The Consumer Data Right gives Australian’s control of their data. That enables innovation in new products and services to those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab, and included in an assurance report for accreditation.
The CDR Policy supports three of the 24 information security requirements. It sets out the privacy terms for the users of your service to understand their rights. You may find some of the best guides on creating a CDR Policy actually come from Europe’s General Data Protection Regulation (GDPR). The GDPR was a game-changing privacy regulation that sets the global standard for how to communicate and manage data subjects' privacy rights. It includes a range of principles that apply to best-practice privacy in all jurisdictions. For example; creating a policy that is in “plain English”, communicates the collection and use of data, and all of the data subjects rights including any limitations.
The CDR Policy itself is very simple, but some of the underlying design decisions and processes that are articulated in the policy can be subjective and complicated. The CDR Policy should answer the following questions:
- What is the scope and purpose of the policy?
- What data do you collect?
- What consent is required to use your service?
- Do you share the data with any third parties? who/why?
- What are the consumer's rights to access, modify, delete, transfer their data?
- How do consumers raise privacy-related requests and complaints?
- How can users withdraw consent, and what are the consequences of that?
The CDR policy requires publishing for easy public access. The best way to get started and look at examples is to view those of existing accredited data recipients which are available on their websites. Finding one with a similar product or service to your own would be a good way to get started. However, it’s important that all aspects of it are tailored to your privacy practices and environment to ensure it is accurate. You should also consider all of the above questions to ensure the policy is comprehensive.
The CDR Perspective
The CDR Policy is a requirement outside of the five governance requirements and 24 information security requirements. It also supports three of the 24 information security requirements by setting out the nature of data collected, users' rights and the manner of handling the data accordingly.
AssuranceLab is a modern cybersecurity audit firm. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.