In Deloitte’s third annual assessment of the privacy practices of the top 100 brands both listed on the ASX 100 as well as non-listed, there is some disconnect between what organisations do and what their employees want them to do.
Deloitte Cyber Risk Services Partner Tommy Viljoen said: “In this index we wanted to see if there was any difference between what organisations and what staff members believe is occurring when it comes to protecting data and honouring customer privacy.
“We surveyed more than 1000 employees of these top organisations, asking for their opinions of their organisation’s privacy practices, in particular their expectations of trust, complaints and information handling.
“One of our key findings was that 91% of organisations believe their organisation could be more transparent with consumers about how their information is used. And almost 60% of organisations believe they should do more to build trust with their employees.”
Viljoen explained that the focus on employees as the consumers this year was because most organisations in Australia have reached a level of maturity in their website privacy and security controls and policies.
He said: “The reality is that mobile apps are now more open and transparent to consumers, so we wanted to discover if there was any dichotomy between organisational governance practices and actual operations. And we found that there was.
“An organisation may feel for example, it has all the requisite boxes ticked and all its policies and procedures in place. Yet it appears that many staff members may circumvent these processes, and find what they consider to be easier ways of doing things, even if ‘adequate’ monitoring processes are in place.
“To preserve and indeed build trust, organisations need to be authentic. This requires transparency of how customer data is being managed and staff members who are fully aligned to managing the information safely and securely and so act accordingly.”
Deloitte Cyber Risk Advisory Director Marta Ganko, who co-authored the Privacy Index said: “We wanted to explore whether training and policies translate into compliant behaviours; and if not, what to do about it. We found that the organisations that ranked the best in terms of risk awareness and privacy protection had a privacy officer, regular training programs, and ensured their third parties notified them in the event of a breach.
“Also the survey revealed that bundled consent, Terms & Conditions, or privacy policies cannot be relied on to manage information. And that 40% of the consumer/employee respondents said they only received privacy training at induction or on an ad hoc basis.
“Given this current situation of ‘could do better’, plus the future direction for organisations both here and around the world, for individuals to have greater controls over the collection and sharing of their data, our organisations have a big challenge ahead to maintain and/or build trust, develop resilience and create an environment of real consumer and business confidence.
“In Australia the Productivity Commission has called for greater controls for consumers to both manage access to and the sharing of their data.
“Such provisions already are enacted in other parts of the world, including the European Union. The two salient directives are the Revised Payment Services Directive (PSD2)1 and the General Data Protection Regulations (GDPR)2.”
Viljoen said: “We believe one of the reasons the financial sector ranked at the top of the index again this year, followed by Government and, for the first time in the top three, telecommunications and media, is because all three sectors are highly regulated.
“Financial services conduct frequent privacy training. Their employees can correctly identify a privacy impact assessment, and they know the process to follow in the event of a data breach.
“Each of the top three sectors in this year’s Deloitte Privacy Index have employees who said they would be comfortable being consumers of their own employer’s brand,” Viljoen concluded.
As the Australian Privacy Commissioner Timothy Pilgrim said3: “Simply put, a successful data-driven economy needs a strong foundation in privacy …When there is transparency in how personal information is used, it gives individuals clarity, choice and confidence that their privacy rights are being respected.”
1 PSD2 – Retail banking will be disrupted from 2018 as consumers take control of their data, choosing where they make payments from, and instructing their bank to provide access to third parties to make this happen.
2 GDPR – Individuals can request their data be provided in machine readable to other organisations even if a competitor.
3 Speech delivered at Crowne Plaza, Canberra, 16 November 2016