Login
Better compliance frameworks can help avoid stricter regulation
If businesses do not want regulators to prescribe solutions for them, they have to fix problems themselves, says one GC.
Jerome Doraisamy
When cars were first introduced, Marion Hemphill mused, there were no specific speed limits, other than a need to drive at a reasonable pace.
Strict road rules are, almost always, a good thing. But there are other instances, Ms Hemphill argued, whereby businesses should determine the best paths forward so as to avoid the need for regulators to step in and decide what should happen.
Speaking last week at the 2020 Corporate Counsel Summit, Ms Hemphill – who is the general counsel and chief privacy officer at Australian Red Cross Lifeblood – said she is concerned that Australia’s regulatory future may see a trend towards one-size-fits-all approaches, which “might not allow businesses to generate the same benefits” as others.
“I’m suggesting that we don’t necessarily want to have heavy regulation. And, if that’s the case, then entities have to perform better within the current framework and the current regulations. If we don’t want regulators to prescribe a solution for us, then we have to fix the problem ourselves,” she outlined.
Businesses haven’t been suitably transparent with notifications about data and privacy breaches, Ms Hemphill referenced as an example, “and as a result, the government introduced the mandatory breach notification requirements in the Privacy Act”.
“It might’ve been better at businesses that had the opportunity to appropriately manage this themselves, but they didn’t grasp that opportunity. And so, it was taken from them quite fairly,” she said.
As a result, a key question for businesses looking ahead – at least with regards to the newly announced review of the Privacy Act – “will be how to create a compliance framework that ensures that they meet and they can also demonstrate that they meet the regulatory requirements appropriately, and that they’re meeting the objectives of the Privacy Act”, Ms Hemphill surmised.
This is where we lawyers come in, she said.
“Obviously, it’s not practical for internal or external legal teams to advise on every occasion of collection of information or use of information. So, what we need to do is to help our clients build their own framework to determine what is needed. And if we don’t, it’ll be regulated for them,” she warned.
“Each entity collecting, using, disclosing information needs to build its own set of rules for what it can do and it can’t do. It needs to build a process for ensuring compliance and it needs to be transparent with stakeholders. Essentially, they need to decide on what is reasonable upfront, then just stick to it.”
Moreover, Ms Hemphill added, they need to tell consumers what they’re doing.
“It’s not enough for us to train our clients into what the regulation says. I think we have to translate it for them and to allow them to have a translation within their own business operations. Training people isn’t enough because it’s abstract and it relies on memory and attention. It can be hit and miss,” she outlined.
“Some people will respond quite well and some won’t, but also the training might be a very long way away from when you actually make the choices. And so human memory is just not designed to work that way. Instead, I think a better way is to make it easier to make the right choice by actually not requiring any choice to be made at all.”
An effective internal regulatory compliance framework, Ms Hemphill advised, “takes out the need to have individual decisions, and instead has cleared guard rails from the beginning of any project or matter that involves personal information or data”.
“It’s not an easy task, but if it’s included in the design or project of a matter, it’ll be more effective,” she said.
“To return to my analogy about cars, it’s the difference between telling people to drive at a reasonable speed and driving at 50 kilometres per hour, but the business is the one choosing that speed restriction based on its own conditions in its environment to reach its outcome, rather than waiting for it to be imposed by government.”
To view this full session, and others from the 2020 Corporate Counsel Summit, click here.
Jerome Doraisamy
Jerome Doraisamy is the editor of Lawyers Weekly and HR Leader. He has worked at Momentum Media as a journalist on Lawyers Weekly since February 2018, and has served as editor since March 2022. In June 2024, he also assumed the editorship of HR Leader. Jerome is also the author of The Wellness Doctrines book series, an admitted solicitor in NSW, and a board director of the Minds Count Foundation.
You can email Jerome at:
