The Privacy Summit 2016 – Trust in Privacy, held the other week in Sydney (14-15 November), is the annual gathering for iappANZ members (International Association of Privacy Professionals – Australia & New Zealand) and other privacy practitioners, academics and regulators.
New Zealand and Australian privacy practitioners have a strengthening professional network in iappANZ. It’s a vigorous antipodean offshoot of the US-based IAPP.
Privacy Summit 2016
The numbers attending the Summit were good and an indication of a healthy sector – although nothing like the 3,500-plus strong crowds that congregate for similar US events, like the Global Privacy Summit 2016.
New Zealand’s privacy commissioner, John Edwards, outlined what we hope and expect might be coming in our privacy law reforms to an engaged audience.
Timothy Pilgrim, Australian Information Commissioner, summarised Australian developments.
Two key things from a New Zealand perspective are a Federal Bill to introduce mandatory data breach reporting and another Bill to restrict reidentification of individuals in big government data sets.
Deidentification is a highly contentious topic, with experts arguing about whether the various approaches even work. See:
As a New Zealander in the audience, it reinforced to me how ready we are for similar public debate and reforms. We’re barrelling down the path of maximising the value of government data sets, and our public debate around how to do that safely – and with public trust intact – is developing. In this case, the Aussies have beaten us to it (but let’s not dwell on that).
One certain reality is that Australian and New Zealand businesses want to ensure there is a seamless approach to the legal frameworks they engage with here and across the Tasman. There is no advantage in being an outlier in data protection terms. The same sort of pressure is evident in the European context.
Europe and GDPR (not)-readiness
A former colleague from the New Zealand Privacy Commissioner’s office, Polly Ralph, now working in the UK for PwC, delivered a sobering message about the lack of preparedness of UK and European businesses for new data protection regulations. The General Data Protection Regulation (GDPR) will come into effect throughout Europe in May 2018.
Admittedly the Brexit result has thrown an element of uncertainty into the mix, as people reconsider the impact it will have upon their data protection responsibilities. But undoubtedly any business engaging and transacting with Europe will need to look to the standards set in the GDPR.
PwC has tried to evaluate the level of GDPR readiness by UK business particularly, through a "readiness assessment tool" to measure compliance maturity. The results were hugely underwhelming, with most businesses not even equipped to deal with the current regulatory framework, let alone new and enhanced expectations. An example that gives a flavour of the results overall: "79% of organisations we assessed, do not feel confident that the personal data they collect and process is kept accurate and, where necessary, up to date."
PwC’s general prediction? - "There is an inevitability of mass illegality in 2018."
There are plans afoot for expanding the IAPP certification programme for Australia and New Zealand, so watch this space for information on how you can upskill.