Episode 10

Organizations must keep pace with evolving privacy expectations | Yvonne Sears, ISD cyber

Co-founder and managing director of ISD Cyber Yvonne Sears offers her perspective on how public and corporate attitudes towards privacy have evolved, what may be next for privacy regulation, and what organizations need to do better to ensure they meet their obligations.  

They also discuss:

  • Key cybersecurity and privacy management mistakes organizations are making  
  • The need for organizations to deeply understand the privacy regulations they are subject to.  
  • Why business impact assessments (BIAs) are vital for organizations to understand their critical dependencies, risks, and controls.  
  • Predictions for upcoming changes to privacy regulation, both globally and in Australia.  
  • How have public and corporate attitudes toward privacy changed in recent years?  
  • The convergence of information governance, data management, and privacy.  

Resources

🎧 FILED S02:E01: Privacy maturity requires information governance maturity | Dr Darra Hofman, San Jose State University

🎧 FILED S02:E04: Companies must focus on reducing risk, not just improving compliance | Dr Miles Ashcroft, RecordPoint

📨 FILED Newsletter: The data privacy regulation floodgates have opened. Time to catch up.

Transcript

Anthony Woodward

Hi everyone, welcome back to another edition of FILED, a monthly conversation with those at the convergence of data privacy, data security, data regulation, records, and governance. I'm Anthony Woodward, CEO of RecordPoint. And with me today is my cohost, Kris Brown, RecordPoint's VP of product. Hey, how are you, Kris?

Kris Brown

I'm good, Anthony. How are you?

Anthony Woodward

Yeah. Good. It's a wonderful day here in Sydney and I'm looking forward to today's discussion. Yeah. Me too.

Kris Brown

Nice and sunny here in Queensland. So, I think our guest, which I'll let you introduce is just another

Anthony Woodward

part of the country. Today we have Yvonne. Yvonne, whereabouts are you today?

Yvonne Sears

I'm in Adelaide. Thank you for having me. And I join you in the sunshine as well. So, finally getting some warmth.

Anthony Woodward

Absolutely. No, and it looks like here down in the Southern Hemisphere, summer's just on its way, but I know Yvonne, you wear quite a few hats. I'd love to get a bit of a rundown on your career and where you've been and what you do in your day job at ISD Cyber.

Yvonne Sears

Yeah. Wow. Okay. I'll try and summarize that quickly for you because, well, we've only got half an hour. So, I've been in the industry now for just over 23 years. So, my experience cuts across various disciplines. So, I cover off information security management, cyber security, business continuity, and privacy.

Yvonne Sears

So, my life pretty much started off in a county council in the UK, where I was systems administrator, doing all the, like, mainframes and backups and all that, that jolly good stuff, and... Down in the dungeons, so if you keep in mind the IT Crowd, it was pretty much like that. We were down in, in the depths of the dungeons, in the, in the, in the council, so that was fun.

Yvonne Sears

And, yeah, they soon kicked me out the nest and said, go away and do some consulting. Yeah, so, I went from there and, and worked in a lot of the London... boroughs for a few years, actually, helping them with their data protection requirements, freedom of information as well, because there was a new standard called the Caldicott Standard that came out that was specific to the protection of the vulnerable in society.

Yvonne Sears

And that really overlapped my learning in data protection and information security at that time. So, I was very much a champion in that space for the London. And then I decided I'd had enough of working by myself. I was an independent consultant for about five years. So, then went to become an employed consultant, worked in various areas and then moved down to Adelaide in 2010.

Yvonne Sears

Again, started out here in various consultancies and then went independent for a while and decided I can... It was 2016, or towards the end of 2016, overlapping 2017, to set up my own business, at which point a fellow contact was also thinking of the same thing at the same time, and it was just coincidence, and we decided to set up together.

Yvonne Sears

So, here we are now, what is it, six years later.  

Anthony Woodward

No, fantastic. And I know, do you get an understanding of where you focus these days in the last six years with ISD Cyber?  

Yvonne Sears

Yeah, so a key focus for the last six years has been around information security management, cyber security is really sort of coming to the fore just like the last five years.

Yvonne Sears

It's become a really trendy word. So, that's been there. Unfortunately, less so on the Privacy side of things, because little did I know before moving to Adelaide, we don't actually have any really strong privacy legislation that organizations have to abide by. And it's very much a catch me if you can type of attitude within an organization.

Yvonne Sears

So, that has been a hard, hard sell, especially within Adelaide, but I'm hopeful that the new privacy reform will actually trigger some better conversations within all sorts of size organizations around, you know, what they do with personal information and give it a little bit more respect. So, that's my intent.

Yvonne Sears

So, the focus over the last few years in particular has been essentially cyber security.

Kris Brown

Yeah. Thanks for that, Yvonne. So, look, what are the, some of the things that the organizations that you are working with at the moment, what are the things that they're getting wrong either from that cyber security or even the privacy world?

Yvonne Sears

So, some of the key issues I'd say is for organizations to really understand where to start when it comes to cyber security, especially over the last few years, there's been a lot of changes in terms of the international standards and industry regulations and legislation as well. It can be quite a minefield, depending on what industry you're in.

Yvonne Sears

I mean, for example, we've recently had over the last couple of years, the Critical Infrastructure Act come through, and that has some specific requirements on incident management, reporting, asset management, and risk management as well. We're seeing a greater push from a director's accountability and responsibilities as well.

Yvonne Sears

And there's that expectation that organizations have a better approach to risk management and understand how cyber security relates to their organizations. So, with this minefield, it's a lot of questions I get is, where do I even start? So, I'm actually gonna be doing a talk in ASA next month, which is about context.

Yvonne Sears

I thought that was really important to bring up because it's the old adage of it depends. Whereas consultants say that an awful lot. It depends. It depends on the scenario. It depends on your risk profile, and it depends what industry you're in and what you want to achieve at the end of the day.

Yvonne Sears

Yeah. So, I'm doing a talk on context and how you can use that to really drive forward your security strategy going forward. So, yeah. So, it's essentially, yeah. Where do I start? And another key area of concern I think is organizations need to understand how business continuity fits into the whole picture.

Yvonne Sears

A lot of them I find feel that they have it covered because they did a BIA, like, once in the last five years, a business impact assessment, I should say, once in the last five years, and they've used that just to plop into some business continuity plans. And that's it now, done. Well, a business impact assessment can really help you understand the business context and drive some key strategies around information management, records management, people management,

Yvonne Sears

cybersecurity and a whole heap of other operational risk scenarios. So, yeah, that's one area that I think needs more development and more focus. Although it is like selling insurance in a way, I think that's because organizations are seeing it from not necessarily the right viewpoint.

Kris Brown

And I think, as you say, the changes have been immense, even in just the last five years.

Kris Brown

But the point being that that's changed the IT landscape, that's changed the continuity plans that organizations have had to have, they've introduced new sources. I'm doing a chat at RIMPA in the coming weeks. We did a pulse of the industry support report last year. And it was sort of to get a bit of a feel for where people were, what they thought had happened, and the amount of information they were gathering, that that data, where is it now, type of situation.

Kris Brown

The best part about what's coming up is we did it again this year, and now we're going to be able to compare, have they improved? Has it continued to grow? And so, given your background, and obviously in supply chains and other things as well, is what should those organizations be looking at as it relates to, you know, in a climate of increased Ransomware attacks, you know, what can they be doing?

Yvonne Sears

It links into our previous conversation, actually. To even start, you need to conduct a business impact assessment to really understand your key dependencies. So, who are you relying on to support your business processes? So, which third parties provide products and services that support your business operations and evaluate the impact of loss of those products and services?

Yvonne Sears

And if it were a product or service where you're actually handing over information or assets to that third party, what control? So, have you done a risk assessment on each of those engagements to give you the assurance that they've built their services and products with security in mind to prevent that loss or prevent incidents such as ransomware in the first place?

Yvonne Sears

So, it's getting that assurance. So, although you're handing it off to a third party you're still accountable for the associated risk with that. So, you'd still have that reputational impact and reputational damage if it was known that the third party you're using actually suffers from an event that then impacts your organization and you've taken so long to evaluate what's happened or, you know, what was the source of the issue, and the time to invoke your own business continuity plans as a result is a huge knock-on effect if you're not planning that well in advance. And again, that comes back to the business impact assessment.

