Don’t be the precedent! A survival guide to Notifiable Data Breaches
We don’t want to alarm you (it’s not the apocalypse), but Australia’s Notifiable Data Breaches (NDB) scheme is here (from 22nd February 2018). Now, while it’s certainly not going to bring an end to the world, it could very well bring your organisation to its knees if you’re not prepared. KJR has some sage advice for last-minute scramblers, but first, some facts.
Until now, data breach reporting in Australia has been largely voluntary
From 22nd February 2018, legislative reforms have amended the Privacy Act 1988 to impose mandatory data breach notification on Australian Privacy Principle (APP) entities when there has been an ‘eligible data breach’.
What makes a data breach ‘eligible’?
An ‘eligible data breach’ occurs when there is unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals to whom the information relates.
Adopting a wait-and-see approach is no longer a viable option
Businesses must make notifications when they have reasonable grounds to believe that an ‘eligible data breach’ has taken place. Failure to comply exposes entities to penalties, including fines of $360,000 for individuals and $1.8 million for organisations. It is important to remember that businesses cannot fail to meet their data breach reporting obligations simply to preserve their professional reputation. You will be stung.
We recommend that businesses conduct a review to ensure compliance
The key to ‘surviving’ the NDB is to ensure you have in place reasonable measures to a) protect against a breach and b) identify a breach quickly if and when it happens. Start with the following:
- Really, how secure is your clients’ information? Review your processes and platforms and consider whether you need to increase or improve security.
- What contracts do you have with third-party service providers? They’ll need reviewing and, if necessary, you should seek legal advice to confirm whether they contain appropriate obligations and restrictions.
- Are your operational procedures such that they could adequately manage a data breach event? Best give them a review.
- Take some time to consider how a cyber insurance policy can complement your business risk management initiatives.
- Train your people. Your staff on the front line need to be aware of your Cyber Security and Privacy policies.
For more advice, access KJR’s Survival Cheat Sheet here.
And then there’s the GDPR!
This is the European Union implementing its biggest change to data protection law in 20 years, and no, unfortunately Australian operations are not necessarily immune. From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will be in full flight.
So, who needs to pay attention?
Any organisation processing or controlling personal data of subjects in the EU, regardless of whether the processing takes place in the EU or not. Think about who you have in your systems: depending on your business, it’s probable that your database includes EU residents.
You do not want to be compromised
The fines in place for a GDPR breach are either up to 4% of annual global turnover, or €20 million. This of course is for the very serious breaches, but with a 2% fine in place for failure to comply with records standards or for not notifying of a breach, no one is getting off lightly.
Make like a Boy Scout and “Be Prepared”
If we’ve made you nervous, we apologise, but in this case it’s better to be nervous than naïve. This post has really only scratched the surface of the new way Australian organisations need to be thinking about personal data. If this has highlighted any questions or concerns, KJR is here for you – please do contact us.
For more information on the scheme, we suggest paying a visit to the Office of the Australian Information Commissioner webpage here.