It’s Thursday 22 February. So what?

Today has been touted as a watershed date in Australia, one that will in some way touch virtually every Australian, as the Notifiable Data Breaches (NDB) scheme comes into force.

But so what?

Unlike the Y2K scare, there is no talk of planes falling from the sky or lifts plunging to basements all over the country. Aside from being past ‘hump’ day and a step closer to the weekend, is Thursday really worth all the hoo-ha?

Well, in short, the answer is yes. Whether you are in business or just going about your day-to-day activities, you are leaving a sizeable data footprint. Consider your smart watch tracking your morning rush to the bus, your ‘tap’ on as you board, your internet browsing on the ride in, and the swipe to pay for the mandatory morning coffee – and you’re not even at work yet. And let’s not forget IoT. Technology is ubiquitous, and yet most people do not really take note of exactly how much personal data they create, access or distribute on a day-to-day basis.

In leaving this trail of information, we entrust the businesses that collect, collate, analyse, retain and disseminate sensitive data to secure it properly. When (not if) a breach occurs and personal information is accessed or taken, wouldn’t we want to be informed?

Make no mistake, Australia is not at the cutting edge when it comes to legislating mandatory disclosure of data breaches. We are, in fact, over a decade behind the leaders. That said, this Thursday marks a significant date for those entities captured by the legislation. The Office of the Australian Information Commissioner (OAIC) and a plethora of advisory and legal organisations have been talking about the potential impact for over a year. The finish line is in sight, and yet many organisations are still not ready.

Cyber security remains front of mind as a critical concern for Australian business leaders, and compliance with the NDB scheme should be a key component of any security program. The OAIC website outlines key processes around:

  • governance and compliance;
  • identification;
  • containment;
  • assessment (and remediation);
  • notification; and
  • review

Beyond these key points, there are some additional considerations:

  • Is your organisation caught by the legislative changes?
  • What is a data breach?
  • At what point is a breach ‘suspected’ (which starts the 30-day clock for assessing whether it is an eligible data breach) versus ‘known’?
  • How do you decide whether the breach is “likely to result in serious harm”?
  • Exactly what is “serious harm”?
  • What processes are in place to address the required elements of compliance?

To be compliant, and thereby avoid regulatory action when (again, not if) things go wrong, you need to understand exactly how your organisation collects, interacts with, analyses and stores personal information. And what about disposal? The Australian Privacy Principles already require personal information to be destroyed or de-identified once it is no longer needed, and that obligation is distinct from the GDPR ‘right to be forgotten’, which is an individual’s right to request erasure. Are you really ready?

In assisting organisations to prepare for the changes, we constantly find that entities believe they have control over their data, when in fact that is rarely the case.

It is fair to assume that after 22 February we will see more breaches in the news and, at some point, regulatory action taken as a result. Even without such action, disclosing a breach to affected individuals in an environment saturated with social media is akin to accepting that the incident will become public knowledge. This leaves the business with potentially significant legal and reputational issues to deal with in a very public arena.

When you start to think about all of this, you can see why Thursday is such a big deal: there is a lot to do if you haven’t yet started down the path. There won’t be an issue until you get hit, and when that happens it is too late.

So if you have yet to take the first steps, or have not progressed very far, it is time to take action. At this point in the game, unless you already have a detailed understanding of the changes and can accurately map your organisation’s data profile, it’s time to seek help.

And then there’s the European Union General Data Protection Regulation (GDPR) on Friday 25 May… at least it’s a step closer to the weekend. Watch this space.
