalties and fines. Think GDPR-level compliance requirements and regulatory risk.
But even beyond compliance, good privacy practices make business sense. They can decrease organisations’ cyber security risk footprint. They also help organisations to obtain and maintain the social licence to process personal information and to live up to customer expectations. This minimises reputational harm in the event of a breach and creates opportunities for innovation with personal information.
Introducing the CyberCX Privacy by Design Awards
Given that the Privacy by Design principles are one of the closest things we have to universal guardrails for managing privacy, CyberCX decided these would be an ideal benchmark for assessing the publicly observable practices of Australian consumer brands.
With over 100 individual metrics aligning to one or more of the seven principles, our team of researchers looked at the main digital interfaces these brands have with their customers: their website platforms. We decided to focus on websites as this is generally companies’ most open interface with consumers, and least regulated by third parties. On the other hand, apps are increasingly constrained by market-leading privacy protections built into operating systems – many of them thanks to Apple App Store standards and the privacy leadership of the likes of Tim Cook.
Our thinking was: how a brand behaves in this less regulated or controlled channel is more telling of their attitude to privacy. Privacy by Design in this channel is a choice, rather than a requirement in many cases. How brands get consent to market, track and collect consumer information has been a key focus.
We have yet to finalise our research, but preliminary data suggests significant variation in the privacy attributes of major brands’ websites. We can’t wait to share our findings and to recognise brands that have gone the extra mile in demonstrating a Privacy by Design philosophy.