The introduction of the Notifiable Data Breaches (NDB) scheme last month will shine a spotlight on ICT security and compliance for Australian organisations.
Many organisations have new obligations under this addition to the Privacy Act. Organisations with an annual turnover exceeding three million dollars are now obligated to report breaches involving personal data to the Office of the Australian Information Commissioner (OAIC). The fines are serious: the NDB scheme prescribes penalties of up to $360,000 for individuals and $1.8 million for organisations.
Professional ethics and the trust of customers are currently the subject of much discussion in the media. Trust rests on relationships, which are always important to your customer base. The fallout from a data breach can result in a massive loss of business, whereas a culture that has embedded cyber security has a competitive advantage.
The NDB Scheme is an opportunity to implement improved governance and proactively manage the risk of a breach. We’d suggest treating your customer data the way you would any other precious business asset. The following steps can be used as a checklist:
Your 5-point checklist:
◻ Know your data
What personal data does your business hold? Where can it be found? How long do you keep it? How does it get processed, stored and destroyed? Who has access to it? Is it being shared externally, or is it accessible via your employees' personal devices? Know the ins and outs of all personal and sensitive data your business collects, and always ask: where are the blind spots?
◻ Know your people
People make mistakes. Insiders and your own vendors are often the weakest link when it comes to data breaches. How can you make sure the appropriate level of access is given to the right people? Are your people (employees, internal or external contractors) trained to avoid, contain and manage security risk?
◻ Embed ICT security into your organisational culture
As I’ve said previously, ICT security and the relevant policies and procedures should be treated with the same gravitas as occupational health and safety and other HR policies. Documentation is the backbone of a robust ICT strategy. Senior leaders need to engage with ICT from the top down to support privacy and any organisational change required.
◻ Implement a Data Security Incident Response Plan
The OAIC will investigate not just what the data breach was, but how the response was managed. Do you have a response plan in place? Ensure you regularly test your Data Security Incident Response Plan, that contact list details are up to date, and that your people are appropriately trained.
◻ Seek help by consulting experts
Those who are not prepared for the NDB scheme risk serious fines, not to mention reputational damage and loss of business. If you don't have the right skillset within your team, consult experts so you're prepared to deal with a breach.
If your response to the checklist is a “don’t know”, “it’s not up to date” or “we haven’t done the training or communications”, your organisation isn’t prepared.
To ensure you effectively manage the change to privacy compliance, reach out now for a confidential discussion. We can assist you in developing the relevant policies and procedures and provide training for your team.