Because of the impact that unintended exposure of personally identifiable information can have, data protection is becoming an increasing part of regulatory compliance and both an organisational and an individual responsibility.
Recent security breaches have caused many Australian businesses to review their information security stance, and governments, both here in Australia and overseas, have taken definitive steps to enact legislation to ensure that businesses put risk mitigation plans and breach notification plans in place.
Here in Australia, this comes in the form of the Notifiable Data Breaches (NDB) Scheme while earlier this month the General Data Protection Regulation (GDPR) came into effect across the European Union.
While the NDB Scheme affects many organisations in Australia, the GDPR impacts any organisation, including businesses outside the European Union (EU), that transacts with, or monitors, individuals in the EU and therefore may hold information about them.
The two are aligned in the aims of strengthening personal information security and increasing transparency on data-related activities and incidents.
What are these regulations?
The Notifiable Data Breaches (NDB) Scheme came into effect on 22nd February 2018 and is an amendment to the Privacy Act 1988 (Cth). Effectively, under this scheme, any organisation that loses, or allows unauthorised access to, an individual's personal data such as health records, bank information, tax information or credit card information is mandated to:
notify the Office of the Australian Information Commissioner (OAIC); and
notify the individuals affected by the data breach.
The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. GDPR is probably the most stringent set of data privacy compliance rules in the world and provides a level of protection and individual empowerment that is unprecedented. GDPR is being closely watched by many other countries, and a number have already announced that they intend to implement similar regulations in the coming months.
At their core, both NDB and GDPR are intended to allow affected individuals to take necessary action to protect their personal information, and both impose significant penalties on organisations and individuals for failing to comply.
The NDB Scheme affects organisations such as federal government agencies, credit reporting bodies, health service providers and Tax File Number recipients, as well as private and non-profit organisations with an annual turnover of $3 million or more.
The NDB Scheme only applies to eligible data breaches involving personal information, where the breach is likely to result in serious harm to an affected individual.
Eligible data breaches arise when there is:
unauthorised access to, or disclosure of, personal information that the organisation holds, or a loss of that information;
the breach is likely to result in serious harm to affected individuals; and
the organisation has not been able to prevent the likely risk of serious harm through remedial action.
When an eligible data breach occurs, the organisation must not only notify the affected individuals but should also recommend what they can do, given that their personal information has been accessed, lost or stolen.
The consequences for failing to disclose a breach can be severe. Organisations that fail to report an eligible data breach could be liable for fines of up to AU$2.1 million, depending on the significance of the breach and the likely harm to individuals, while offending individuals could be liable for fines of up to AU$360,000.
Additional information about the NDB Scheme can be found in this OAIC webcast.
The European Union’s GDPR
GDPR has some similarities to the NDB Scheme, but it applies to organisations located within the EU and to those outside the EU if they offer goods or services to, or monitor the behaviour of, individuals in the EU. This means that regardless of where your company is located, if you are processing the personal data of individuals in the EU, or monitoring them, then you are impacted by GDPR.
GDPR defines personal data more specifically than the NDB Scheme. It includes basic identity information such as name, address and ID numbers; web data such as location, IP address, cookie data and RFID tags; health and genetic information; biometric, racial or ethnic data; political opinions; and sexual orientation.
Some of the GDPR requirements that an organisation may need to comply with are:
Ensuring systems that collect or store data implement data protection by design and by default;
Obtaining consent from data subjects for processing, where consent is the lawful basis relied upon;
Disclosing to an individual the details of the data collected about them;
Allowing an individual the right to be forgotten, i.e. to have their data purged from the organisation's systems;
Allowing an individual to take their data with them, when they leave a service provider;
Providing data breach notifications;
Safely handling the transfer of data across borders; and
Appointing a data protection officer (DPO), where required, to oversee GDPR compliance.
While the NDB Scheme mandates notification of breaches, GDPR goes further and imposes a timeline for notification. Article 33(1) states:
“the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
An organisation can face steep penalties for infringements of the Regulation of up to €20 million or 4% of annual global turnover, whichever is higher. You can find out more about GDPR in this FAQ.
Action items you need to do now
If, like many organisations, you haven't started complying with the NDB Scheme and GDPR, then it's important to get started. Many organisations are still unaware that they are impacted by these regulations, and others are unlikely to be completely compliant today but are on the journey.
To get started:
Understand these regulations
Awareness is key to getting your internal decision-makers to understand the impact of these laws on the business. While it will consume time and resources initially, it will pay off when it protects your business from future data breach incidents and saves money, time and, most importantly, your company's reputation.
Know what data you have and where you have it
You need to know where all the data that might contain personal information is held. Many organisations have official repositories for it, but just as many also have copies in other locations to meet other business needs, and those copies are in scope too.
Assign and train your people.
Have a focal point in your organisation for privacy issues (a Data Protection Officer, where one is required), and get your people trained on the impact of these regulations. Educate your staff about the roles they play and the responsibilities they have in line with your compliance efforts.
Create a data breach response plan.
Implement a response plan for when a data breach happens. This will give your internal team guidance on the next steps to resolve it, and on the recommended actions to provide to affected individuals. Bear in mind that GDPR expects the supervisory authority to be notified within 72 hours of becoming aware of a breach, so the plan needs to be workable at that pace. When you're looking at where your data is stored, think about who you'd have to notify if a breach occurs. Do you have contact details for all your staff and customers? How are they kept up to date?
Stay risk focussed.
Conduct a risk assessment to estimate the impact of risks to your business. Ensure that the measures you have in place, or are putting in place, align with the NDB Scheme's and GDPR's requirements, but also ensure that they address the other security risks facing your business. Protection of intellectual property, disruption of your operations by ransomware and financial loss through business email compromise remain significant issues as well.
Do you need assistance to become compliant?
If you are one of the many organisations that are struggling with complying with the regulations and their requirements, we can help you with assessing your security risks and creating response plans. Contact us today.
Note: 'serious harm' is not defined in the Privacy Act, but in the context of a data breach it may include serious physical, psychological, emotional, financial or reputational harm to an individual.