General Data Protection Regulation (GDPR) , Global Compliance , Standards, Regulations & Compliance
Spurred by GDPR, Australian Businesses Catch Up on PrivacyCasual View of Privacy in Australia Is Changing, Says Symantec's Brian Fletcher
Australia has long had a casual approach to privacy, but the EU's May 25 enforcement deadline for its General Data Protection Regulation is prompting a rethink about data handling in the nation, says Brian Fletcher, Symantec's director of government affairs in Asia-Pacific. .
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
"Australian businesses have generally been late to the party when it comes to privacy and particularly with GDPR, and in some ways, that's completely understandable," he says.
Fletcher is well positioned to contrast his country's approach and attitude to privacy with those of the EU, U.S. and other regions. Before joining Symantec in 2016, Fletcher served in the Australian government for 21 years, most recently as the director of cybersecurity relationships for the Australian Signals Directorate, which is Australia's sister agency to the U.S. National Security Agency and the U.K's GCHQ.
At the ASD, Fletcher led the development of cybersecurity policy and partnerships with industry and federal, state and territory governments. And before that, he served in the Australian Embassy in Washington, where he provided advice to ambassadors and defense staff on strategic cybersecurity and intelligence issues.
Australia's Privacy Act
A country's approach to privacy can be deduced based on its laws. So it's notable that Australia only passed a federal Privacy Act in 1988, compared with, for example, Sweden, which passed its first national data protection law in 1973.
Australia's Privacy Act created a privacy commissioner and regulated how governments and businesses with more than $3 million in annual turnover handle personal information.
In 2017, an amendment to the Privacy Act began requiring some types of organizations to report data breaches to regulators (see Australia Enacts Mandatory Breach Notification Law).
Even so, the current law still falls far short of GDPR, Fletcher says. For example, GDPR considers an email address to be personal information, while Australia's Privacy Act does not, he says.
Increasing Concern for Privacy
Europe's support for GDPR came, in part, because of increasing frustrations with how U.S. technology giants were acquiring, storing, transferring and using personal information in ways that were opaque to consumers and regulators. But such frustration, Fletcher says, strikes some Australians as being culturally strange (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).
Australians' privacy attitudes, however, appear to be evolving. Last year, the Office of the Australian Information Commissioner conducted an in-depth survey of the public's attitude towards privacy. While the survey results are extensive, one top-line finding is that 69 percent of consumers were more concerned about online privacy in 2017 than five years before.
"We've never seen that [before] with Australia consumers," Fletcher says. "This casual Australian approach to privacy essentially means there haven't been any market drivers for privacy in Australia, and that's changing, and that's really quite exciting. And it certainly allows companies to go out there and make it a competitive advantage."
Privacy Versus Security
Unfortunately, some Australian businesses continue to conflate privacy with security, Fletcher says.
"Privacy is so much bigger than security, which is where I fear that Australian corporations are really going to fall over," he says.
Clearly differentiating between the two concepts remains essential because security teams don't decide what data to collect, when to collect it or when to get appropriate consent, Fletcher says. Likewise, such teams don't get to decide how to use the data or when to delete it, he adds, noting that this isn't just a problem in Australia but also throughout Asia.
Complying with GDPR can also be a massive technical challenge for organizations, Fletcher says. Consumers have a right to request what data an organization holds about them, but most organizations store data in back-end databases and systems that simply have no interface for retrieving details about a specific consumer, he says.
"It's in the European regulators' best interests that the GDPR works. They want Europe to be open for business. They want people to be able to build value from data."
—Brian Fletcher, Symantec
Larger companies are spending huge amounts of money to attempt to automate these information-retrieval processes, such as grabbing structured data held in Oracle and other databases. But many organizations have also amassed unstructured data, especially in cloud applications and backup or storage systems, all of which complicates retrieval efforts.
"To [architect retrieval systems] to the spirit of the GDPR, to the way that regulators would really like companies to do it, is a massive undertaking for most folk," Fletcher says.
Some organizations are using call centers and having staff manually go into all necessary systems and extract data to provide it to its owner.
Such manual operations come at a cost. "That's actually hugely expensive, but it's cheaper than re-engineering their systems to make it actually work properly," Fletcher says.
Potential Compliance via Data Buckets
Another approach: Rather than bring all systems into compliance with GDPR, put all European citizens' data into one bucket, separate from the rest, Fletcher says. He's seen manufacturers in Japan take this approach.
In Australia, however, some banks are thinking more long-term and applying GDPR rules across the board. That may prove prescient, particularly if GDPR's tenets prove popular and other countries seek to adopt similar principles.
"The big banks are getting out in front of this already," Fletcher says. "So Australian consumers are benefiting from these GDPR reforms."
GDPR gives regulators the ability to impose fines of up to €20 million ($23 million) euros or four percent of an organization's annual global revenue, whichever is greater. But despite the potential for steep fines, "it's in the European regulators' best interests that the GDPR works," Fletcher says.
"They don't want to send people out of business," he adds. "They want Europe to be open for business. They want people to be able to build value from data. They just want to set the rules by which it is done."
Executive Editor Mathew Schwartz also contributed to this report.