Odgers Berndtson

OBSERVE Magazine

The Future of Data Integrity in Australia


In this interview piece, Olivia Vas, CIO Technology Practice Lead at Odgers Berndtson, speaks candidly with Matt Worsfold, Partner at Ashurst Risk Advisory, about the future of data integrity in Australia.

Matt Worsfold is a Partner in Ashurst Risk Advisory, leading the Data and Analytics Practice. He specialises in risk analytics and data risk management, supporting a variety of large corporate and government clients. Having lived in and represented clients in Australia, and now being back in the UK, Matt provides a unique lens on the current landscape in the UK and on how data and regulation are reflected in both markets.


Given the recent legislative changes around privacy, what challenges are the UK facing today that will likely impact Australia tomorrow?

It’s an interesting development; the UK and Australia are moving in different directions. Australia has been looking at GDPR over the last few years and assessing what has worked and what hasn’t. There will be a shift to being more restrictive and prescriptive in what organisations can do, creating a greater compliance burden on many organisations. 

On the other hand, the UK is pivoting in the other direction, driven by the mandate about increasing competitiveness, particularly post-Brexit. They are encouraging business to the UK, so they will likely move to a more risk-based approach regarding privacy legislation. The focus will be on releasing some burdens on smaller, more domestic organisations. Some of the clients we work with have cross-Europe or global business models, so the reform in the UK won’t influence much around what they need to be complying with, as GDPR will still definitely be enforced. 

It’s an interesting topic with us both moving in separate directions, but I think privacy reform in Australia will take many lessons from GDPR.

With data privacy laws becoming more stringent in Australia, how can organisations ensure they are compliant with these laws while also maintaining their competitiveness in the marketplace? It seems the UK is now taking that into account.

It is about going back to fundamentals, and it comes down to good data governance as the bedrock. These are not new principles, but it’s about designing good frameworks and ensuring they have been implemented. As an organisation and leader, you need to be able to answer some fundamental questions that, while seemingly simple, are often complex to answer. Those really boil down to what data I am holding, where it sits within the organisation, whether I should still be holding that data and what controls I need to put around it. If you can answer those key questions, you have effectively got your data governance right, and you can use that for customer marketing initiatives, developing innovative products – the more exciting, revenue-generating parts. This applies now more than ever, with the developments around cyber, privacy and AI.

How do you see the regulatory landscape for data integrity evolving in Australia, and what implications will this have for organisations? As you say, we are looking at GDPR, how it worked, and how it didn’t, but is there anything further organisations should think about?

Much of the regulation touching upon data globally focuses on key themes around transparency, explainability, traceability, and quality. Those foundational parts are what a lot of regulators will be expecting. That could be everything and anything from privacy implications and coming back to ‘what am I holding, what am I doing with that information, how transparent am I about what I am doing or not doing?’ It also extends into the arena of AI, and that’s a big topic now in terms of transparency and explainability; specifically, what am I doing with those models and, fundamentally, what am I doing with the data that feeds into those models? We will see many of those principles in what the regulators focus on and implement.

For some of the specific sectors – in the financial services space, the regulators have said we want to be more data-driven as a regulator, and I expect a lot of regulators to follow suit. I think that will mean increasing requests for data, which again focuses on ‘Do you have high-quality data? Is it available?’ but, more importantly, ‘Do you understand what the data is?’

It is about getting ahead of the curve – for example, what the data is telling you about risk, what you’re doing, who you’re selling products to, how the products are performing – as the regulators are going to be using data to form that picture for themselves, you will want to understand what is going on in your own business before they do.

Obviously, data is a valuable commodity – how can organisations balance the need for data access and sharing with the imperative to protect data integrity and privacy?

Much of it comes down to how you can utilise technology and data management techniques as an enabler. It is that age-old saying – ‘it’s never the answer to everything and the answer on its own’, but it’s an enabler. The rise in privacy-enhancing technologies is going to make that easier for organisations. They are more emerging currently, but organisations need to look at what is out there in the market and how it can support that balance between data access, data sharing, and the use of data vs. protecting an individual’s privacy rights. You also need to go back to some strong data management and data storage techniques – everything from anonymising data, data masking, and encryption – and it also comes back to that principle, particularly for GDPR, around data minimisation: not holding, and not trying to collect and aggregate, masses of information for the sake of it. What is absolutely needed for the purpose you are trying to use it for, and how can you demonstrate you are abiding by that principle? That then helps you balance those two drivers, trying to maximise the use of data but also minimising the amount of data you might have access to, to be able to drive that.

In your view, looking at the Latitude data breach retaining customers’ data as far back as 2005, how long should organisations retain customers’ data once the customer has ceased using the organisation’s products? Australia has no mandate on this – does the UK have specific timelines on customer data?

It is a complex field with data retention, as the number of obligations organisations must comply with varies. This depends on the nature of the business, the sector, the jurisdictions they have a presence in and ultimately, the type of data it collects and stores. We typically find a lot of what we are doing for clients is having them map the range of obligations they need to comply with, and these span much further than we would think. GDPR might say one thing, but there will be a lot of sector-specific regulations that have data retention obligations in there.

In Australia, for example, some employment legislation has data retention obligations – so you start to get this patchwork of different regulations about data retention. Mapping those becomes critical. Only then can you really understand your legal requirements from a retention perspective, because they often interplay and sometimes conflict. There are mechanisms for dealing with that – taking the minimum standard approach is what many of our clients go with, by looking at the most restrictive period and applying it to everything, so we know we are compliant across the board. It does get very complex. With any breach, with any assertion around data retention and whether people should be holding it, it comes down to what is the legal obligation – do I have a legal basis for holding the data, and is there a business purpose for holding it? If not, then make sure there are processes in place to get rid of it.

The complexity comes from the different patchwork of obligations that depend on the type of organisation and the sector they work in.

What do you think Boards should consider regarding their data, and how can they ensure that their organisation is adequately protected against cyber threats?

It comes back to those key questions I referenced, which are questions that every Board should ask its business. With regard to data – what, where, should I still have it, and is it adequately controlled? These are fairly simple questions on the face of it but require quite in-depth thinking and action to be able to answer them with confidence.

Having a data breach is one thing, having a data breach where you’ve exposed historical data that you should have disposed of just takes it to that next level.

The biggest issue we tend to run into when dealing with cyber incidents is that a lot of our clients and organisations don’t understand what they are holding and are, therefore, often holding onto it for too long. What that typically does is increase the magnitude of the breach. You’ve got to think about the regulatory implications and what the expectations of your customers are around data retention and data handling. Understanding the answer to those questions helps us comprehend data retention and how we make sure we understand where the data is sitting and how critical or sensitive it may be. Then, we can ensure we are managing it adequately and protecting it.

It is important to take your most personal and sensitive information and secure it somewhere that makes it incredibly difficult to access. That is ultimately what a threat actor is after when they are trying to carry out a cyber-attack.
