An effective approach to security's year of compliance

2018 has seen a greater focus on compliance than ever before, with new laws now in effect that businesses need to align their security frameworks with.

Navigating the year of new security compliance

Around the world, legislative bodies are examining the relationship between cyber security and privacy more closely, as high-profile data breaches drive greater public awareness of how personal data is being stored and protected.

Two major pieces of legislation have come into effect within the last six months: the Commonwealth Government’s Notifiable Data Breaches amendments to the Privacy Act 1988, and the European Union’s expansive General Data Protection Regulation (GDPR).

Let’s take a closer look at what these laws mean for Australian businesses.

Notifiable Data Breaches (NDB) Scheme

In Australia, the Federal Government’s Notifiable Data Breaches scheme, in force since 22 February 2018, requires organisations covered by the Privacy Act (including businesses with more than $3 million annual turnover) to notify data breaches involving personal information that are likely to result in “serious harm” to any of the individuals concerned.

In the Telstra Security Report 2018, 87 per cent of Australian businesses said they were already “actively adhering” to the Privacy Act 1988 last year. The Notifiable Data Breaches amendment now also requires organisations to have an incident detection, assessment and reporting workflow in place: a suspected breach must be assessed within 30 days of the organisation becoming aware of it, and once an eligible data breach is confirmed the organisation must notify the affected individuals and the Australian Information Commissioner as soon as practicable.

In the period 1 April to 30 June 2018, the Office of the Australian Information Commissioner (OAIC) received 242 notifications under the NDB scheme.

General Data Protection Regulation (GDPR)

Compared to the Privacy Act, the GDPR has a much broader remit. It applies to the personal data of individuals in the EU regardless of where the organisation processing that data is based, and requires organisations to notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and the affected individuals without undue delay where the breach is likely to result in a high risk to them. In addition to breach reporting, businesses have to designate data protection roles (a Data Protection Officer, in the cases the regulation specifies), document a lawful basis for the personal data they hold, and create workflows for erasing a single individual’s data on request under the “right to be forgotten”.

With potential fines of up to €20 million or 4% of annual global turnover, whichever is higher, the GDPR is forcing Australian businesses to rethink not only their own data security and procedures, but those of their partner organisations and vendors too.

Awareness of this regulation has increased substantially over the last year: a global survey conducted by Citrix found that around 67% of respondents were aware of the GDPR in 2017, and the Telstra Security Report 2018 found that 84% of organisations were actively looking at the regulation in anticipation of its 25 May 2018 date of effect.

Navigating a complex environment

For Australian organisations that also hold the personal data of individuals in the EU, building breach-response workflows around the tighter 72-hour GDPR window for notifying the supervisory authority also covers the NDB scheme’s requirement to assess and notify as soon as practicable, so a single process can serve both regimes.

Of course, strict compliance requirements are nothing new for security professionals, especially for those involved in processing payments through the PCI Data Security Standard or navigating national data sovereignty laws.

The principal challenge for organisations is to find ways to approach multiple compliance regimes at once while minimising the disruption to the business. While each piece of legislation has its own unique requirements, understanding your existing data security posture is a prerequisite for approaching almost any of them.

As businesses collect data in more ways than ever before, conducting a proper security audit can be an immense, albeit important task.

At Telstra, we’ve developed the “Five Knows of Cyber Security” to provide a baseline for understanding your security posture. 

The five knows are:

  1. Know the value of your data.
  2. Know who has access to your data.
  3. Know where your data is.
  4. Know who is protecting your data. 
  5. Know how well your data is protected.

However, it can be difficult to establish the value of data and how well it’s protected when multiple stakeholders from different business units are involved. Marketing, legal, HR and IT often have competing priorities when it comes to data visibility, value and protection, and these can be hard to reconcile into a single, holistic strategy.

In addition to establishing compliance, identifying opportunities to combine overlapping compliance reporting can help keep overheads down. 

Understanding the security of your existing data is the first step towards compliance. Find out how we can help you understand your position with our Cyber Security Health Check.
