Data is fast becoming one of the most important intangible assets and organisations need to take data privacy seriously. KPMG’s data privacy services national leader, Kelly Henney talks through the grey areas for risk managers.

This week is Privacy Awareness Week (PAW), an annual initiative run by the Office of the Australian Information Commissioner (OAIC) combined with the Asia Pacific Privacy Authorities forum. The theme is “Don’t be in the Dark on Privacy.”

Data is fast becoming one of the most important intangible assets and organisations need to take data privacy seriously.

We are seeing a growing commoditisation of data and the advent of serious data breaches across jurisdictions and industries has called for sweeping regulatory change – notably, the Notifiable Data Breaches (NDB) Scheme and General Data Protection Regulation (GDPR) – to codify accountability and transparency. Fines are only the beginning of repercussions for data breach, with reputational damage at stake as well.

Boards are increasingly facing data related risks and issues. New regulation, and community expectations, need to be balanced with strategic objectives for digital transformation. Some of the key data related issues facing boards today are regulation, consumer trust, security, governance and technology.


The NDB Scheme and the GDPR brought about significant regulatory changes such as mandatory notification of eligible data breaches in Australia and the EU and stronger protection of data subjects rights, including the right to be forgotten and the right to access. The GDPR has extraterritorial reach implicating Australian businesses that offer goods and services to individuals in the EU, and/or monitor EU individuals.  The GDPR has also introduced heavy fines ranging from €20 million to 2-4 percent of annual global turnover or whichever is higher.

Both pieces of legislation bear a significant compliance burden, and risk of reputational and financial loss entailed in meeting these imposing obligations.

Upcoming regulation called the Consumer Data Right will start with Open Banking and ultimately be implemented across the entire market, with Energy and Telecommunications industries next cabs off the rank.


2018 was a year of significant data breaches. Such breaches include the myfitnesspal breach where approximately 150 million customer accounts were leaked, the Orbitz breach that resulted in unauthorised access to 880,000 personal credit card details and the Cambridge Analytica breach where data on 50 million Facebook users was used to build psychological profiles by Cambridge Analytica.

Such data breaches, and the approaches to resolution for affected individuals indicate a shift in accountability, by introducing heavy fines, public reporting and transparency.

One way organisations can gain consumer trust is through transparency over internal and external data flows, communicated through privacy statements and giving consumers control over how their personal data is collected.


Strategic objectives for technology transformation, use of social media engines and upgrading legacy systems all increase exposure to the risk of cyber-attacks.

Organisations can take proportionate technical and organisational measures by integrating preventative measures to safeguard, raising awareness of every employee’s role in data protection, implement common controls and distributing responsibility across all levels of an organisations.

Common controls include:

  • Pseudonymisation and encryption;
  • Confidentiality, integrity, availability and resilience of processing system;
  • Restoring availability and access to personal data following a cyber-attack; and
  • Monitoring and supervision of technical and organisational measures.

Data Strategy, governance and technology innovation

A strong data strategy may include automation and AI initiatives to replace and enhance existing business processes. Such initiatives bring new risks. Boards may be concerned about the mismatch in maturity of organisation-wide data governance practices with the speed of automation deployment which results in taking on more risk. Without good data governance there remains risk of grey areas in data uses –and breaches. Effective Privacy Impact Assessments (PIAs) are critical to ensuring personal data risks are detected and managed. Additionally, it may be relevant to invest in training of existing employees to navigate the new risks as their roles evolve.

Good data governance provide for a clear framework of data management which will decrease the likelihood of financial and reputational repercussions that follow data breaches.

In relation to consumer data, good governance include;

  • Data principles that align with consumer expectations, board risk appetite and organisation values
  • Enforcing, monitoring and reporting in relation to data governance and controls
  • Mechanisms for monitoring regulatory change
  • Clearly defined roles and responsibilities, with empowering delegations of authority
  • Managing conflicts with business uses of data, and secondary uses

As the pace of automation and AI solutions accelerates, new regulations and community expectations will need to be navigated to ensure personal data is adequately protected.

While consumer awareness of data privacy is currently at its highest measured levels, organisations need to finely balance these heightened expectations with meeting efficiency and competiveness objectives. Organisations should not be afraid to use the data they have, as long as they have confidence that it is well protected, backed by lawful processing and anonymised or pseudonymised where appropriate.