However, she added, there is “no denying” the major changes of the last five years, most notably the introduction of the Australian Notifiable Data Breaches scheme and the European Union’s General Data Protection Regulation (GDPR).

“2018 onwards has been one of the most significant periods of privacy law development that we’ve witnessed since the Privacy Act was amended to extend to many organisations in the private sector 20 years ago,” she proclaimed.

Challenges

When asked about the issues arising from such changes, both for lawyers and their clients, Ms Birch said that the introduction of GDPR and the mandatory reporting requirements for eligible data breaches in Australia “really highlighted” to organisations where their privacy compliance gaps were, and triggered wholesale internal reviews of company data protection practices.

“As lawyers advising in this space, we’ve seen how crucial it is that data protection is embedded across all of a business’ internal systems and processes. Organisations have quickly realised that in order to rapidly respond to the changing privacy regulatory landscape they need not only a robust suite of policy documents (including a comprehensive privacy policy and an effective data breach response plan), but also an internal privacy management framework to ensure that their privacy compliance policies and procedures are embedded across the organisation,” she outlined.

“Stricter privacy regulation has also meant that in-house legal teams need to be acutely aware of all of the agreements that other business units (such as HR, marketing or IT departments) are entering into that may involve a third party handling their organisation’s personal data.

“Operationalising privacy compliance across the organisation, to ensure buy-in from key internal stakeholders from other departments that handle personal data, is critical.”

VIEW ALL

Opportunities

On the flip side, however, there are emerging opportunities for lawyers in this space, especially given the myriad marketplace changes in the wake of the global pandemic, Ms Birch submitted.

“So many companies (both law firms and their clients) have seen a huge impact to their business and revenue as a result of the pandemic, which often leads to an increased focus on marketing strategies that involve the use of personal data,” she said.

“In addition, the phasing out of third-party cookies by web browsers means that businesses will be more heavily reliant on their own first party data. Clients who will be most strongly positioned to use their customer data for marketing will be those who have been open and transparent with their customers about how their personal data will be used.”

Getting this purpose string right from the outset, Ms Birch went on, “allows clients greater flexibility and builds consumer trust”.

“Likewise, trust is often touted as the ‘the ultimate brand differentiator’ by marketers, which means that organisations may have the opportunity to boost their position in a crowded marketplace by being visibly proactive on privacy,” she said.

Responding to change

In response to such evolutions, Ms Birch advised, it is “vital” that lawyers and their clients are proactive about managing privacy risks and embedding privacy compliance – “right from the initial point of data collection”, she insisted.

“Whenever businesses look at introducing a new initiative, system or product that involves handling personal information, lawyers should advise them on potential privacy impacts and encourage the adoption of a ‘Privacy by design’ approach to ensure privacy compliance solutions are built in from the outset, and not bolted-on retrospectively (which can be a costly exercise),” she explained.

Excitement ahead

Lawyers who work in the data protection space find, Ms Birch outlined, that privacy compliance advice often intersects with “some of the most complex and interesting technology developments that are happening globally”, including but not limited to AI, software development and biometrics.

“Ensuring that a ‘Privacy by design’ approach is taken in the development, and deployment, of new technologies is so important, not only to avoid possible ‘function creep’ (where data is collected for one purpose but then used for another, unanticipated purpose), but also to build consumer trust in the technology,” she detailed.

“As we saw in the early stages of the COVID-19 pandemic, with the highly criticised COVIDsafe App, community trust can be a vital element in how effective technology is, and how widely it is adopted.”

Privacy law, Ms Birch concluded, continues to be a growth area in the regulatory compliance space.

“Privacy compliance is an important issue for in-house teams and boards, even within companies who don’t appear to handle much customer data,” she said.