The frequency, scale, sophistication and severity of cybersecurity incidents has increased, with ransomware growing by a massive 2500% in 2017 according to a Carbon Black report.
No - that’s not a typo, that’s two and a half thousand percent, a mind-boggling increase.
Security breaches last year alone have shaken many Australian businesses, and we’ve witnessed it first hand, being called on to rescue several clients from ransomware attacks.
Due to the impact, unintended exposure of personal identifiable information can have; data protection is increasingly part of regulatory compliance and organisational and individual responsibility.
Now governments here and abroad have taken action to legislate and incentivise businesses to put risk mitigation plans and notification plans in place. These are the Notifiable Data Breaches (NDB) Scheme (specific to Australia) and the General Data Protection Regulation (GDPR) relevant to any organisation with data transactions from or to European residents.
So what are these regulations and how does it impact your business? We break down some of the most important information that you need to understand now so you can get ready for them.
What are these regulations?
The Notifiable Data Breaches (NDB) scheme took effect last 22nd February 2018. In a nutshell, under this scheme, organisations that handle an individual’s personal data like health records, bank information or credit card information are mandated to notify the Office of the Australian Information Commissioner (OAIC) as well as individuals affected by a data breach.
The General Data Protection Regulation (GDPR) will officially take effect on 25th May 2018. It is expected to protect and empower all European Union (EU) citizens and reshape the way organisations across the region approach data privacy.
Both are intended to allow affected individuals to take necessary action to protect their personal information. Failure to comply will mean hefty fines for businesses covered by these regulations.
NDB
NDB affects organisations such as government agencies, credit reporting bodies, health service providers, TFN recipients as well as private and non-profit organisations with an annual turnover of $3 million or more.
NDB only applies to ‘eligible data breaches’ involving personal information of an affected individual that could result to serious harm. Eligible data breaches arise when there is 1) unauthorised access or disclosure of personal information or a loss of personal information that an individual holds; 2) it will likely result in serious harm to affected individuals; 3) the affected individuals cannot prevent the likely risk of serious harm with remedial action.
What this means for an organisation is, you will have to notify affected individuals in case of a data breach and should also provide recommended actions on what to do now that their personal information has been infiltrated.
Below is an example checklist* of a response plan:
Failing to disclose a breach has its consequences. If an organisation failed to report an eligible data breach, it could be considered an interference with an individual’s privacy. Serious or repetitive interferences with an individual’s privacy can result in civil penalties under the NDB scheme. The OAIC can seek civil penalties against organisations of up to AU$2.1 million, depending on the level of significance or likely harm to an individual.
For further information about NDB, you can watch this webcast here from OAIC.
GDPR
GDPR applies to organisations located within the EU and even those located outside if they provide goods or services or monitor the behaviour of EU data subjects. This means that regardless of the location of your company if you are processing or monitoring an EU resident’s personal data then you are affected by GDPR.
Types of privacy data that GDPR protects include basic identity information such as name, address and ID numbers; web data such as location, IP address, cookie data and RFID tags; health and genetic, biometric, racial or ethnic data; political opinions and sexual orientation.
Some of the GDPR requirements that you need to comply with are:
- Requiring permission from subjects for data processing
- Undisclosing gathered data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Appointment of a data protection officer (DPO) to ensure GDPR compliance
An organisation can face steep penalties for security breaches equivalent to 4% of annual global turnover or up to €20 million, whichever is higher. You can find out more about GDPR in this FAQ.
Action items you need to do now
If you haven’t started complying with NDB and GDPR, you are not alone. Many organisations affected by these regulations are estimated not to be completely compliant by the time it gets enforced. So what does your organisation need to start complying with NDB and GDPR?
Here are a few action items to get you started.
- Understand these regulations.
Awareness is key to getting your internal decision-makers understand the impact of these laws on the business. While it may consume a lot of time and resources from the company initially, it will pay off to protect your business from future data breach incidences and save you money and your company’s reputation. - Assign and train your people.
Appoint a DPO and get your people upskilled on these laws. Educate your staff about the roles they play and the responsibilities they need to perform in line with your compliance efforts. - Take a risk assessment.
Take a risk assessment to estimate the impact of risks to your business. Ensure that the measures align with NDB and GDPR’S requirements, making certain that you have the insight and control over access permissions so you can minimise risks to sensitive data. - Create a data breach response plan.
Implement a response plan for when a data breach happens. This should give guidance to your internal team on the next steps to resolve it and provide recommended actions to affected individuals.
Do you need assistance to become compliant?
If you are one of the organisations who is struggling with complying with the requirements, Professional Advantage can help you with assessing your security risks and creating response plans. Contact us at 1800 126 499 or leave a comment below if you want to speak to any of our Security Advisers.
If you find this article useful and helpful, please share this with your friends or colleagues on social so they can also benefit from our guidance.