What is the CDR Regulation for Australia?
In early May 2020, the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) released their Compliance and Enforcement Policy for the Consumer Data Right (CDR), which was announced in November 2017.
The objective of the CDR is to give consumers the ability to efficiently and conveniently access their personal data held by businesses, and to authorise the secure sharing of that data with trusted and accredited third parties. The CDR gives individuals a right to access their 'personal information', and the right of data portability found in the European General Data Protection Regulation (GDPR).
Who Must Comply with the CDR and When?
Beginning July 1, 2020, the ACCC is requiring the banking, energy and telecommunications industries to make relevant data available to customers, with a temporary exception granted to the banking industry. The CDR is impacting industries economy-wide, sector-by-sector.
In light of the impacts and challenges of the COVID-19 pandemic, the ACCC has granted a temporary three-month exemption to financial services providers. The CDR regulation for banks and other financial institutions will now begin on Oct. 1, 2020.
Are Safeguards in Place to Protect CDR Data?
Because more data is being accessed and more data files are being transferred, more safeguards are required to protect this data. Regulators will deploy a range of tools to monitor and access the available information to ensure that the security and integrity of consumers' data are in place. The goal is to prevent breaches of CDR obligations through compliance management and enforcement.
Businesses need to consider how they handle the data they collect, including how the data is collected, stored, used or disclosed, and how they will make consumer data available to their customers and their nominated recipients.
Special attention to internal systems, processes and compliance will help prevent breaches such as:
- Repeated refusal to disclose consumer data
- Misleading or deceptive conduct
- Data collection without valid consent
- Intentional use or disclosure of data inconsistent with consumer consent
- Insufficient security controls to protect CDR data
How Can CDR Participants Comply with the Regulations?
Businesses under the CDR protocols should consider:
- Reviewing their policies and processes for privacy and data handling
- Training staff on their CDR obligations and how to manage the risks involved with handling consumer data
- Establishing breach notification procedures
One way to ensure files are kept secure both at rest and while in transit is to incorporate a managed file transfer system, like GoAnywhere MFT. This secure, automatic software can protect data by:
- Controlling access to files and data
- Encrypting data
- Establishing the correct security settings when sending and/or receiving highly confidential emails
- And more
Learn about how managed file transfer can offer organizations the technical security measures needed to comply with the CDR.