
Yeah, we know. Thinking about data governance, policy awareness, and privacy compliance can be as much fun as anticipating a wet weekend spent doing your tax return.
But the reality is you’ve got to get to grips with them for the sake of your business and your customers. Just like an ignored tax return, putting your head in the sand when it comes to data governance can cost you dearly.
So, let’s break it down and simplify what you need to do.
Data governance – what is it exactly? (And why should you care?)
In a sentence: Data governance is how your business organises, controls, and protects its data.
When you have data governance, you have a set of rules that lays out:
With good data governance, good things happen: your data is reliable, safe, and used properly. All of which helps you make better decisions and avoid compliance problems (like maintaining privacy!).
How can data governance save your privacy bacon?
Good question! Data governance helps you avoid data breaches and privacy issues – and stay compliant with Australian laws like the Privacy Act 1988 – the primary data protection law in Australia. While the Privacy Act has been amended several times since it was introduced in 1989, it still basically dictates how you can collect, process, and use (or retain) personal data from people in Australia.
Note: If your turnover is less than $3M, you’re exempt from following the Australian Privacy Act 1988 – unless you’re trading in personal data for benefit or collecting health data.
But if you’re not exempt and breach the Privacy Act, then beware!
Penalties can reach $2.5 million for individuals and up to $50 million for companies, or 30% of your total sales accumulated while violating the law. And if you do it again – or expose large volumes of data – the fines can be even higher.
Those sorts of fines aren’t empty threats either. For example, just last year, Australian Clinical Labs was fined $5.8 million for failing to protect sensitive patient data (from 223,000 individuals) and not responding properly to a cyberattack.
This was the first fine issued under the most recent iteration of the Privacy Act – so it’s a fair warning that data governance is being taken very seriously.
How do policy awareness, privacy compliance, and data governance fit together?
Data governance, policy awareness, and privacy compliance are all connected – but they play different roles. Think of it this way:
Policy awareness is what makes your rules real. Like any rules, policies only work if people follow them. So, policy awareness involves training your staff, clearly communicating what you expect of them, and implementing processes into daily work routines that keep everyone on track.
And when you do that – ta dum – implementing and following those rules means your business will handle your data legally and responsibly. In other words, you achieve privacy compliance!
What can go wrong?
Let’s say your policy is: “Customer data must only be accessed by authorised staff.”
Your data governance defines and approves that rule. Your policy awareness makes sure everyone understands and follows that rule. And compliance ensures it meets our privacy laws (and you can prove it if audited).
Where can it go wrong? Say your staff awareness is weak, and when the pressure is on, a temporary intern is asked to dive into and copy your payroll data and share it in an ‘all-company’ email. In that case, you’ve clearly failed the compliance test – even though in theory you have a strict policy in place.
The upshot is that governance without awareness doesn’t work (it’s just a dusty, old, forgotten document full of rules that no one notices or follows). And compliance without governance isn’t sustainable (without policies, you don’t have a consistent way to live up to your requirements – you’re just winging it!).
Together, they’re what turns data governance from a document into something that actually protects your business.
What next?
With clear rules in place, you can be sure you’re using your data securely and legally. But we get that you often don’t have the people or time to sort out your data governance on your own.
The good news is that Colton’s got years of expertise in implementing data governance frameworks and protecting sensitive information. We know how it all fits together, how to set up controls to keep you on the straight and narrow, and how to help your people understand the dos and don’ts of your policies.
Give us a call. We’ve got this. PS: It’s a firm ‘no’ to tax returns, though!