The countdown is on for the 22 February deadline for Australia’s new Notifiable Data Breaches (NDB) scheme, and firms are being warned they must comply or face huge penalties.

Large numbers of Australian organisations of all sizes and sectors don’t know where to start when it comes to Australia’s new Notifiable Data Breaches (NDB) scheme and, as a result, have not yet taken steps to ensure they are ready to meet requirements.

Data security firm Covata’s chief commercial officer, Derek Brown, believes that organisations putting off NDB preparations need to kick-start their journeys now, or risk facing bigger headaches down the track.

“This is not just an issue for small businesses. There are organisations of all sizes – small, big and everything in between – and across multiple industries, that are ill-prepared for the stricter requirements of the new NDB scheme.

“As we enter this new regime, you can expect to see the regulators taking a stern view of organisations that experience a data breach, but cannot demonstrate appropriate data protection policies and procedures, or that they have taken reasonable efforts to secure sensitive data. In the last few days alone, two more major breaches have hit the headlines, both of which could and should have been avoided.

“Organisations will likely be viewed far more favourably if they have proactively begun the process ahead of the deadline, rather than being forced to do so, either as a direct result of a data breach or the regulator’s directive,” he said.

22 days and counting

The new rules, applicable from 22 February 2018, affect most Australian organisations and agencies with annual turnover of more than $3 million that hold personally identifiable information (PII). From that date, all eligible data breaches must be reported to the Office of the Australian Information Commissioner and to all affected individuals.

It is important that organisations understand their obligations, as failure to comply could result in penalties of up to $1.8 million for interference with the privacy of the individuals affected. Other negative consequences might include the cost of investigating and remediating a data breach, legal advice and action, damage to brand reputation, loss of consumer confidence, and loss of business opportunities and revenue.

Brown has observed a common thread to his conversations about NDB over the past six months.

“Some blue-chip enterprises, particularly those in existing highly regulated industries, are well-advanced in this space; however, most organisations, agencies and government departments are not, and are typically unsure of where to start the journey.

“They know they have sensitive data and they have a desire to protect it. But, before they can get to this point, they need to discover it. And that’s where they’re getting stuck,” he said.

Where for art thou data?

For most organisations, data exists in multiple locations: paper records in physical storage facilities, legacy digital archives, and data spread across numerous local and cloud storage locations.

Getting a handle on where and how data is stored allows organisations to understand what data they accumulate, generate and collect; what proportion is sensitive; and its value to their organisation and to someone who might misuse it.

Brown acknowledges that these new requirements can be daunting and that tackling them may feel like an insurmountable task. “I encourage organisations to look at data discovery and classification solutions, which locate data but also classify what is found, so you know what is sensitive and what is not.

“To make this a manageable process, organisations can then work in a phased manner, addressing data in prioritised phases, deleting data that no longer needs to be retained and protecting any sensitive data as they proceed.

“You have to start somewhere and I strongly recommend a sensitive data discovery phase as the place to begin,” he said.
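The discovery-and-classification step described above, as an added illustration that is not code from the article or from Covata: a small Python scanner that rates constructed sample documents by the Australian identifiers they contain (email addresses, Tax File Numbers, Medicare card numbers) and returns a prioritised inventory. The TFN and Medicare check-digit rules are the published ones; the sample file paths and contents are invented for the example, and the sensitivity levels are an assumed policy, not the regulator’s.

```python
import re
from collections import Counter

# Constructed sample "documents" standing in for files found during discovery.
SAMPLE_DOCS = {
    "hr/payroll_2017.csv": "Jane Citizen, jane@example.com, TFN 123 456 782, Medicare 2123 45670 1",
    "marketing/newsletter.txt": "Sign up at news@example.com for monthly updates.",
    "archive/old_invoice.txt": "Invoice 987654321 issued 2012-03-01, amount $120.00",
}

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)

def is_valid_tfn(digits: str) -> bool:
    """Australian TFN: the weighted sum of the 9 digits must be divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

def is_valid_medicare(digits: str) -> bool:
    """Medicare card number: 10 digits, first digit 2-6, 9th digit is a mod-10 check digit."""
    if len(digits) != 10 or not digits.isdigit() or digits[0] not in "23456":
        return False
    check = sum(int(d) * w for d, w in zip(digits[:8], MEDICARE_WEIGHTS)) % 10
    return check == int(digits[8])

PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "tfn": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
    "medicare": re.compile(r"\b\d{4}[ -]?\d{5}[ -]?\d\b"),
}
VALIDATORS = {"tfn": is_valid_tfn, "medicare": is_valid_medicare}

def classify(text: str) -> Counter:
    """Count identifier types present; check-digit validation drops look-alike numbers."""
    found = Counter()
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            digits = re.sub(r"\D", "", match)
            if kind in VALIDATORS and not VALIDATORS[kind](digits):
                continue  # e.g. an invoice number that merely looks like a TFN
            found[kind] += 1
    return found

def sensitivity(found: Counter) -> str:
    """Assumed policy: government identifiers are high, contact details medium."""
    if found["tfn"] or found["medicare"]:
        return "high"
    return "medium" if found["email"] else "low"

def inventory(docs: dict) -> list:
    """Prioritised list of (path, level, counts), most sensitive first."""
    rows = []
    for path, text in docs.items():
        counts = classify(text)
        rows.append((path, sensitivity(counts), dict(counts)))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(rows, key=lambda r: order[r[1]])
```

Run `inventory(SAMPLE_DOCS)` to see the payroll file ranked first; the 9-digit invoice number in the archive file fails the TFN check digit and so is not counted.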