Yvonne Sears

So, how long can you do without this third party and how far down the chain can you go? So, really understand you know, if it's a critical product or service, what are they then depending upon to deliver that product or service? Is it down to one individual at the end of the day who's designed a piece of software?

Yvonne Sears

And they're the only person in the world that can possibly support or develop this one piece of software. And what's the overall impact at the end of the day throughout the chain? So, that's a really good practice to go through. So, in addition, talk to your providers in terms of if they suffer an incident, when and how do they let you know that that has occurred.

Yvonne Sears

At what point do you find out and how long does it take for you to find out? And, you know, how well-versed and practiced are they in their business continuity plans? And also, the other thing to think of is where do you fit on their list of priorities? You know how important am I? Am I one of the first five to find out?

Yvonne Sears

So, do we find out with everybody else or, you know, do I find out a day after everyone else has found out what's going on? So, it's, it's good to have those sort of conversations.  

Anthony Woodward

Yeah, perfect. That's a super interesting area. And I think we'll come back to that here in the conversation. Cause it's a set of themes that are going to reoccur.

Anthony Woodward

But I'd like to shift gears a little bit because I think you did bury the lead on some other activities you're doing, I think it's going to be very interesting in the audience in your role as the IAPP ANZ Knowledge Chair. What's your focus there? And I'd love to understand a little bit around how IAPP has been involved in some of the new legislation coming together here in ANZ and what the impacts of that are going to be that you would foresee as that comes to fruition.

Yvonne Sears

So, my role is a local chapter chair. So, here in Adelaide, there's a small group of us here essentially that occasionally get together and drown our sorrows, so to speak, in the world of privacy in Adelaide. But there are duplicate groups throughout Australia, but also into internationally. So, IAPP, International Association of Privacy Practitioners and, and they do a lot in terms of, they provide a lot of really good training and awareness resources and for practitioners as well, in particular.

Yvonne Sears

So, if there's anyone interested in developing their actual training, getting certified for privacy, they're world renowned, essentially. So, they, they get a lot of involvement. They do an annual summit as well. So, there's the something coming up, I think it's November in Sydney.

Yvonne Sears

So, that'd be interesting. Last year's was very interesting because of the report coming out for the privacy reform and everyone's sort of giving their penny's worth or what they think may happen, because although it's represented in a report or recommendations, not everything will really come to fruition.

Yvonne Sears

So, that was a really good opportunity for the lawyers and security professionals and everyone else that's really involved with implementing, right, privacy controls to sort of have that debate on how an organization is going to get rid of all this information if they don't know where it's stored in the first place, you know, and it's starting at the very basics of the very beginning of that sort of conversation.

Yvonne Sears

And yeah, so the IAPP. So, it brings along with that their knowledge and experience and working globally as well. So, we obviously have the likes of the UK state of protection. We've got the European GDPR, an awful lot going on in the states. So, each state within the state has its own legal requirements, which is.

Yvonne Sears

That's incredible. But there's a lot of changes. Also, I think India is the latest one to come on board with a really strong data protection and privacy regulations and things like that. So, it's just comparing what could potentially happen in Australia to the likes of what we have seen elsewhere and going, okay, well, based on that, we can predict this is the pain organizations are going to face.

Yvonne Sears

But there's also a lot of positives in terms of what we know that they need to be preparing for today. And yeah, I think that's the most important thing. Despite when it may happen, it's like turning a barge. It should take a very, very long time to change legislation. We can pretty much say, okay, well, prepare yourself now.

Yvonne Sears

There's no excuse not to get started.

Kris Brown

And what do you think those predictions, what are your predictions? Let's, let me put you on the spot. What are the top three? Well, the top five things that you predict coming out of this from what we've seen thus far.

Yvonne Sears

Oh, so greater emphasis on the full intent of the law in regard to having transparency in the processing of personal information, having less reliance on the term of consent.

Yvonne Sears

So, although someone's consented to processing their information, it doesn't give you free will to do what you like with it. It's like, okay, what is the intent of you collecting that information in the first place? Are you still using it in the manner that it was, they gave it to you in, are you meeting their expectations?

