Why the information lifecycle will be vital to data privacy in 2025
By Georgia Marwick*
Thursday, 19 December, 2024


If data is the ‘new gold’, how should organisations be treating it? Data accessibility, accountability, confidentiality and integrity are becoming increasingly crucial for Australian organisations.

Data can be any kind of information, but personal information in particular must be managed carefully. There is both an expectation of appropriate security to protect this data, and a responsibility to ensure the information remains relevant, accurate and up to date.

It is critical to understand the information lifecycle — whom you are collecting data from, whether it is for a legitimate business function or activity, whom you are disclosing it to, how you are storing it, and once you’re done with it, how you are disposing of it.

If you’re collecting personal information just because it’s nice to have, you might be in breach of the Privacy Act 1988.

Data must be accessible and usable

Balancing data accessibility and usability from an organisational perspective is essential. The human element cannot be overlooked: the moment you make data difficult or inaccessible, people will stop following procedures and start to find workarounds.

Organisations often struggle when they create a complex 17-page policy as an ‘effective’ way to control data, but people who need to use that data daily will invariably find ways to circumvent the rules where they inhibit their productivity. The problem? The organisation (per the policy) thinks data is only in one place, but in fact it’s scattered across multiple systems and devices.

The solution is to test these policies and regularly audit them — while encouraging a culture of open and honest dialogue. Speak with your people, ensure they are comfortable saying: “This policy isn’t working, it’s not user-friendly, so I’m doing this instead.” If you can maintain an open dialogue with your employees, you will have better visibility over data access. It can also help to improve processes and policies to make them more functional and effective.

Defending against emerging cyberthreats

It is impossible to mitigate all cyberthreats or data breaches. In the 2023–2024 financial year, the Australian Signals Directorate (ASD) received over 87,400 cybercrime reports and responded to over 1100 cybersecurity incidents. The ASD data highlights the continued exploitation of Australian systems. Of concern is that compromised accounts or credentials were the top cybersecurity incident type reported by ASD. This means the use of stolen or compromised login details is a significant and growing threat to all organisations.

There are a few things organisations of any size can do to mitigate this type of compromise — including implementing access management controls (and applying the principle of least privilege to user access), multi-factor authentication, and ensuring key systems are regularly patched, updated and scanned for vulnerabilities. For larger organisations, or those with lots of data, implementing a data loss prevention (DLP) solution can help relieve the burden on the infrastructure team.

Data sharing with third parties

Organisations also need to identify and mitigate risks related to data sharing with third parties, such as vendors and cloud service providers. If possible, conduct a supplier or vendor risk assessment before engaging with them.

If you’re holding a lot of personal or sensitive information, consult an expert to review the details. At the very least, engage with the third party to ensure secure data handling on their side of the fence. You should review all contracts to clarify shared responsibilities and ownership of risk, and if you’re not absolutely sure, seek independent advice.

If your policy requires vendor risk assessments for all vendors above a certain threshold, never deviate from the policy unless absolutely necessary. Some organisations skip assessments due to urgency or deadlines, but that’s a mistake unless there’s a top-level sign-off with a strong business case, and preferably a risk assessment conducted on the decision as well.

Navigating compliance across different jurisdictions

Evolving international data privacy regulations such as GDPR and CCPA, and changes to our own Australian privacy laws, add another layer of complexity. If you have a legitimate reason for the cross-border transfer of personal information, you need to implement a strategy to navigate various requirements. A starting point may include:

  • Understand your information lifecycle — have a map to show where the data is coming from, stored and transferred.
  • Assess which jurisdictions’ laws will apply — and then identify if there are any conflicting regulations, or additional requirements you need to consider (including consent from the data subjects).
  • Ensure you’ve got appropriate technological controls in place to help mitigate data loss, and where you can, anonymise the data.
  • Regularly monitor data privacy legislation changes across jurisdictions to ensure your processes are up to date.

Incorporating privacy-by-design principles

Privacy by design can help ensure you keep on top of the information lifecycle. Embedding a proactive approach to privacy can start at a project level, but ideally should be adopted across an organisation.

A good first step is conducting a privacy impact assessment. This involves asking questions such as: “What will happen to personal information if I implement this tool or project?” or “Where will this data go?” Although there are many variables, having that impact assessment done is a good way to identify any potential risks before they emerge and mitigate them throughout the process.

Where you can, anonymise data to help reduce your risk, especially when identifying information isn’t essential. If identification is required, have a process for destroying or de-identifying personal information once it is no longer required.

Privacy by design is a cross-discipline exercise, and should include data privacy officers, technical experts and business unit representatives.

Employee education and training are often overlooked, but engaging employees in these discussions can make a significant difference. Regardless of the systems and processes you have in place, people are the gatekeepers to your systems (and personal information), so help them help you stay protected.

*Georgia Marwick is the data privacy lead within the cyber risk and assurance team at CSO Group. She advises on governance, risk and compliance, and aids customers in ISMS implementations and preparing them for ISO27001 certification. Georgia also provides insights and direction for how privacy governance practices can, and should, be introduced to organisations at a board and executive level.

Prior to working in cybersecurity, she was a lawyer at a large commercial law firm, specialising in complex litigation, in particular, class actions. Georgia has a keen interest in the developing space of consumer class actions levelled against organisations that breach their privacy obligations.