The Consumer Data Right (CDR) Policy is the equivalent of a Privacy Policy, specific to the context of the CDR.
The Consumer Data Right gives Australians control over their data, which enables innovation in new products and services for those consumers. To participate as an accredited data recipient, you must meet five governance requirements and 24 information security requirements. These are independently audited by a qualified firm such as AssuranceLab and included in an assurance report for accreditation.
The CDR Policy supports three of the 24 information security requirements. It sets out the privacy terms for the users of your service so they understand their rights. Some of the best guidance on writing a CDR Policy actually comes from Europe’s General Data Protection Regulation (GDPR). The GDPR was a game-changing privacy regulation that set the global standard for how to communicate and manage data subjects’ privacy rights, and it includes a range of principles that apply to best-practice privacy in all jurisdictions: for example, writing the policy in “plain English”, communicating what data is collected and how it is used, and stating all of the data subjects’ rights, including any limitations on them.
The CDR Policy itself is very simple, but some of the underlying design decisions and processes that are articulated in the policy can be subjective and complicated. The CDR Policy should answer the following questions:
The CDR Policy must be published where the public can easily access it. The best way to get started is to look at the policies of existing accredited data recipients, which are available on their websites; one for a product or service similar to your own is a good starting point. However, every aspect of your policy must be tailored to your own privacy practices and environment so that it is accurate. You should also work through all of the questions above to ensure the policy is comprehensive.
As with a Privacy Policy, material changes should be communicated to all active users, and in some cases it may be appropriate to request fresh consent to the modified terms. Unlike security and confidentiality, privacy is a subjective area: the “right” answer is determined by your users, who are usually a diverse group of people. It’s important that their rights are clearly communicated and that processes are in place to manage those rights. Beyond achieving and maintaining your accreditation, privacy breaches are a major killer of reputation and customer trust.
The CDR Perspective
The CDR Policy is a requirement outside of the five governance requirements and 24 information security requirements. It also supports three of the 24 information security requirements by setting out the nature of data collected, users' rights and the manner of handling the data accordingly.
About AssuranceLab
AssuranceLab is a modern cybersecurity audit firm. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.