The CDR Policy

The Consumer Data Right (CDR) Policy is the equivalent of a Privacy Policy, specific to the context of the CDR. 


The Consumer Data Right gives Australians control of their data. That control enables innovation in new products and services for those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab and included in an assurance report for accreditation.


The CDR Policy supports three of the 24 information security requirements. It sets out the privacy terms for the users of your service so that they understand their rights. You may find some of the best guides on creating a CDR Policy actually come from Europe’s General Data Protection Regulation (GDPR). The GDPR was a game-changing privacy regulation that sets the global standard for how to communicate and manage data subjects' privacy rights. It includes a range of principles that apply to best-practice privacy in all jurisdictions. For example, creating a policy that is written in plain English, that communicates the collection and use of data, and that sets out all of the data subjects' rights, including any limitations.


The CDR Policy itself is very simple, but some of the underlying design decisions and processes that are articulated in the policy can be subjective and complicated. The CDR Policy should answer the following questions:

  • What is the scope and purpose of the policy?
  • What data do you collect?
  • What consent is required to use your service?
  • Do you share the data with any third parties? With whom, and why?
  • What are the consumer's rights to access, modify, delete, and transfer their data?
  • How do consumers raise privacy-related requests and complaints?
  • How can users withdraw consent, and what are the consequences of that?


The CDR Policy must be published for easy public access. The best way to get started and look at examples is to view those of existing accredited data recipients, which are available on their websites. Finding one with a product or service similar to your own is a good starting point. However, it’s important that every aspect of it is tailored to your own privacy practices and environment so that it is accurate. You should also work through all of the questions above to ensure the policy is comprehensive.


As with a Privacy Policy, if material changes are required, they should be communicated to all active users. In some cases, it may be appropriate to request fresh consent to the modified terms. Unlike security and confidentiality, privacy is a subjective area. The “right” answer is determined by your users, who are usually a diverse group of people. It’s important to ensure their rights are effectively communicated, and that processes are in place to manage those rights. Beyond achieving and maintaining your accreditation, privacy breaches are a major killer of reputation and customer trust.


The CDR Perspective


The CDR Policy is a requirement that sits outside the five governance requirements and 24 information security requirements. It also supports three of the 24 information security requirements by setting out the nature of the data collected, users' rights, and the manner in which the data is handled accordingly.


About AssuranceLab


AssuranceLab is a modern cybersecurity audit firm. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.

