It is important for your business to understand the Consumer Data Right (CDR) and how it will affect your business. Initially, the CDR will apply to the banking sector, and it will then be rolled out to other sectors. This article looks at:

  • how the CDR applies to your business;
  • how to become accredited; and 
  • your ongoing accreditation obligations.

What is the Consumer Data Right?

The CDR is a new consumer and privacy law. It is being rolled out across the Australian economy in stages. It will first apply to the banking sector, then the energy sector, followed by the telecommunications sector and any sectors designated by the government thereafter. 

The CDR will provide consumers with a better choice when both selecting and switching providers. This is because it will allow product data to be used on comparison sites. This provides consumers with:

  • the ability to request and receive their consumer data in a usable format; and 
  • the right to request that a participating CDR business transfer their data.

To protect consumer data, the CDR also includes privacy safeguards. A consumer is any reasonably identifiable individual or business under the CDR.

Does the CDR Apply to My Business?

At first, the CDR will only apply in the banking sector. Therefore, if your business is not part of the banking sector or closely related to the banking sector, the CDR is not applicable to your business.

If your business is part of the energy or telecommunications sectors, then it is worth learning more about the CDR in preparation for its application to your sector.

If your business is in, or closely related to, the banking sector then you should consider whether:

  • your business is a data holder; or 
  • you should apply to become a data recipient.

Currently, the Big 4 banks are the only data holders under the CDR. This will be extended to smaller deposit-taking institutions. 

If your business would benefit from receiving consumer data related to financial products, then you may wish to apply to become an accredited data recipient. For example, if you offer a fintech product it may be convenient for your customers to be able to request that their data be sent from their bank to your business. 

How Can My Business Become Accredited?

Becoming accredited requires your business’ primary contact to submit an application via the accreditation portal and to meet certain criteria in that application.

Therefore, the first step for your business is to assess whether you can meet the accreditation criteria and whether the benefit of doing so is worth any costs you may incur. You must also take into account the ongoing compliance obligations attached to accreditation. Failure to comply with the CDR can result in penalties imposed on your business by the regulators.

If you decide to apply to become accredited, unless exempt under the CDR rules, you will need to demonstrate, at a minimum, that you are a fit and proper person and that you have:

  • the required information security to protect CDR data from misuse, interference, loss, unauthorised access, modification or disclosure;
  • an assurance report prepared in accordance with the Australian Standard on Assurance Engagements 3150 Assurance Engagement on Controls;
  • an internal dispute resolution process that meets the requirements in the CDR rules; and
  • adequate insurance, or a comparable guarantee, to counter the risk if you breach your CDR data management obligations and a data breach occurs. 

You must also be a member of a recognised external dispute resolution scheme in relation to CDR consumer complaints. For example, for the banking sector, the requirement is to be a member of the Australian Financial Complaints Authority.

You should carefully consider the criteria for accreditation as set out in the CDR rules before applying.

What Are My Business’ Ongoing Accreditation Obligations?

Accredited businesses will have ongoing obligations. At a minimum, you will be required to:

  • have a customer-facing CDR policy in place;
  • keep records of your receipt and use of CDR data;
  • report to the regulators, including in respect of IT security incidents; and
  • submit to audits as required.

You may also take on some data holder obligations, by sharing particular CDR data at particular times.

To ensure you are meeting your ongoing requirements, you should carefully review these requirements. You should then put in place practical procedures and policies so your staff know how to comply with the CDR. Your staff will also benefit from training to supplement your internal documentation. This will be most relevant for staff in:

  • customer-facing roles, which are required to communicate clearly and accurately with customers about the CDR;
  • legal, compliance and risk roles, which are required to guide and monitor the business’ compliance with the CDR; and
  • technical IT roles, which are required to facilitate the technical security requirements and the receipt, storage and transfer of CDR data.

Key Takeaways

If you are from the banking, energy or telecommunications sector, it is essential to understand how the CDR applies to you. If your business can become accredited and would benefit from doing so, you will need to consider:

  • the application process; 
  • the criteria you must meet; 
  • how to manage the application process; and 
  • your ongoing compliance obligations internally. 

A LegalVision commercial lawyer can help you understand the requirements, and assist in preparing documentation such as your external CDR policy. Just call 1300 544 755 or fill out the form on this page.
