AUSTRALIAN businesses are not doing enough to protect the data of their customers or meet the regulatory obligations set down by the government – and they are at risk of multi-million-dollar fines.
As companies become more interested in capturing information on customers to use for marketing and profiling purposes, they do so without putting emphasis on the security or safety of that data – putting millions of Australians at risk.
Managing Director of leading data management company, EC Integrators, Emy Carr, says Australia is lagging behind both Europe and the United States when it comes to data governance.
“A lot of organisations are paying lip service to it, seemingly oblivious to the fact that there is a regulatory process they could be penalised with,” said Mrs Carr.
“It’s vital to ensure data is safe and secure, correct and trusted.”
The amount of data that is being captured by organisations is growing by the day. Contained within that data is a mixture of both financial and highly sensitive personal information.
Recently the Commonwealth Bank was found to have allegedly breached regulatory policy on 54,000 occasions due to a software failure.
Poor regulatory compliance and bad practices by the financial institution across several business areas have seen the Australian Prudential Regulation Authority start an inquiry and AUSTRAC initiate federal court action against Commonwealth Bank.
TABCORP was recently met with a $45 million fine for falling foul of money laundering laws by not forwarding data reports from smart deposit machines, and now the Commonwealth is facing an even higher penalty.
Mrs Carr said the key mistakes that Australian businesses are making when it comes to data are:
- The Value of Data: Organisations are not placing a value on the data they hold. Many look at it as a way in which they can make revenue, but do not view it in terms of the potential loss of revenue or reputational risk that comes with poor data governance.
- Poor Data Management: Many businesses are failing to adopt the approaches taken by overseas companies, in appointing a Chief Data Officer responsible for determining the legitimate purpose of retaining and utilising the information captured. It is their role to ensure companies have sufficient governance in place to handle and secure the increasing levels of data flowing through the business.
- Crime does pay: There are no uniform financial penalties outlined at the federal level, meaning there is no deterrent for those not investing in adequate data governance for their business. Telstra and Vodafone were fined just over $10,000 for serious data breaches of customer information.
- No set process: Companies may have some form of governance for handling data. However, that often is lost when backup data or testing data is concerned. Often it is not handled with the same security measures when it is outsourced to third parties or shared throughout a company – which is a significant threat. Personally Identifiable Information (PII) and sensitive data should be masked, but often isn’t.
Data breaches can significantly impact a business's reputation, seeing it not only lose customers but also expose its customer database to potential identity theft.
A recent Australian Federal Police survey found that 60 per cent of businesses had suffered a cyber-attack that had managed to infiltrate their security and access data.
But, Mrs Carr said big business is simply not concerned, at least not until it is faced with serious financial penalty for poor data management and security.
“We’re lagging behind in terms of Europe and the US. Despite the fact Data Governance Australia has been introduced to ensure a set standard when dealing with customer data, Australia is yet to implement more stringent personal data protection regulations similar to EU’s GDPR,” said Mrs Carr.
The European Union’s General Data Protection Regulation (GDPR) aims to hold businesses accountable for the way personal data is stored and transformed.
Australian businesses serving the EU will need to be compliant; however, a recent Veritas report showed that only 30 per cent of businesses in the country believed they met the required standards.
“If you’re taking in any customer data at all, there needs to be a governance process in place to understand how that data is moving across the organisation. Who is seeing that data? Who is touching it?” Mrs Carr explained.
“Any weak link across those actually compromises the data. These are prone to identity theft and hacking. Any organisation, small or large, should have a data governance in place.”
“Customers are trusting that their data is safe and secure. We just take it for granted.”
EC Integrators is a leading information management consultancy with specialised expertise in Data Governance, Enterprise Data Management, Data Virtualisation and Business Intelligence.
For more information relating to managing data in business visit www.ecintegrators.com.au