PWC Presentation - 11 September 2014
Getting Your House in Order
Eugene Foo
Deputy General Counsel
GE Capital
eugene.foo@ge.com
(03) 8807 6970
Agenda
• GE Capital in Australia
• Project Implementation
• Embedding Privacy
• Review & Audit
• Practical Tips
• Q&A
LegalWise Seminar 11/27/2014
GE Capital’s History in Australia
• GE Capital is a division of General Electric
• Began in 1878 when Thomas Edison established the Edison Electric Light Company
• GE has been in Australia since 1896, Brisbane Tram Company and Pyrmont Bridge
• GE Capital has been active in Australia since 1995 and is one of Australia’s leading specialist commercial and retail financiers
Project Structure
• Scope: Consumer and Commercial businesses
• Division between APP and Comprehensive Credit Reporting (CCR) Part IIIA Project Streams
• Coordination through PMO – synergies and opportunities for simplification and cost savings identified
• External legal advice, industry bodies and peer groups engaged
Business Engagement
• Identification of business benefits and risks to GE
• Benefits of CCR to GE advocated internally
• Early engagement with Privacy reform through workshops and seminars
• Top down commitment and engagement
• Business employees seconded to Project
Key Areas Considered
• APP / NPP gap analysis
• Customer touch points analysis (Collection & Notification)
• Incorporation of privacy assessments into project methodology
• Info Sec requirements and servicing contracts review
• Collateral (Disclosure documents, EPP, CRP & IPNs)
• Processes & Procedures (Use & Purpose)
Key Challenges
• Lack of “bright line” tests in the APPs
• Parliament’s intention as evinced in extrinsic material v language of the Act
• Reforms required a great deal of analysis, external legal advice and benchmarking
• Timing of key legislative pieces (CR Code, Guidelines) – Project flexibility was key
• Resourcing – Surge resources required
Key issues
• APP 5 Notification:
  • whether notice should be given: what PI is collected, use of PI and consequences for individual
  • when to notify, at or before the time of collection or as soon as practicable after
  • documentation of reasoning and positions; and
  • development of standard notices
• Privacy and GE’s retail partners and intermediary network
• Overseas disclosure
  • Identification of cross border disclosure
  • Risk / effort in implementing safe harbour
• Direct Marketing
  • Customer Lists – procedures for use and notification of source
  • Implementation of Opt Out – entity versus whole of group / brand
Key issues - continued
• Key Part IIIA issues:
  • EDRS requirements for Commercial Credit Providers
  • Security of CEI
  • Access, corrections and complaints handling
  • Imposing limits of CEI
  • Prohibition on use of CEI for direct marketing purposes
Governance & Culture
• GE subject also to Global Privacy Standards
• Appointment of Privacy Officer to drive governance and culture
• Culture (TCF) & Open Reporting
• Training
Processes & BAU Compliance
• Review and amendment of processes
• Review and amendment of impacted collateral (EPP / CRP, T&Cs, COU, emails, letters, forms etc)
• Layer 1 & 2 Monitoring
• Privacy specific controls (e.g. evidencing notification, due diligence for customer lists, direct marketing opt out)
• Incident and breach reporting and management
• Formal handover to BAU / Business with risk register
Review and Audit
• Compliance testing and review after implementation
• Implementation Audit
• What were the lessons learnt?
  • More senior leadership engagement to make key decisions and set direction
  • Earlier engagement with external legal required
  • Earlier and more frequent engagement with regulators and industry bodies
  • More detailed business requirements to flush out issues earlier
  • Need to have up to date “as-is” process documentation / knowledge
Some Practical Tips & Takeaways
• The APPs are focused on principle and spirit; it is important to look beyond the letter of the law and manage reputational and broader risks arising from privacy
• Understanding the position of peers, industry bodies and the OAIC is critical to enable your organisation to develop and take a position on privacy issues
• Early engagement and continued liaison with law reform process, industry bodies and Government / Regulators
• Understanding and articulating benefits is key to business awareness, engagement and commitment
• Look for opportunities to simplify and improve