The amendment to the Australian Privacy Act around Notifiable Data Breaches (NDB) became effective from 22 February 2018.
This means that new notification procedures are in place in the event of an eligible data breach. The notification to affected individuals must include recommendations on the steps they should take in response to the breach.
Disclosure has to be prompt: an organisation that suspects a breach has 30 days to assess it, and once it concludes that an eligible breach has occurred it must notify affected individuals and the Australian Information Commissioner as soon as practicable. The scheme applies to organisations covered by the Privacy Act, broadly those with more than A$3m ($2.4m) in annual turnover.
In May 2018, the General Data Protection Regulation (GDPR) will also come into force. It requires organisations around the world that hold personal data of individuals within the EU to provide a high level of protection and to know explicitly where that data is stored.
In the case of GDPR, organisations that fail to comply with the regulation could be penalised up to €20m ($24.6m) in fines, or up to 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher.
There is growing awareness among businesses of the consequences of a data breach as high-profile cases continue to make news headlines. A serious data breach will hurt brand, reputation and share price, so corporate leaders are now treating cyber-security and data protection as a business issue, not just a technical one. New regulations such as GDPR and NDB will put even more pressure on businesses.
To better manage data protection and comply with new regulations, businesses should work with legal teams and compliance officers to stay up to date. They should look for coordinated approaches to collecting, monitoring and reporting data. The World Law Group, for example, produces the Global Guide to Data Breach Notifications. While not entirely up to date, the document outlines the general reporting requirements in over 60 countries.
Businesses can also expect more reporting requirements. Businesses trading in the UK should consider how the UK Data Protection Bill interacts with the EU's GDPR. The implications are still unclear, but early drafts suggest that consumer protection and reporting obligations could be even more stringent.
A national compliance law often has global implications too. Some EU countries, such as Germany, Austria and the Netherlands, have additional compliance obligations above and beyond GDPR.
Crucially, businesses need to keep employees aware of the compliance requirements. While the C-Level executives and board members are taking on a fiduciary responsibility for cyber-security, compliance must be improved through consistent end-user training at all levels. This can help ensure employees handle customer data appropriately.
Employees should also be given better means to recognise potential cyber-attacks such as phishing. Businesses will need to offer clear guidelines on BYOD, on the use of applications not formally sanctioned by IT and on the use of social media. They should also consider the new threat vectors created by the disclosure rules themselves: adversaries may try to exploit them for financial gain, for example by threatening to expose a breach unless they are paid.