Yvonne Sears

So, that's one of the key things is, are you actually living up to your obligations under the act? Another key area is how much information do you have that you need to have? So there'll be a greater emphasis on ensuring that you're only collecting what you need to deliver that service to the individuals, because we've seen a lot of incidents over the last couple of years where organizations have held on to

Yvonne Sears

previous clients' data who haven't been a client of theirs for the last 10 years. It's so, like, why do you have that? Is the aggregated effect of that information. If you're collecting passport details and driver's licenses and date of birth and everything about an individual, you only need to use it as a validation.

Yvonne Sears

There are other ways to validate an individual now that you don't need to actually hold that data yourself, making sure you're not keeping it longer than it's expected, essentially, is another key thing.

Kris Brown

So, let me ask though, if you're a government department, there's oversight, there's OIA, or there's or there's the attorney generals, or there's, you know, insert the body here who's responsible for auditing organizations at a government level.

Kris Brown

This is about everybody else, like, and while there are... good reasons to do good information management from a discovery and a protectionism perspective. We don't necessarily govern that outside of very heavily regulated industries. Financial services have APRA. There are these OT requirements for utilities and things like that.

Kris Brown

But how do we police this?  

Yvonne Sears

So, each organization, if you're processing personal data, you had to register. So, you had to register that fact that you were processing personal data, not just personal information, but personal data. And that was many moons ago, we were doing that.  

Kris Brown

So, are they going to, do you think they'll do that here?

Yvonne Sears

I don't know, because it's that administration of that too, with the Information Commissioner's office. I know they're going to have an injection of funds to support them and ensure that they can do the right training and awareness and promotion of the changes coming through and also give small businesses support.

Yvonne Sears

So, there, there is likely to be that transition period, especially for the small organizations, businesses that haven't had anything to do with the privacy acts over the years that suddenly, you know, dropped in, in the middle of all this, to actually understand what it actually means fundamentally and what their obligations are. That's going to take a while to happen, but yeah, whether they'll have enough funds to do something like a register, who knows.

Anthony Woodward

I think that's a really interesting area, but I wouldn't mind poking a little bit further, though, in your view, within the expansions of what's being proposed within the Privacy Act review report on the notion of fair and reasonable, because I think the sort of two sides to the conversation, the precedents that are going to be set by the courts themselves are really going to come down to that interpretation.

Anthony Woodward

I know we're both about to get over our skis a little bit, but where do you see that line of fair and reasonable? One of the things that we've seen is that it's changing really rapidly. Twelve months ago, if I had said to someone, how fair and reasonable is it that an organization holds a whole bunch of information, you know, your driver's license, what mortgage documents you have, what your credit rating is, is that fair and reasonable?

Anthony Woodward

There was probably, if I went and asked my parents, for instance, they would have went, Yeah, that's okay. I think most of what we've seen certainly here in Australia and to a lesser extent in the U. S. and other places is there's been a practice of that, and it's been okay. In the last 12 months it's not been okay.

Anthony Woodward

We've all been impacted in some way and that fair and reasonable test is very quickly changing. So, I'd be really interested in where you see that line getting to and a little bit of forecasting around what fair and reasonable is really going to mean.  

Yvonne Sears

Yeah, that's really interesting because it's only recently where individuals, so Joe Public, so to speak, have really understood the impact on themselves as to them giving out their information.

Yvonne Sears

Because I think there was also the assumption that there were good privacy practices in place in the first place, but the fact that they're now finding out, I've just been informed by this company who I haven't actually dealt with for the last 10 years has still got my information. That's not reasonable. I completely disagree. Why do they have that information of mine?

Yvonne Sears

And it's only when things like that happen and the public are asking those questions where we can actually get a gauge of what the public think is actually reasonable. In terms of giving that a time frame, I mean, it's really up to the organization themselves as to how long they keep that information for as to its value.

Yvonne Sears

What use is it to them to hold it longer than two years after someone's left their organization? Why are you holding on to it? The organization should have that conversation, you know, although it costs nothing to retain data anymore. You know, we've got the multi-terabytes now and it's a lot cheaper than it used to be to store information.

