As the 22 February deadline looms for the new Notifiable Data Breaches (NDB) amendment to come into force, RSA’s director of governance, risk and compliance, Sam O’Brien, tells StrategicRISK why risk managers worldwide need to take notice of this game-changing regulation
Every week, it seems, a new corporate security breach is uncovered, and companies often appear to prefer concealing the breach and paying the ransom quickly, given that this is frequently cheaper than the financial and reputational liabilities that come with disclosing a security issue.
Some companies operating in the Asia Pacific region may soon have to own up if their customer data has been compromised, or face stiff penalties.
In Australia, the Notifiable Data Breaches (NDB) amendment to the Privacy Act will force companies operating locally to report data breaches to the Office of the Australian Information Commissioner, as well as make the data loss known to the public. This legislation comes into effect on 22 February 2018.
The European Union’s General Data Protection Regulation (GDPR), effective in May 2018, is another game-changing regulation. The GDPR will be the first global data protection law, as it applies to organisations that control or process the personal data of EU residents anywhere in the world. That means Asia Pacific businesses that process EU residents’ personal data will fall under the scope of the GDPR.
Both the Notifiable Data Breaches amendment and the GDPR lay out hefty penalties for non-compliance – organisations in breach of the GDPR could be liable for fines up to four percent of annual global turnover or 20 million Euros (whichever is higher). Perhaps more importantly, there is the potential for reputational impact, which can often be harder to quantify.
Privacy and risk practitioners need to be laser-focused not only on ensuring that personal data is protected, but also on ensuring that, by early 2018, adequate data governance and security practices are in place so that the company knows exactly where customer and employee personal data is kept and how it is safeguarded.
Having an overarching view of a customer’s personal data isn’t easy. Organisations will have customers’ personal data stored in various places and in various ways. These data silos make personal data harder to protect, and also make it harder to know exactly what has been lost in the event of a personal data breach.
So what can be done to implement an effective data governance practice?
With personal data likely being used by many parts of your organisation, the first step towards compliance is conducting a study of where that personal data is held, who holds it and who is responsible for it.
Teams can ask themselves a series of questions, beginning with what sort of personal data is collected, why it is being collected, how it flows through the organisation, where it is stored and retained, and what systems have access to it.
Asking these sorts of questions creates a type of business context that will assist in addressing compliance challenges associated with laws such as the Notifiable Data Breaches scheme. Organisations should also consider what other roles this business context can play. More on that later.
Privacy and risk professionals may not need to completely re-invent the wheel when it comes to answering some of these questions. Some of the answers may already exist.
For example, an organisation with a robust business continuity program will most likely have also conducted a business impact analysis (BIA) – an activity that may have already identified relevant information flows and repositories that can provide insight for your privacy initiatives. While it’s unlikely that this will paint a complete picture of how and where data is being stored, it can be a valuable accelerator towards addressing your current compliance challenges.
Once you are on your way to building a solid base of business context, it’s important to take a moment to consider other purposes it may serve within your organisation – such as helping cyber teams prioritise alerts and incidents that affect your most critical assets. In short, the efforts designed to ensure a business is compliant with the NDB are also useful in other contexts.
In essence, collaboration is key: good business context gathering in one area can pay off in other areas yet to be considered. When taking on new privacy initiatives that demand good business context, don’t forget to stop and think about where some of it may already exist. This is a great opportunity not only to accelerate your journey towards compliance, but also to build relationships and help out other parts of your business in the process.
Protecting the personal data that your organisation uses is not just the right thing to do for compliance – it’s the right thing to do. Full stop.
With the introduction of new regulations, we can hopefully start waving goodbye to the bad old days of data breach hiding. Your efforts toward compliance will result in better data protection practices, not only benefiting your business, but also your customers by assuring them that their personal data is in good hands.