Australia: Building customer trust in the digital age data revolution

By: Mr. Matt Mcmillan

The digital age has sparked a data revolution in financial services. With the explosion of internet connected devices and systems, data is being produced and processed in enormous volumes and at rates never seen before. More than 90% of the world's data has been produced in the last 2 years alone¹.

This data may take the form of:

• structured data: which refers to predictable fields of information, such as customer name, address and account number; or
• unstructured data: such as geo-spatial data, social media (including photos and sentiments expressed through social media sites), video and voice content.

While both types of data are growing in size, financial services players are increasingly turning to the world of unstructured data as a vital source of customer insight.

Through the use of sophisticated analytics tools, financial services players are starting to unlock value from the data-driven insights which come from the analysis of data sets - whether it be the personalisation of financial products and services to drive customer engagement and loyalty, the unification of disparate data sets to drive better risk decisions, new marketing and lead-generation models to drive revenues, or opportunities to reduce costs and increase productivity.

Financial service players looking to leverage the value of such data assets must, however, take care to remain truly customer-centric when doing so. This necessarily requires a steadfast focus on ensuring and maintaining customer privacy at all times. Such focus is key to building customer trust in the digital age. Ignoring it has the potential to cause significant brand and reputational damage.

NEW PRIVACY LAWS

On 12 March 2014, the new privacy laws came into force in Australia. These laws, amongst other things, include a new set of Australian Privacy Principles (APPs) that regulate the handling of personal information by organisations, including financial services players².

The object of the very first APP - and one of the of key tenets of the new laws - is to ensure that organisations manage personal information in an "open and transparent" manner. This includes an obligation on organisations to implement practices, procedures and systems that will ensure that they comply with the APPs and are able to deal with related inquiries and complaints³.

In a world where financial services players are increasingly confronted with, and looking to exploit, the ever growing amounts of personal data before them, having a privacy management framework in place is essential - a framework that ensures that good privacy protections are integrated into the organisation's day-to-day operations.

The purpose of such framework is to ensure that privacy issues are addressed upfront - and that privacy and data protection is built into the architecture of systems, technologies and business processes - rather than simply treating privacy issues as an after-thought.

IMPLEMENTING A PRIVACY MANAGEMENT FRAMEWORK

Some of the key measures which contribute to an effective privacy management framework include:

• Policies, practices and procedures: Having policies, practices and procedures that cover matters such as:
  • privacy collection notices and consents
  • handling of access and correction requests by individuals
  • receiving and responding to complaints and enquiries
  • the security of personal information, including the use of de-identified data sets
  • records management, including data retention practices
  • engagement with external suppliers involved in the handling of personal information on behalf of the organisation.
• Privacy policy: Having an external privacy policy which meets the requirements of the APPs, is easy to find and clearly and simply describes what the organisation will do with the information, why it uses information in the way it does and the choices available to customers.
• Privacy impact assessments (PIAs): Undertaking PIAs for new projects in which personal information is handled, or when a change is proposed to information handling practices. PIAs are an effective tool for analysing the possible impacts of a project on customer privacy and finding potential ways to mitigate those impacts, while still achieving or enhancing the project goals.
• Threat or risk assessments: Undertaking threat or risk assessments where there is a heightened data sensitivity risk or a real risk of serious harm to the individual.
• Data breach response plan: Having a robust and carefully considered plan for responding to privacy breaches and notifying affected individuals where it is appropriate to do so.
• Security measures: Implementing technical, operational and contractual measures to ensure the security of the personal information held by the organisation. This includes reviewing the adequacy of existing security measures, building privacy upfront into system design specifications, and ensuring contracts with IT vendors have appropriate contractual protections.
• Governance mechanisms: Considering the most appropriate governance body or structure for managing the framework, including designated privacy officers and regular reporting to the governance body.
• Staff training: Providing regular training to staff on the application of the APPs and the internal practices, procedures and systems designed to facilitate such compliance.
• Audits: Regular audits of practices, procedures and systems to ensure that personal information is being handled in an open and transparent manner, and otherwise in compliance with the APPs.

Implementing an effective privacy management framework is fast becoming a critical governance issue for players in the financial services industry.

The level of trust in an organisation's brand in the digital age will, in part, be the result of how well that organisation implements the above measures and how well it acts as a careful steward of the personal information in its possession.

Footnotes

1 See article entitled "Big Data, for better or for worse: 90% of the world's data generated over the last two years" at http://www.sciencedaily.com/releases/2013/05/130522085217.htm.
2 The new laws apply to all organisations, but exclude small business operators with a turnover of $3,000,000 or less for a finan cial year unless an exception applies.
3 See APP 1.2

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.