What CISOs need to know about Australia’s consumer data right

Implementing the CDR is not so easy, initial testers have found, given the high standards imposed on securing consumers’ personal data and the still-early experience in applying them.

The consumer data right (CDR), first mooted by the Australian federal government in 2017, lets consumers compare and switch providers more easily by giving them more control of their personal data. Banking is the first sector to roll out the CDR, with energy and telecommunications to follow.

The early experiences are revealing how CSOs may need to adapt security protocols to each sector to secure the flow of data.

For providers like banks and telcos, the CDR means a new personal data sharing regime, becoming accredited as a data recipient, and being subject to compliance checks—and potential enforcement actions for compliance failures. There are now 12 accredited data recipients, with Finder and SISS Data Services recently joining the list. In the case of banking, the four major banks are the first required to share data, to be followed by most authorised deposit-taking institutions (ADIs).

By accrediting providers, the CDR framework is designed to ensure secure data sharing between designated data holders and accredited data recipients. “The accreditation requirements ensure data recipients have appropriate controls in place to keep data secure,” an Australian Competition and Consumer Commission (ACCC) spokesperson told CSO Australia.

Security-driven CDR compliance