IDC survey reports on Australian businesses being uncertain about data handling and privacy obligations
August 12, 2014 |
As of today the amendments to the Privacy Act have been in force for 5 months. According to Zdnet’s article Australian businesses uncertain about data handling: IDC notwithstanding that time period, the preceding 14 months between passage and enactment of the amendments and the reasonable media coverage almost 20% of organisations are not aware of the changes and 70% of organisations are still seeking guidance on how to manage data. In a sense that is an improvement on previous analysis as at March 2014 where the estimate of awareness was hovering at 40%. But it is still a concern. The article is based on an IDC study (found here). What is clear from the study is that outside industries that have always had strong regulation of data and privacy considerations, such as banks and other financial institutions the culture of privacy awareness, structure and policy development is still at an immature level of development. If the Privacy Commissioner adopts an effective and assertive approach to regulation there may be a shock to and shudder through the business community, the usual price of complacency.
The article provides:
March 12, 2014 marked the date when changes to the Australian Privacy Act came into effect.
Some of the reforms that were made included giving consumers the power to request access to their personal information held by an organisation or agent; request a correction to their personal information held by an organisation or agency; opt out of receiving direct marketing communications from organisations; ask an organisation where they collected their personal information from; and finding out if their personal information will be sent overseas.
In turn, these reforms required businesses to make changes to their own privacy and compliance policies. But a newly released whitepaper by NTT Communications ICT Solutions and Hitachi Data Systems has revealed that while 80.7 percent of organisations were aware of the changes, over 70 percent of IT decision makers are still seeking third party guidance on how they should manage their data.
The Increasing Value of Data in Australia: Privacy, Security and Compliance study, which was carried out by IDC Australia, showed that more than half of organisations rated themselves as being “good” in handling risk and compliance.
“When we saw what they knew about the privacy changes, most were aware of their requirements when it came to offshore data, breaches, and the impact it could have on their brand, and civil penalties. But they didn’t really know who it affected, which was quite low,” said Sally Parker, IDC Australia cloud and big data research director.
From an industry perspective, the financial and communication sectors are twice as likely than the retail, wholesale, and service industry to have a designated person overseeing the risk and compliance in their company.
Although ironically, it was those in the retail, wholesale, and service industry that rated themselves most highly in terms of maturity level when it comes to handling risk and compliance, versus the financial and communication sectors that rated themselves as less prepared.
When the 150 organisations that were surveyed were asked what actions they have taken since the introduction of the revised Privacy Act, a majority of them made internal changes whether it was bumping up employee education on the topic, or amending their existing guidelines of how they handle data.
But this left 8.3 percent of those surveyed admitting they took no action at all, and according to Parker it was mainly due to complacency or organisations — mainly those in the financial sector — believed the existing processes they had in place was sufficient enough to handle the changes.
Parker also indicated the advent of new technologies, such as cloud, social media, and mobile technologies are dictating the way Australian businesses are handling their data, as they foster a borderless IT environment. Of the organisations surveyed, 93.7 percent shared that public cloud had changed how they approach security and risk.
“What we see here is all of these technologies have impacted people’s approach to security compliance,” she said.
Andrew McGee, Hitachi Data Systems CTO, added that while there is a big focus on privacy laws, there is a disconnect within organisations between the IT departments and knowing where the data lives within an organisations.
“That’s a concern because we have a tendancy to not delete anything because it’s often difficult to identify within an archive each file whether we need to keep or not, and then so we end up just keeping it, so it highlights there is a deficiency in data disposal.”
Another outcome Parker said the survey highlighted was that the value of data is rising, and it’s not just between corporations or government, but for individuals as well, highlighting situations such as the most recent conversations around data retention and the right to be forgotten are generating their interest.
“If you’re an organisation it’s not the time to sit back and wait to act. It’s imperative to act to how consumers behave now for tomorrow, and trust will play a big part of that,” Parker warned.
“Individuals are on the cusp of awareness and the onus is on organisations to protect their data and empower them to have a say in its use.”
[…] IDC survey reports on Australian businesses being uncertain about data handling and privacy obligati… […]