Yvonne Sears

So, they're not having that cost conversation, but they really should be having the data conversation. Why are we holding onto this information or processing it if it has no value to our business? Get rid of it. Don't make yourself a target.  

Anthony Woodward

Absolutely. One thing I say to people is storage is cheap and storing things is inexpensive.

Anthony Woodward

Having data is not cheap and having that data in a way that you're going to either not get hurt in the future or that you're using it is not cheap and people don't equate those two things. And I think that's something we really need to educate the community on this. They're very, they sound the same.

Anthony Woodward

They're actually really different in construct. But are there scenarios when a customer comes to you and asks for advice that you're thinking about today to get ready for the new Fair and Reasonable and get ready for the new situation? What would your advice be to anybody who turned up to your door?  

Yvonne Sears

I guess the fair aspect is, oh, the Fair and Reasonable aspect is, would a general customer.

Yvonne Sears

So, taking the standard client base, for example, would they really understand what information you're collecting and why you're collecting it? Would it be fair for you to collect copious amounts of information about an individual if they didn't really understand that? So, I think in last year's summit we were discussing what fair and reasonable was, and I think it came up that it has to be explained, plain English, to a 15 year old.

Yvonne Sears

And if they don't understand it, then it can't really be deemed as fair and reasonable approach to collecting that information. I think it comes back to transparency as well, in the fairness statement. Having that clarity about, okay, we need each of these pieces of bits of information for this specified reason.

Yvonne Sears

And that's your reasonability.  

Anthony Woodward

I'm pretty sure my 15 year old, he's a little bit older than 15, but both of mine at 15, it'd probably be better than my 80 year old grandmother. It's, you know, I understand the point you're making of that test, but that education of what digital sharing is. I literally did have to ring my, my grandmother and say, you shouldn't put that stuff on Facebook that she'd been recently doing because it is, there is a data thing.

Anthony Woodward

So, it's an interesting world we live in where I think there are a lot of misconceptions around privacy, that we have justifiable regimes today for the future. And I think that's the really interesting aspect for me, is that a lot of organizations are thinking very much in today's context and today's penalties and they're not thinking about tomorrow's problems in this area.

Anthony Woodward

Which they do in many other aspects of their business. We talked before about business continuity planning. We talked about disasters that have not happened and recovering from those. Yet, these sort of situations seem to be very much how do I address it today as opposed to how do I, what do I worry about for the future?

Kris Brown

I think we've sort of spoken a little bit about where your, your lead ins there are, and you, you sort of alluded to some of these that there, there is that common misconception of the public that the organizations that we are dealing with doing the right thing and we're finding out today that they're not.

Kris Brown

Did you want to give us, what are the other ones that you see that are those common misconceptions?  

Yvonne Sears

Other misconceptions, I guess, is the businesses think they're doing well, when in reality, if you just look under the hood and ask the question, okay, well, what's the lifecycle of personal information within the organization?

Yvonne Sears

So, how and where does it come in? Who has access to it? Where does it go? I mean, I think that's the greatest problem is organizations know that they're processing personal information, but they have no idea where any of it is. So, you know, it's a very interesting dilemma.  

Kris Brown

Yeah, does that align then to sort of information governance issues?

Kris Brown

Like, we sort of have a number of other guests on this podcast and we are talking about that convergence, right? Where it's like, you know, where are we converging between information governance, data management and obviously privacy? And the reason why they don't know where it's gone or what they've done, they're not particularly understanding the process of the life cycle of that piece of information.

Kris Brown

They're also not understanding when they should get rid of it because even for non-private information, they have this same problem.  

Yvonne Sears

Absolutely. Yeah. And it's always the question I ask is why are you collecting that information regardless of whether it's personal information or not? It's like, okay, well, why are you doing this process?

Yvonne Sears

What is the benefit? So, how does that information support your business process? And what happens to it? Where does it go from there? So, it's the, that standard life cycle. So, and who are the recipients of it at the other end? And then until you understand that end to end process for any piece of information within your organization, how do you ensure that you're protecting it properly?

Yvonne Sears

So, how do you ensure its quality? And how do you validate that the right people are accessing it when they need it? And I think it's at the heart of a lot of problems organizations have when there are assumptions between departments where they think, oh, that's not happening because I'm not seeing it.

