pwc presentation - getting your house in order

PWC Presentation - 11 September 2014 Getting Your House in Order Eugene Foo Deputy General Counsel GE Capital [email protected] (03) 8807 6970

Post on 16-Jul-2015


PWC Presentation - 11 September 2014

Getting Your House in Order

Eugene Foo

Deputy General Counsel

GE Capital

[email protected]

(03) 8807 6970

Agenda

• GE Capital in Australia

• Project Implementation

• Embedding Privacy

• Review & Audit

• Practical Tips

• Q&A

GE Capital in Australia

LegalWise Seminar 11/27/2014

GE Capital’s History in Australia

• GE Capital is a division of General Electric

• Began in 1878 when Thomas Edison established the Edison Electric Light Company

• GE has been in Australia since 1896, Brisbane Tram Company and Pyrmont Bridge

• GE Capital has been active in Australia since 1995 and is one of Australia’s leading specialist commercial and retail financiers

Project Implementation

Project Structure

• Scope: Consumer and Commercial businesses

• Division between APP and Comprehensive Credit Reporting (CCR) Part IIIA Project Streams

• Coordination through PMO – synergies and opportunities for simplification and cost savings identified

• External legal advice, industry bodies and peer groups engaged

Business Engagement

• Identification of business benefits and risks to GE

• Benefits of CCR to GE advocated internally

• Early engagement with Privacy reform through workshops and seminars

• Top down commitment and engagement

• Business employees seconded to Project

Key Areas Considered

• APP / NPP gap analysis

• Customer touch points analysis (Collection & Notification)

• Incorporation of privacy assessments into project methodology

• Info Sec requirements and servicing contracts review

• Collateral (Disclosure documents, EPP, CRP & IPNs)

• Processes & Procedures (Use & Purpose)

Key Challenges

• Lack of “bright line” tests in the APPs

• Parliament’s intention as evinced in extrinsic material v language of the Act

• Reforms required a great deal of analysis, external legal advice and benchmarking

• Timing of key legislative pieces (CR Code, Guidelines) – Project flexibility was key

• Resourcing – Surge resources required

Key issues

• APP 5 Notification:

  • whether notice should be given: what PI is collected, use of PI and consequences for individual

  • when to notify, at or before the time of collection or as soon as practicable after

  • documentation of reasoning and positions; and

  • development of standard notices

• Privacy and GE’s retail partners and intermediary network

• Overseas disclosure

  • Identification of cross border disclosure

  • Risk / effort in implementing safe harbour

• Direct Marketing

  • Customer Lists – procedures for use and notification of source

  • Implementation of Opt Out – entity versus whole of group / brand

Key issues - continued

• Key Part IIIA issues:

  • EDRS requirements for Commercial Credit Providers

  • Security of CEI

  • Access, corrections and complaints handling

  • Imposing limits of CEI

  • Prohibition on use of CEI for direct marketing purposes

Embedding Privacy

Governance & Culture

• GE is also subject to Global Privacy Standards

• Appointment of Privacy Officer to drive governance and culture

• Culture (TCF) & Open Reporting

• Training

Processes & BAU Compliance

• Review and amendment of processes

• Review and amendment of impacted collateral (EPP / CRP, T&Cs, COU, emails, letters, forms etc)

• Layer 1 & 2 Monitoring

• Privacy specific controls (e.g. evidencing notification, due diligence for customer lists, direct marketing opt out)

• Incident and breach reporting and management

• Formal handover to BAU / Business with risk register

Review and Audit

• Compliance testing and review after implementation

• Implementation Audit

• What were the lessons learnt?

  • More senior leadership engagement to make key decisions and set direction

  • Earlier engagement with external legal required

  • Earlier and more frequent engagement with regulators and industry bodies

  • More detailed business requirements to flush out issues earlier

  • Need to have up to date “as-is” process documentation / knowledge

Practical Tips

Some Practical Tips & Takeaways

• The APPs are focused on principle and spirit; it is important to look beyond the letter of the law and manage reputational and broader risks arising from privacy

• Understanding the position of peers, industry bodies and the OAIC is critical to enable your organisation to develop and take a position on privacy issues

• Early engagement and continued liaison with law reform process, industry bodies and Government / Regulators

• Understanding and articulating benefits key to business awareness, engagement and commitment

• Look for opportunities to simplify and improve

Q & A

Any Questions?