Unlock open data with CDR access

The Consumer Data Right (CDR) is an Australian Government initiative that empowers organisations to securely access and utilise valuable consumer data. By achieving CDR compliance, your organisation can access this data to offer more competitive products and services, enhance customer engagement and drive innovation. CDR enables data-driven decisions, helping your business stay ahead in a competitive market.

Since the legislative updates in October 2021, there are now five access models for the CDR. If you qualify as a 'Trusted Advisor', or only need to use 'CDR Insights', then you do not require any accreditation to access CDR data within that scope. However, CDR Insights is very limited.

There are three models that allow complete data access; Unrestricted, Sponsored, and Representative. Unrestricted provides the most flexibility; you do not need to rely on another third party for your access and with full accreditation you can provide access to others using the sponsored or representative models.

Representative access is appealing for faster access when you opt to use a third party to collect the data for you; usually a data intermediary. They can act as your Principal which means they are liable for your compliance and you don't need to be assessed by the ACCC directly. AssuranceLab works with these Principals as a partner to assess compliance and support the onboarding process.

Sponsored access is similar to unrestricted but does not rely on a formal ASAE 3150 report. It still requires assessment by the ACCC so it is slower than representatives but may be lower cost than unrestricted by saving on external audit costs. This model has not been broadly adopted.

We recommend either Unrestricted to have complete flexibility and safeguard your business continuity, or Representatives access if you want to fast-track your access.

The CDR legislation includes a broad set of rules that apply to those accessing the CDR data. There are general compliance requirements around obtaining, tracking and updating consent from consumers, making available a public CDR policy for them to understand their rights and the use of data, and who and how the data can be shared with third parties.

A big part of the rules is the information security requirements that are prescribed in Schedule 2, Part 1 and Part 2. Part 1 requires that you implement an effective information capability and governance, that you define the boundaries of your CDR Data Environment, assess your risks and controls in that environment, and test your incident response capability. 

Part 2 then goes into greater detail on specific expected information security controls including access control, network security, data loss prevention, managing information assets through their lifecycle, anti-malware protections and human resources security. These areas very closely relate to many other global standards like SOC 2 and ISO 27001, that can be effectively combined to achieve multiple compliance goals without duplicating the efforts.

Unrestricted accreditation requires an ASAE 3150 report, that is similar to the more globally prevalent SOC 2 report. A Type 1 report is sufficient for initial accreditation, and then a Type 2 report is required every two years thereafter to maintain accreditation.

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the CDR criteria.

A Type 2 report attests to your compliance by both design and operation over a period of time. It covers a period of 12 months to show your systems and processes have been operating consistently to satisfy the CDR criteria.

The timeframe to access CDR data can vary a lot based on the access models described above. The two most common access models are Unrestricted and Representative.

Unrestricted access typically takes 4-9 months. This is made up of a period to implement and achieve compliance with the information security requirements (1-3 months), the ACCC's assessment and granting accreditation (3-5 months), and then a period to test and go live with CDR data (~1 month).

Representative access can be much faster than Unrestricted but still relies on achieving a level of compliance that satisfies the CDR Principal's requirements. We see as little as a few weeks to access CDR data under this model when compliance automation is used combined with a well-defined approach from our intermediary partners.