In recent years attitudes to data have shifted: everyone, not just businesses, is more aware of their privacy and of how their personal data is protected. Rightfully so! Data is powerful, and it is appropriate that laws and attitudes reflect that power.
Audits have found that two thirds of NSW Government agencies are not safeguarding their data by monitoring the activities and accounts of the people who have access to it, and it is this kind of lapse that has prompted new laws. 2018 is bringing big changes to data and privacy law all over the world, so how do they affect you and your business?
The Notifiable Data Breach Scheme
The Notifiable Data Breaches (NDB) scheme commenced on 22 February 2018, a year after the amendment to the Privacy Act 1988 (Cth) that created it was passed. The scheme requires agencies and organisations covered by the Act to notify affected individuals, and the Office of the Australian Information Commissioner (OAIC), when personal information they hold has been involved in a data breach that is likely to result in serious harm to any of those individuals. That harm can be physical, psychological, emotional, financial or reputational.
What is a data breach?
Data is everywhere, so a data breach can be anything from a mobile device containing personal information being stolen, to a database being hacked, to something as simple as personal or sensitive information being sent to or viewed by the wrong person by mistake.
A data breach occurs when there has been:
- Unauthorised access
- Unauthorised disclosure
- Loss of personal information
What causes these breaches? System faults are the obvious answer, but since the scheme commenced, 51% of the breaches reported to the OAIC have been attributed to human error. It is always important to plan for the possibility of human error and to safeguard against it.
What do agencies and organisations need to do?
With civil penalties for serious or repeated interferences with privacy (which include failing to report appropriately and promptly) of up to $360,000 for individuals and $1.8 million for organisations, the stakes are high. Penalties of that size are enough to put many organisations out of business, but unfortunately they are not the only price you pay: your business can be seriously disrupted, and there will be legal costs, incident response costs and a host of other incidental costs. Nor is it only the financial cost that can send you into a downward spiral; there is the reputational loss too. According to Experian, the value of an organisation's brand and reputation can decline by as much as 31% after a data breach.
Protect yourself and the data you hold by putting security procedures in place that restrict who can see personal data, and make sure you have a simple, straightforward process to follow if a breach ever does occur.
For more information on how to notify, visit the Office of the Australian Information Commissioner’s (OAIC) website.
The European Union General Data Protection Regulation (GDPR)
The introduction of the GDPR on 25 May 2018 will affect Australian agencies and organisations, despite it not being an Australian law. Any Australian company that holds the personal data of people in the EU, whether they are customers of that company or employees within it, is affected by the GDPR.
This includes any Australian businesses:
- With an office in the EU
- That track the online behaviour of individuals in the EU and process that data to profile them and predict their personal preferences and behaviours
- With customers or users in the EU
- Who target EU customers
- With EU employees
The GDPR requires these businesses to document the personal data they hold, record where it is stored, and demonstrate a legal basis for collecting and processing it. It also requires them to review how that data is secured and to have a process ready for a breach, which must be reported to the relevant EU supervisory authority within 72 hours of becoming aware of it.
The fines for non-compliance are not insignificant, either. Fines are not automatic; they are decided case by case, using a range of factors to determine which tier the infringement falls into.
- Lower tier: fines of up to €10 million or 2% of annual global turnover, whichever is higher.
- Upper tier: fines of up to €20 million or 4% of annual global turnover, whichever is higher.
So, what should your organisation be doing to protect data?
- Know what EU personal data your organisation holds, where it is, and how well it is secured.
- Understand the value of your data and complete risk assessments.
- Classify your data from most to least sensitive (corporate IP, customer data, employee data, internal only, public, and so on).
- Educate your staff so that every person in the organisation knows they have a role to play in cyber security and secure information management, and make sure they have access to the policies, processes and tools needed to safeguard data and reduce the risk of a breach.
- Know your plan for notifying affected parties and regulators in the event of a data breach.
At Berkeley, we develop and deliver secure data protection and privacy solutions to government and commercial organisations, helping them comply with all relevant data and privacy laws. Get in touch with us today to find out how we can provide the right data protection solution for you.