The Privacy Series: Privacy Impact Assessments

The Privacy Series

To help marketers prepare for the impact that the privacy reforms will have on the industry and our practices, we have created The Privacy Series. Each month we will take a deep dive into one of the key components set to reshape the Privacy Act to understand what it means for marketers and their businesses.

Privacy Impact Assessments

With the Office of the Australian Privacy Commissioner (OAIC) clearly demonstrating its willingness to fully exercise its regulatory enforcement powers, businesses should be considering whether and when they need to conduct Privacy Impact Assessments (PIAs) as a risk mitigation strategy. This is particularly so as the OAIC identified the failure to conduct a PIA as a key contributing factor in finding a breach of APP 1 in its recent facial recognition determination involving one of Australia’s leading homewares retailers.

With the increasing importance and influence a PIA can have on an organisation’s compliant and responsible use of personal information and consumer data, it is vital that marketers understand and implement these as necessary in their work. In this edition of the Privacy Series, we will look at what a PIA is and how to conduct one, as well as why PIAs are important for marketers.

What is a Privacy Impact Assessment?

A PIA is a risk assessment process used by organisations for any work, project or campaign involving the collection, use and handling of personal information. The aim of a PIA is first to identify, and then to manage and minimise, any risks involved in handling personal data. In short, it is a risk assessment focussed solely on personal information, and in this data-driven age that is increasingly important. Determining whether consumers’ privacy is at risk, and how best to reduce that risk, should be a priority for all organisations.
How to conduct a Privacy Impact Assessment

While it may feel like yet another task to complete on top of an already over-extended workload, conducting a PIA where necessary should not be viewed as optional, and it will help set up a project or job with best-practice data handling procedures from the outset. Here is a step-by-step guide on how to conduct a PIA:

1. Determine the need for a PIA – the first question to ask is whether the campaign, project or work involves collecting, storing, using or sharing personal information. If personal information is involved in the project or campaign, then a PIA is recommended. How comprehensive the PIA needs to be will depend on the project or campaign. Additionally, if new technology is involved, the recent facial recognition determination suggests that a PIA assessing the specific risks to personal information that arise from the technology in question should be done.

2. Outline the project – making sure you have a clear understanding of the data flow, including who collects what, when, where and how, is essential here. Provide an outline of what the project is and its purpose; for example, “A six-week EOFY campaign designed to bring X% new business, with a sales target of $500k to achieve FY KPIs”. Next, outline what type of personal information is being handled, such as name, email address, location and so on. Then describe who will have access to the data and how they will use it, including whether and how the data will be shared. Finally, note where and how the data will be stored.

3. Identify privacy risks – this is a critical section in any PIA. It should identify the risks involved in how personal consumer data is being collected, stored, used or shared, including the potential for any unauthorised access or misuse. It should also determine whether the consumer is adequately informed about the collection and use of their data, and identify their level of control over this. It is also important to have an understanding of privacy legislation and data-handling regulations in order to detect whether the project is compliant. By identifying these components, any potential risks should emerge, enabling your organisation to mitigate those risks before they materialise. Such risks can include, but are not limited to, a data breach resulting from poor data security, uninformed or unclear consent, excessive data collection, and non-compliant practices.

4. Assess the risks – with any potential risks now identified, it is important to assess them to understand the likelihood of each risk occurring and the impact it would have. A helpful approach is to create a low/medium/high risk matrix.

5. Identify mitigation strategies – regardless of whether an identified risk is rated low or high, appropriate risk mitigation strategies to reduce the level of risk are important. Be sure to consider and make note of the most effective ways to reduce risk, such as data minimisation, improving data security, compliance training, amending data handling processes, and so on.

6. Consult stakeholders – depending on the size of the organisation, other stakeholders should be consulted for their review and feedback when conducting a PIA. Legal departments in particular should be consulted early where their input is required. Other stakeholders to consider consulting include compliance teams, IT teams, other marketing team colleagues, and project managers. Each stakeholder brings their own departmental lens and may help identify and mitigate privacy risks that would otherwise be missed.

7. Finalise the PIA – formalise the above findings in a document and collect the required signatures from whoever needs to sign off on the PIA. Most importantly, be sure to store and file the PIA as part of your compliance documentation processes to demonstrate commitment to privacy obligations.

8. Monitor, review and update accordingly – do not make the mistake of treating a PIA as a ‘set and forget’ document. As new projects arise or the next piece of work evolves with new data, new technology or new stakeholders, the PIA will need to be updated accordingly. In doing so, organisations will demonstrate their commitment to compliance and the responsible handling of personal information.

Why Privacy Impact Assessments are important for marketers

In a shifting regulatory landscape where both legislative reforms and consumer demands expect more stringent data handling processes, PIAs are of great importance for marketers and their organisations. This is particularly true because marketers are on the frontline when it comes to data handling, and are therefore an organisation’s first line of defence in privacy protection.

From a legislative perspective, a PIA will help to ensure any marketing work is compliant with the relevant laws, which for most is likely to be Australia’s evolving Privacy Act. A PIA will push marketers to review their tasks through a legislative lens, which may be a new process and skill for many. For any skills gaps in compliance competency, it is highly recommended that marketers seek further training in this field, given the increasing prevalence of privacy legislation in marketing roles. By identifying privacy and compliance risks through a PIA, marketers will help their organisations avoid data breaches and the financial penalties that follow.

From a brand perspective, by conducting a PIA an organisation will likely be more transparent about what data it collects from customers and how it is handled, which improves customer trust. While this is important from a compliance perspective, it is equally important for brand building. Organisations that invest the time and energy into effectively safeguarding their customers’ personal information will reap the benefits in the long term. Identifying risks up front will reduce the likelihood of data breaches and the reputational damage that ensues.
Committing to addressing consumers’ privacy concerns and upholding privacy best practices will gain their loyalty and trust, and ultimately drive business growth. For best practice and optimum responsible marketing behaviour, treat the law as the floor and aim to act above and beyond what is needed for compliance. Taking preventative measures, such as conducting PIAs, is an important way to get on the front foot when it comes to favourable data handling processes.

For further reading, the OAIC has also issued guidance on PIAs which you can find here.

Want to sharpen your privacy and compliance skills? Check out our regulatory course offering, with a range of options to suit your needs. From our online short courses to our more comprehensive Privacy and Compliance for Marketers course, ADMA has your regulatory upskilling needs sorted.