Like many in the industry, I was interested to see what the Government's response to the Privacy Act Review report would reveal.

My top takeaway was that we aren’t as far down the path as I would have expected and that has me panicking a little. Let me explain.

For most of the issues that are important to our clients, such as how personal information will be defined, obligations concerning de-identified information and the definition of consent, the Government agrees with the review in principle.

While they’ve given us a fairly clear signpost, frustratingly, they've got to do some more investigation.

It's hard to say if we’re heading in the direction that we thought, but the final deadline for compliance shows little sign of shifting.

One thing is for certain, the government is going the way of GDPR which broadly signals a data opt-in where brands will need to ask for permission before collecting data versus the Californian CCPA route where a “Do Not Sell or Share My Personal Information” link or button must be provided on the homepage of the website.

But it looks as if we are going to have to wait until we see the actual legislation before we find out exactly how far the new rules will go.

What we do know is that the legislation will be introduced next year which only gives us about 14 months to be compliant. That’s just a little over half the time business had for GDPR, that was about two years between the legislation landing in 2016 and compliance kicking into effect in 2018.

With the next Federal Election to be held during or before 2025, and the Albanese government committed to delivering this during their first term, consider that the hard deadline.  

With the state of the average Australian business well underdone in many relevant areas, we need to get work now with what we know and what we can deduce.

Stop using third-party data

I know I sound like a broken record when I say this, but if you’re still using third-party data, stop now. When the new legislation comes into effect, you will have your hands full wrangling your own data. You do not want to be worrying about where other people are sourcing their data from and whether it meets all the new rules.

Instead, get your first-party data sorted from today. Haven’t got any? Start collecting it. Got some but it’s a hot mess? Get your house in order.

Where’s your data?

While many of the various privacy legislations around the world make the transfer of data to foreign entities illegal, it looks like we’ll be right to share it with countries that have similar data laws in place. The US and the EU seem like the most likely places to fit the bill.  

Still, you’re going to want to check where your data is right now and where it goes when it’s under your control.

Bear in mind that Austrian and French courts both found that using Google Analytics on websites in the EU is illegal because, by default, the data is transferred to the US for processing. If you’re shipping data off to far-flung lands, you could be looking at some unwanted fines.

This is common on SaaS platforms and isn’t something many would think about when choosing a provider – especially not for something as ubiquitous as Google Analytics. Some ad-tracking cookies may even send your data to organisations you’ve never heard of.

You need to check. A simple tag audit could be the solution to ensuring your data is going where you think. Do it now so you have time to fix it if you find something unexpected.

Deal with your ‘dark data’

Team members have come and gone, and you don’t even know where all your data is stored and how to access it. You’re wondering if you need to keep customer sales records from sales 10 years ago or aggregate historical data for analytics.

The International Data Corporation (IDC) estimates that by 2025 there will be 175 zettabytes of data globally. If you wanted to store 175ZB on DVDs, your stack would circle Earth 222 times. Downloading that much data on an average home internet connection would take 1.8 billion years. And we definitely don’t have that long to be compliant.

IDC estimates 80 per cent of that data is unstructured. On average 90 per cent of unstructured data is never analysed. While the value of this so-called ‘dark data’ may be lost or misunderstood, it could be a goldmine for hackers.

Take a good look at your data lake. Determine what could be aggregated or anonymised. Permanently delete anything that’s no longer useful.

Avoid data swamps

As the number of customer touchpoints continues to increase, having data locked in software or even vendor silos prevents you from fully understanding what customers want and expect. And it limits the ability to gain true insights.

It becomes a juggling act. How do you balance greater data privacy and control and deliver the levels of personalisation expected by customers and business stakeholders?

It's a good time to revisit your entire tech stack, looking at everything from in-store POS systems, call centre software, and CRM platforms, to on-site personalisation, analytics, and advertising data capture.

A modern tech stack needs to incorporate CX, consent, compliance, and governance with systems that integrate at a level far beyond what any single software vendor can supply.

Rebuilding part of your tech stack may mean moving data from one platform to another.

It’s very easy for data lakes to turn into stagnant data swamps. So get onto it now.

You might think you’ve got all the time in the world to get your data in order but if you don’t want to get caught with your pants down, you don’t have a second to waste.