In the last three years over 6 billion personal records have been lost or stolen worldwide. With alarming frequency, large companies are experiencing the mass loss of data as a result of data breaches.
Recently we heard the revelation that ride-sharing giant Uber had fallen victim to a malicious attack, resulting in the exposure of the personal information of 57 million passengers and 600,000 drivers.
Not only has Uber incurred a substantial cost to cover-up – ahem – recover from the breach, but their public relations department is now working overtime to salvage the business’ reputation.
Unfortunately, in today’s digital environment, it is inevitable that a data breach involving personal records will occur.
The Office of the Australian Information Commissioner (OAIC) has established a Notifiable Data Breach (NDB) scheme in Australia to strengthen the protections afforded to personal information. Coming into force on 22 February 2018, the scheme will require Australian businesses to review their privacy practices and systems, and put plans in place to respond to data breaches when required.
So how will the scheme impact your business? And what are the important things you need to know? Here GWI Consulting Director Dr Vanessa Douglas-Savage takes you through the positive and not so positive aspects of the incoming scheme, and provides a few tips for those preparing to meet the new requirements.
On a positive note, there are a number of highlights:
- For time-poor individuals, the legislation is short, easy to read and digest. The requirements are relatively clear.
- The OAIC has done a really good job of preparing resources and advice in advance, turning policy into actionable guidelines. A lot of support is also provided, and a web form will be available for notification.
- Thresholds have been set at an appropriate and reasonable level; it’s important to note that not every breach requires notification. The scheme only requires businesses to notify an individual if a breach is likely to result in serious harm. To familiarise yourself with eligibility criteria, visit the criteria on the OAIC’s website.
On the less positive side:
- We are still lacking consistency across Australia with regard to data breach notification, making it difficult for companies operating across different jurisdictions.
- The scheme is dependent on a ‘reasonable person test’. Today’s consumers are widely varied in their level of comfort in sharing personal information, likes and needs with businesses, and this is changing rapidly. A reasonable person may not necessarily be an average person. Determining the actions of a reasonable person is difficult for businesses to navigate.
- The definition of ‘serious harm’ is also ambiguous, and relies on a non-exhaustive list of relevant matters.
What you need to be doing
There are three key things a business needs to do to prepare for the implementation of Mandatory Data Breach Notification on 22 February 2018:
- Understand where, why and how you collect personal information.
- Know where you store and how you manage personal information.
- Have a plan to respond to privacy breaches. A number of organisations have saved themselves from significant reputational damage with transparent, timely communication.
Being able to maintain the privacy of stored records including personal information is a critical enabler for a business to be able to use data confidently and efficiently. The new scheme provides a timely reminder to conduct regular, general hygiene checks on your information management practices. Now is the time to get your house in order.
GWI can help you put together your Mandatory Data Breach Notification plan and protect your business into the future. To learn more about our Governance and Security service offerings click here or contact us on 1300 364 430 to discuss your needs.