Improve your Data Security and Privacy : Six Step Process
Australian Data Privacy Act Reforms - Aug 2024
The Australian Privacy Act reforms (amendments to the Privacy Act 1988 (Cth)) are about to come into effect at the end of August 2024, so there has never been a better time to get your organisation's data security and privacy controls in order.
If you missed what the reforms are about here is a quick recap:
- Major governance and compliance updates: You need to ensure your data practices align with the new standards. Privacy Impact Assessments will be required before undertaking activities with high privacy risk, for example targeted advertising and the sale of personal information.
- Enhanced security obligations: Your business will be required to meet baseline data security outcomes (confidentiality, integrity and availability), adopt a data breach response plan, and notify the OAIC within 72 hours of becoming aware of a data breach.
- Data retention compliance: Your business will be required to document minimum and maximum retention periods for each type of personal information it holds, and to demonstrate that those periods are actually enforced.
- Severe penalties for non-compliance: Avoid hefty fines and reputational damage. Individuals (including directors) can be fined up to $2.5 million and businesses up to $50 million for non-compliance.
- Small business exemption to be scrapped: The Act currently exempts most organisations with an annual turnover of less than $3 million. This exemption is likely to be removed in the latest reforms.
Below is a quick summary of the Australian Privacy Principles (APPs) by category. APP 11 (security of personal information) will be important for every business to address, and it primarily involves putting strong cyber security controls in place to adequately protect the personal information you hold.
So where do I start?
As a business, if you collect, process and store sensitive data, and in particular personally identifiable information (PII), then you should start with a Privacy Impact Assessment (PIA) or a more thorough Data Security Risk Assessment (DSRA).
The first step in that undertaking is to identify where sensitive data resides across your organisation, and then to look for opportunities to reduce your data footprint: data you no longer hold cannot be breached and needs no retention schedule, so every copy you eliminate reduces risk and liability to the business.
The diagram below summarises the steps you need to take:
A core part of your process should look at how you correlate your risks -
When identifying data and assessing risk across both your cloud services and your on-premises environment, you need to decide how you will map that data out, with the right tools and processes in place, so that when you are asked where the data is, who has access to it and whether it is accurate, you can answer with confidence. Discovery is not a one-off exercise: data moves and is copied, so the inventory should record location, data type, owner and access rights, and be refreshed regularly. It also means that when you need to respond to a consent request or a notifiable data breach, you are ready to do so in an efficient and streamlined way.
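As an added illustration of the discovery step described above (this is example code written for this article, not a tool the author recommends or ships), the following Python script walks a directory tree, flags candidate Australian TFNs, payment card numbers and e-mail addresses, and builds an inventory keyed by file path that records what was found, how much, who owns the file and its permission bits. Two practitioner details matter here: each regex hit is confirmed with the real checksum for that identifier (the TFN weighted modulus 11 check and the Luhn check) so that order numbers and typos are not reported as PII, and the inventory stores only a masked sample, never the full value, so the inventory itself does not become a new copy of the sensitive data. The sample files it creates in a temporary directory are constructed test data, not real people, accounts or files from any organisation.

```python
import os
import re
import tempfile
from collections import Counter

# Australian TFN check digit: weighted sum of the 9 digits must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def tfn_is_valid(digits: str) -> bool:
    """True if `digits` (9 digits, separators already removed) passes the TFN checksum."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def luhn_is_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers (13-19 digits, separators removed)."""
    if not (13 <= len(digits) <= 19) or not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


# Each detector is a regex that finds candidates plus a validator that cuts false
# positives. The patterns are deliberately simple; a production DLP tool has many more.
DETECTORS = {
    "tfn":   (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), lambda m: tfn_is_valid(_digits(m))),
    "card":  (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), lambda m: luhn_is_valid(_digits(m))),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda m: True),
}


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) for every validated hit; only the last 3 chars survive."""
    hits = []
    for kind, (pattern, validate) in DETECTORS.items():
        for m in pattern.finditer(text):
            raw = m.group(0)
            if validate(raw):
                hits.append((kind, "*" * (len(raw) - 3) + raw[-3:]))
    return hits


def scan_tree(root: str) -> dict[str, dict]:
    """Walk `root`; for each file with hits record counts, masked samples, owner and mode."""
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue                    # unreadable file: skip, do not crash the scan
            if not hits:
                continue
            st = os.stat(path)
            inventory[os.path.relpath(path, root).replace(os.sep, "/")] = {
                "counts": dict(Counter(kind for kind, _ in hits)),
                "samples": sorted({masked for _, masked in hits}),
                "owner_uid": st.st_uid,              # "who has access": owner ...
                "mode": oct(st.st_mode & 0o777),     # ... and permission bits
            }
    return inventory


# Constructed sample data (hypothetical names and numbers; the TFN and card number
# are well-known test values that pass their checksums, the others deliberately fail).
SAMPLE_FILES = {
    "hr/payroll.csv": "name,tfn,email\nJo Citizen,123 456 782,jo@example.com\n"
                      "Bad Row,123 456 789,not-an-email\n",
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111 approved\n"
                           "Typo card 1234 5678 9012 3456 rejected\n",
    "docs/readme.txt": "Order 987 654 321 shipped. No personal data here.\n",
}


def build_sample_tree(root: str) -> None:
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo() -> dict[str, dict]:
    """Build the sample tree in a temp dir, scan it and return the inventory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, info in sorted(run_demo().items()):
        print(path, info["counts"], info["mode"], info["samples"])
```

Run as-is and only `hr/payroll.csv` (one TFN, one e-mail) and `finance/refunds.txt` (one card) appear in the inventory; the readme's nine-digit order number and the mistyped values are dropped by the checksums. For real use you would point `scan_tree` at file shares and exported cloud storage, add detectors for the identifiers your business actually holds, and feed the inventory into your retention schedule and access review rather than printing it.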
Not sure what to do?
If you are still wondering where to start, please get in touch for a free, no-obligation chat to discuss your specific needs. You can book a call with me directly using the calendar link below.