Australia’s mandatory data breach notification scheme starts on 22 February 2018. If your organisation is one of the many affected, here are key steps to ensure it is ready for the changes.
Step 1: Who is impacted?
Do you have a clear understanding of who is impacted and the requirements of the scheme? Does your organisation have a clear understanding of how and why personal data is collected and stored across your organisation? Can you answer the following questions?
• Is it necessary to collect and store the information?
• Where is information stored?
• Are privacy protections built into your handling of the information?
• What are the risks associated with holding the information?
• Are there steps in place to destroy data when it's no longer needed?
Step 2: Encourage collaboration
Technology is firmly embedded in the way we work and do business, filtering through all levels and administrative sections of an organisation. Consequently, dealing with technology and data – and the risks these bring – requires an organisation-wide approach. Bringing IT, legal and other business units together ensures a deeper understanding of the issues, and a more considered approach.
Step 3: Risk and Assurance
Is the process for risk identification and assessment clear, with roles and responsibilities defined? Can you answer the following questions?
• What steps do you currently have in place to avoid data breaches?
• Do you have steps to ensure the physical security of computers and hard copy data?
• How does your organisation approach cybersecurity?
You will also need to consider your extended value chain, which includes customers and suppliers.
Step 4: Prepare for the worst
Data breaches are an unfortunate reality in the digital age. In addition to knowing when you need to report a data breach under the new scheme, your organisation should have a comprehensive incident response plan in place. A quick and effective response to a data breach can minimise the damage done, protect your reputation and even help you avoid the notification requirements.
The Office of the Australian Information Commissioner suggests that an incident response plan include:
• the actions to be taken if a breach is suspected, discovered or reported by a staff member
• the members of your data breach response team
• the actions the response team is expected to take.
Step 5: Build a compliant and secure workplace culture
Once you have your plans, policies and response procedures in place, getting your people on board is a crucial next step in making them effective. Ongoing education and training programmes, targeted at all areas and levels of the organisation and covering both the changes and the organisation's commitment to data security, are a must.
Technology and data offer substantial business benefits but also carry inherent risks. Ensure you make the most of the benefits and minimise risk by taking a thorough approach to preparing for Australia's mandatory data breach reporting scheme.
Register for the SAI Global 'Navigating the Mandatory Data Breach Legislation minefield' webinar on 14 February and learn more about preparing for these important changes.