An effective approach to security's year of compliance

2018 has seen a greater focus on compliance than ever before, with new laws in effect that businesses need to align their security frameworks to.

Navigating the year of new security compliance

Around the world, legislative bodies are examining the relationship between cyber security and privacy more closely, as high-profile data breaches drive greater public awareness of how personal data is being stored and protected.

Coincidentally, two major pieces of legislation have come into effect within the last six months: the Commonwealth Government’s amendments to the Privacy Act 1988, and the European Union’s expansive General Data Protection Regulation (GDPR).

Let’s take a closer look at what these laws mean for Australian businesses.

Notifiable Data Breaches (NDB) Scheme

In Australia, the Federal Government created new data breach notification laws which, from late February 2018, require businesses with more than $3 million annual turnover to disclose data breaches involving personal data that might result in “serious harm” to an individual.

In the Telstra Security Report 2018, 87 per cent of Australian businesses reported that they were already “actively adhering” to the Privacy Act 1988 in the previous year. The Notifiable Data Breaches amendment to the act now requires organisations to have an incident detection and reporting workflow in place, as well as the architecture to notify affected customers and the Privacy Commissioner within 30 days of becoming aware of a breach.

In the period 1 April to 30 June 2018, the Office of the Australian Information Commissioner (OAIC) received 242 notifications under the NDB scheme.

General Data Protection Regulation (GDPR)

Compared to the Privacy Act, the GDPR has a much broader remit. The GDPR relates to the data of EU citizens, and requires organisations to notify customers within 72 hours of a breach. In addition to breach reporting, businesses have to allocate new roles for data protection, provide justification for the customer data they hold and create workflows for deleting a single customer’s data as part of “the right to be forgotten”.

With potential fines of up to €20 million or 4% of annual turnover, the GDPR requires Australian businesses to rethink not only their own data security and procedures, but also those of their partner organisations and vendors.

Awareness of this regulation has increased substantially over the last year: a global survey conducted by Citrix found that around 67% of respondents were aware of the GDPR in 2017, and the Telstra Security Report 2018 found that 84% of organisations were actively looking at the regulation in anticipation of its May 2018 date of effect.

Navigating a complex environment

For Australian organisations that also hold EU citizen data, building workflow processes that accommodate a 72-hour turnaround will help meet both NDB and GDPR requirements at once.

Of course, strict compliance requirements are nothing new for security professionals, especially for those involved in processing payments through the PCI Data Security Standard or navigating national data sovereignty laws.

The principal challenge for organisations is to find ways to effectively approach multiple compliance regimes at once while minimising disruption to the business. While each piece of legislation has its own unique requirements, understanding your existing data security posture is a prerequisite for approaching most compliance regimes.

As businesses collect data in more ways than ever before, conducting a proper security audit can be an immense, albeit important, task.

At Telstra, we’ve developed the “Five Knows of Cyber Security” to provide a baseline for understanding your security posture. 

The five knows are:

  1. Know the value of your data.
  2. Know who has access to your data.
  3. Know where your data is.
  4. Know who is protecting your data. 
  5. Know how well your data is protected.

However, it can be difficult to establish the value of data, and how well it is protected, when multiple stakeholders from different business units are involved. Marketing, legal, HR and IT often have competing priorities when it comes to data visibility, value and protection, and these can be difficult to reconcile into a single, holistic strategy.

In addition to establishing compliance, identifying opportunities to combine overlapping compliance reporting can help keep overheads down. 

Understanding the security of your existing data is the first step to approaching compliance. Find out how we can help you understand your position with our Cyber Security Health Check.
