Privacy law continues to be a growth area in the regulatory compliance space, says Kara Birch, with evolutions ramping up in the age of coronavirus.
In conversation with Lawyers Weekly, Peripheral Blue Legal director of policy and compliance Kara Birch (pictured) reflected that Australia is “currently in a bit of a holding pattern” with privacy law, as professionals in this space await possible amendments to privacy requirements that may flow out of the federal government’s review of the Privacy Act.
However, she added, there is “no denying” the major changes of the last five years, most notably the introduction of the Australian Notifiable Data Breaches scheme and the European Union’s General Data Protection Regulation (GDPR).
“2018 onwards has been one of the most significant periods of privacy law development that we’ve witnessed since the Privacy Act was amended to extend to many organisations in the private sector 20 years ago,” she proclaimed.
When asked about the issues arising from such changes, both for lawyers and their clients, Ms Birch said that the introduction of GDPR and the mandatory reporting requirements for eligible data breaches in Australia “really highlighted” to organisations where their privacy compliance gaps were, and triggered wholesale internal reviews of company data protection practices.
“Stricter privacy regulation has also meant that in-house legal teams need to be acutely aware of all of the agreements that other business units (such as HR, marketing or IT departments) are entering into that may involve a third party handling their organisation’s personal data.
“Operationalising privacy compliance across the organisation, to ensure buy-in from key internal stakeholders from other departments that handle personal data, is critical.”
On the flip side, however, there are emerging opportunities for lawyers in this space, especially given the myriad marketplace changes in the wake of the global pandemic, Ms Birch submitted.
“So many companies (both law firms and their clients) have seen a huge impact to their business and revenue as a result of the pandemic, which often leads to an increased focus on marketing strategies that involve the use of personal data,” she said.
“In addition, the phasing out of third-party cookies by web browsers means that businesses will be more heavily reliant on their own first party data. Clients who will be most strongly positioned to use their customer data for marketing will be those who have been open and transparent with their customers about how their personal data will be used.”
Getting this purpose string right from the outset, Ms Birch went on, “allows clients greater flexibility and builds consumer trust”.
“Likewise, trust is often touted as the ‘the ultimate brand differentiator’ by marketers, which means that organisations may have the opportunity to boost their position in a crowded marketplace by being visibly proactive on privacy,” she said.
Responding to change
In response to such evolutions, Ms Birch advised, it is “vital” that lawyers and their clients are proactive about managing privacy risks and embedding privacy compliance – “right from the initial point of data collection”, she insisted.
“Whenever businesses look at introducing a new initiative, system or product that involves handling personal information, lawyers should advise them on potential privacy impacts and encourage the adoption of a ‘Privacy by design’ approach to ensure privacy compliance solutions are built in from the outset, and not bolted-on retrospectively (which can be a costly exercise),” she explained.
Lawyers who work in the data protection space find, Ms Birch outlined, that privacy compliance advice often intersects with “some of the most complex and interesting technology developments that are happening globally”, including but not limited to AI, software development and biometrics.
“Ensuring that a ‘Privacy by design’ approach is taken in the development, and deployment, of new technologies is so important, not only to avoid possible ‘function creep’ (where data is collected for one purpose but then used for another, unanticipated purpose), but also to build consumer trust in the technology,” she detailed.
“As we saw in the early stages of the COVID-19 pandemic, with the highly criticised COVIDsafe App, community trust can be a vital element in how effective technology is, and how widely it is adopted.”
Privacy law, Ms Birch concluded, continues to be a growth area in the regulatory compliance space.
“Privacy compliance is an important issue for in-house teams and boards, even within companies who don’t appear to handle much customer data,” she said.