Yvonne Sears

Let's create something. And you end up with two or three applications doing exactly the same thing. And they're just not talking to each other. It's like, so frustrating.

Kris Brown

Yeah, I think that challenge of... And it's a, it's a, it's a, it's a day of not knowing where the data is and can be linked to this immensely.

Kris Brown

And, and for me, it's heartening because I've been to a couple of IAPPs, the global conference of the US, and we went to the event last year. I am, I'll give a quick plug. I am speaking at IAPP this year in Sydney. Awesome. But yeah, it's that key of, how do we ensure that organizations are doing just the simplest job here of good information or good data governance, good data management?

Kris Brown

If it's not there, it can't be breached. That's the really simple thing. The reverse is, good information governance, good data governance across the board, is always going to support good data privacy practices because you now know, you know, what you've got, how long you're going to keep it for. So, it's heartening for me to hear, you know, when I do talk to especially other members of IAPP and yourself today, Yvonne, it's just

Kris Brown

hearing them sort of echo that same sentiment of, we need to get control of the data and we need to get control of the entire life cycle.

Anthony Woodward

No, and I guess the final question I have is we, I think that most users would be interested in, what do you see the future as? Are you really positive this area is going to change, and we've got ways to go and things to fix?

Anthony Woodward

Or do you think there's going to be a lot of fines and penalties handed out before organizations make those changes?  

Yvonne Sears

We need a few sticks, especially what I've seen over the last few years. I mean, there has unfortunately been the attitude of they haven't got us yet. So, we'll just carry on as we are, because why do I suddenly have to spend multiple thousands, millions on fixing that issue that hasn't previously been an issue and I'm not going to ever get fined for.

Yvonne Sears

So, yeah, it's just, I'm forever hopeful that we're going to get privacy right across Australia and have the right cultural attitudes in place to do the right thing, especially when it comes to the processing of personal information. I'll hit on that one again, because it's about respecting the individuals at the end of the day.

Yvonne Sears

So, you're dealing with people's lives and in some situations, depending on the service being offered, can be really detrimental to an individual if their personal information is being disrespected. So, for me, I think there is that level of accountability, especially within organizations that process personal information to really be transparent in how it's handled, where it's going, having that confidence that they know exactly where it is and that it is protected. But I don't know. Like I say, I'm forever hopeful that we'll do the right thing, but we need some sticks to get us there. Be a few, few whippings. But yeah, we'll, we'll see, I guess.

Anthony Woodward

And it's not easy. I think it's one of those situations where we're tailing a set of legislations that is different to the individual, which is your point around getting it right. For the individual, but there are ways to do it. It's not impossible. So, I think the good news is it's solvable. It's just, are we going to go solve it?

Yvonne Sears

Yeah, definitely. And the other thing as well, I think if organizations look at data governance, as we were saying before, properly, they can actually improve business processes and increase efficiency in how they operate. If they're busy processing data that they don't really know why they're processing it, or we're collecting it just because it might be useful at some stage.

Yvonne Sears

It's like, is that really where you should be focusing or spending any type of energy on? Stop doing that and work out what is really adding value to your organization, tidy it up a bit and really get to grips with the flow of information in your organization.  

Anthony Woodward

So, to simplify, data governance equals better margins for all businesses. Oh!

Yvonne Sears

Yeah, I'd like that.

Anthony Woodward

I've been working on that for weeks.  

Yvonne Sears

Brilliant. It works in so many avenues. It's good.  

Anthony Woodward

No, fantastic. Really, it's been a fantastic conversation, Yvonne. And I've really enjoyed it. And I wish we could talk for many more hours. And I do hope we have the opportunity to do that when you're up in Sydney for IAPP.

Anthony Woodward

I know Kris is speaking. I will be around. We'll definitely want to grab you and buy you a coffee or, or beverage of choice.

Yvonne Sears

Yeah, that'd be excellent. Thank you. Thank you for having me.  

Anthony Woodward

And good people. But yeah, thank you very much for coming on today. I appreciate it. Thank you all for listening. I'm Anthony Woodward.

Kris Brown

And I'm Kris Brown, and we'll see you next time on FILED.
