Advocate for Good Privacy

Thanks to the Notifiable Data Breach Notification requirements in Australia (enforced as of 22nd of February 2018) and the EU’s General Data Protection Regulation (GDPR) as of 22nd of May 2018, we’ve seen more businesses try to inform and warn others of the implications of non-compliance. Some people remain sceptical of the capability of the Office of the Australian Information Commissioner (OAIC) to enforce the requirement to notify, or even of the reach of the GDPR, but to me that’s not the point, or at least not the only focus area.

The Privacy Act (the Act), along with other global data protection regulations, is in place to introduce good practice in privacy management and to attempt to hold businesses accountable for how they process personal information. However, I believe that all businesses should apply themselves to the principles regardless of whether they are obliged to abide by the regulations or not, and here’s why.

Step 1: Understand what information you process and why.

What’s the point of collecting information (personal or not) that is of no benefit to your company? It creates overhead, exposes you to regulation, must be kept relevant and up to date to be of any use, and must be controlled in some way [Note: This relates to APP5 and APP6].

Step 2: Determine how long the information is useful for.

Don’t waste time and effort managing information that is no longer of any use or value to your organisation. Other than regulatory requirements for business records, determine how long you really need to retain the information. Don’t be a hoarder and keep it ‘just because’ it may be useful one day [APP10].

Step 3: Understand where your information is.

Every organisation should be clear as to where their information is stored so it can be of use (accessible) and support business objectives [APP10, APP11, APP12, APP13].

In addition, you can’t protect your data if you don’t know what you have of value and don’t know where it is!

Step 4: Understand where you may be vulnerable and what the consequences are.

By completing steps 1-3, you are better placed to understand where your information may be vulnerable.

For example: What mechanisms do you use to collect the information? Can it be intercepted? What are the consequences to your business if you don’t get that information or it is altered, or your competitor gets a copy? [APP11 – Appropriate Security through risk assessment].

Step 5: Implement strategies to prevent vulnerabilities from being exploited.

Now that you know how you may be vulnerable, you need to implement controls that enable you to anticipate, detect and prevent an occurrence [APP11 – Appropriate Security through risk assessment].

Step 6: Have a plan in place to prepare for the worst-case scenario.

Build capability around responding to and recovering from a business-disruptive event. Understand how much time you have to recover before it’s too late. Implement strategies to get you back up and running.

Know who your stakeholders are and what information they need to keep them happy: what do they need to know, when do they want to know it, and how will you inform them? [Mandatory Breach Notification and APP11].

Step 7: Be open and honest about who you are.

What do you do? How does personal information play a part in your organisation? What products and services do you provide, and how? How can stakeholders play their part in this, and what do you need from them to achieve it?

Then show off what you do well! Take time to outline how you value the information provided and how it’s protected for the benefit of all stakeholders. Prove your commitment to providing products and services that meet stakeholder expectations [APP1].

About the Author

Yvonne Sears MSc, LLM, CIPM, CISM, PCIP, MBCI

Yvonne’s experience qualifies her as having one of the most credible voices in Privacy anywhere in the world. The multi-discipline qualifications, certifications and experience held by Yvonne are overwhelmingly impressive, and you would be hard pressed to find anyone as qualified across the globe.

Yvonne is a veteran of the Information Security, Risk/Governance and Business Continuity industries. Her passion is Privacy and Business Resilience, and she has spent the last 22 years working in Government, Corporate and Private industry around the globe, including the UK and Australia.

For recognition of her years of service, she has been awarded as an AISA Fellow and IAPP Fellow of Information Privacy.

Yvonne has been a major contributor to several trailblazing privacy projects, some ongoing, in Australia and in the UK. The outcomes of these projects have proven to be globally significant, and their repercussions have paved the way on data sharing and privacy issues in sensitive and complex areas.