Home / Business Continuity. Risk and Compliance. /
In the wake of the increasing regularity of high-profile attacks on Australian organisations, including Optus, Medibank, and Medicare, the Australian Federal Government spent much of 2023 engaged in a consultation process to identify necessary updates to the Privacy Act.
Because many attacks and breaches target personal data, the Australian Government focused the updates on its own data privacy enforcement powers, while increasing penalties on organisations with insufficient data protection frameworks in place.
Attorney-General Mark Dreyfus has said: “Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset.”
Penalties for companies that don’t protect themselves against serious or repeated breaches have already increased significantly – the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increased fines for companies that don’t protect themselves against serious or repeated breaches. Penalties are rising from $2.22 million to $50 million, 30% of the company’s turnover in the relevant period, or three times the value of any benefit obtained through the misuse of the information – whichever is greater.
The updated Privacy Act will now significantly increase the regulations around the collection, processing, and protection of personal information.
The reforms, which came into force in NSW in 2023, ask for an industry-wide change in attitude and culture around data privacy. Organisations operating in Australia are being asked to create a culture of privacy, in which customer data is treated as their own data.
This means putting stringent tools, systems, governance, and ongoing education in place to ensure the safety of personal data.
The need for these changes is predominantly being driven by the way organisations are operating in the new digital economy.
In the race to gain competitive advantages through automation and AI, as well as other productivity-enabling technologies, organisations are de-siloing data so it can flow more freely through the organisation.
This seamless interconnectivity creates a 360-degree view of all data. In relation to personal data in particular, it helps organisations to better understand their customers, so they can deliver targeted and personalised services to them.
This not only enables better customer experiences, it allows organisations to maintain their competitive edge.
Consequently, personal data is being collected from just about every customer interaction, creating a long and complex data trail on every customer. Once gathered, this data is then stored and backed-up to different locations.
On a daily basis, it’s used as a source of collaboration by different people in different teams, potentially in different locations all over the world. As this data flows around the organisation, the opportunities for data breach and compromise are numerous. And with all the data breaches we’ve seen in recent years, it’s clear that too many organisations have cyber security policies that are outdated and inadequate.
Data privacy is becoming very complex, so the likelihood of mid-market organisations wanting to, or being able to, manage data security with an internal team is decreasing. To help you assess whether you’re ready and able to manage the changing requirements, we’ve put a short guide together for you here.
The new Data Privacy Act requires organisations to look more closely at how personal information is collected, used, disclosed, and handled. For many organisations, data lineage isn’t sufficiently understood or managed, particularly in relation to data retention and deletion processes.
Therefore, many organisations aren’t sure what data is being kept generally, and what data’s being retained beyond its necessary retention period. This increases the risk of breach because archived data often doesn’t have the same security controls as active data.
Auditing the data landscape is the first step in understanding the status of different data. It reveals all the personal information your organisation collects, processes, stores, and shares. Plus, it enables your organisation to answer questions like: “If a customer requests to view all of their data kept by us, do we have a process in place to meet that request? More importantly, if a customer requests to delete all their data, can we confidently do that, including archived data?”
Furthermore, this process needs to reveal what policies, procedures, and other organisational measures are currently in place to ensure its safety and efficacy.
Many mid-market organisations are choosing to outsource these mapping and auditing exercises due to the complexities involved. But if you do have the capabilities in house, ensure the outcome you achieve includes personal sensitive data, as well as data required by your SaaS solutions, which may hold data overseas. Depending on where the data is held, organisations may find themselves violating international law or compromising data sovereignty.
Once you understand your data landscape, you can review and update your organisation’s privacy policies and notices to reflect the latest data privacy requirements. Ensure that your policies are written in clear and accessible language, outlining how personal data is collected, used, shared, and stored.
Your employees will also need ongoing education, support, measurement, and notification on their performance around data. This will ensure violations, bad practices, or high-risk behaviour can be quickly identified and rectified.
There will be other legal compliance issues that you’ll need to be across. For example, if your organisation relies on consent as a legal basis for processing personal data, ensure that consent is obtained in a clear and explicit manner.
Furthermore, data privacy should not just be a centralised practice, there should be distributed responsibilities owned by employees, teams, business units, suppliers, partners, and vendors. Having a Data Protection Officer in place will ensure these regulatory and compliance issues are appropriately managed and coordinated.
We also strongly recommend reviewing your cyber insurance policy to ensure you’re covered in the event of data breach.
Designed to assist organisations to overcome the disruption and expense of an attack, cyber insurance policies have become a key component of most cyber security strategies. They’re designed to reduce risk by assisting with the cost of recovery from an attack, including expenses incurred by your business and third parties, such as partners or suppliers. This helps organisations get back on their feet and resume normal operations as quickly as possible.
Before opting to purchase a cyber-insurance policy, you’ll need to take time to carefully assess your current level of cyber risk. Because this involves the thorough assessment of core IT systems, applications, stored data, and business process, it’s logical to do this as part of your Cyber Security Assessment.
In our recent blog ‘10-point plan for minimising cyber risk and insurance premiums’, we provide a checklist of factors you should be reviewing to ensure the effectiveness of your cyber approach.
Tecala’s Audit, Procedure and Risk Services are delivered by our Audit and Compliance teams. This team is part of our Consultancy and Advisory Service, whose main objective is to ensure you have robust protection measures in place, that meet the demands of your organisation in your industry.
We put you in control of your compliance obligations, so you’re always ready for new regulations. In a rapidly changing digital economy, authorities in Australia and abroad are increasing regulatory and compliance requirements. Data security and management now directly relate to privacy and government regulation.
At Tecala we have broad experience in dealing with information classification, retention, and access because we know that the constant change of data regulation and compliance is causing big challenges for all our clients.
The reassuring news is that Tecala’s Audit and Compliance teams have you covered with a comprehensive range of Audit, Procedure and Risk Services. We’ll keep you on top of this evolving landscape and help keep your organisation secure.
For further reading on Australia’s Data Security Landscape, read our recent Infosec Report – The Importance of Staying Vigilant in Cybersecurity: Reporting on Threats and Risks.
Tecala’s Data Landscape and Maturity Assessment (DLMA) is the first step in ensuring effective use of your data. In a three-step approach we assess the current state of your data, formulate the future state based on your goals, and provide a gap analysis between where you are now and where you need to go.
In this update, we provide an overview of the changes to the Essential Eight Maturity Model, and provide you with an effective roadmap to maintaining compliance.
Our Data Landscape Maturity Assessment is the key to unlocking the potential of your data, so it drives your automation and AI.
