Business Continuity Management (BCM): Privacy by Design

Bridging the gap between this year's Privacy Awareness Week ("Trust and Transparency") and Business Continuity Awareness Week ("Building Resilience in the Hybrid World", next week), this blog considers how the two disciplines overlap.

To ensure ongoing compliance with the Privacy Act (the Act) whilst in the throes of a business disruptive event, your business continuity strategies must consider the protection of personal data 'by design', so that the organisation can maintain the confidentiality, integrity, and availability of such data and demonstrate that 'appropriate' security controls have been applied.

Over and above Notifiable Data Breach event management and communications, continuity strategies should consider how to:

  • Prevent loss or damage to personal data
  • Maintain true and accurate records during and after an event
  • Ensure access continues for those who ‘need to know’
  • Comply with the principles of the Act where manual processing is a workaround strategy for lost or unavailable technology: how do you prevent loss of confidentiality, integrity, or availability of manual records during the event?
  • Maintain access to personal data
  • Evaluate the impact on individuals if products / services are not available when required
  • Consider how a business disruptive event may impact individuals
  • Keep individuals informed as to when services can resume
  • Manage a data breach during a business disruptive event: what are the constraints, issues, or concerns in meeting the reporting requirements?

Additional processes to consider may include:

  • How you manage the Employee Call Tree
  • Physical relocation (of people and assets), including how you manage increased sharing of data across various platforms, or even moving assets from one office location to another or to working from home (WFH)
  • Maintaining data integrity and confidentiality within your workarounds, e.g. when moving to manual processing
  • Resumption and recovery of services after an event, i.e. do you retain the manual forms? If so, how, where, and for how long? If not, how do you dispose of them?

ISD Cyber can help you build and maintain appropriate business continuity and privacy strategies, ensuring that you do not compromise the trust of your staff and clients during your most vulnerable times.