Navigating the year of new security compliance
Around the world, legislative bodies are examining the relationship between cyber security and privacy more closely, as high-profile data breaches drive greater public awareness of how personal data is being stored and protected.
Coincidentally, two major pieces of legislation have come into effect within the last six months: the Commonwealth Government’s amendments to the Privacy Act 1988, and the European Union’s expansive General Data Protection Regulation (GDPR).
Let’s take a closer look at what these laws mean for Australian businesses.
Notifiable Data Breaches (NDB) Scheme
In Australia, the Federal Government created new data breach notification laws which, from late February 2018, require businesses with more than $3 million annual turnover to disclose data breaches involving personal data that might result in “serious harm” to an individual.
In the Telstra Security Report 2018, 87 per cent of Australian businesses responded that they were already “actively adhering” to the Privacy Act 1988 last year. The Notifiable Data Breaches amendment to the act now requires organisations to have an incident detection and reporting workflow in place, as well as the means to notify affected customers and the Privacy Commissioner within 30 days of becoming aware of a breach.
In the period 1 April to 30 June 2018, the Office of the Australian Information Commissioner (OAIC) received 242 notifications under the NDB scheme.
General Data Protection Regulation (GDPR)
Compared to the Privacy Act, the GDPR has a much broader remit. The GDPR relates to the data of EU citizens, and requires organisations to notify customers within 72 hours of a breach. In addition to breach reporting, businesses have to allocate new roles for data protection, provide justification for the customer data they hold and create workflows for deleting a single customer’s data as part of “the right to be forgotten”.
With potential fines of up to €20 million or 4% of annual turnover, the GDPR is requiring Australian businesses to rethink not only their own data security and procedures, but that of their partner organisations and vendors too.
Awareness of this regulation has increased substantially over the last year: a global survey conducted by Citrix found that around 67% of those surveyed were aware of the GDPR in 2017, and the Telstra Security Report 2018 found that 84% of organisations were actively looking at the regulation in anticipation of its May 2018 date of effect.
Navigating a complex environment
For Australian organisations that also hold EU citizen data, building workflow processes that accommodate a 72-hour turnaround will help meet both NDB and GDPR requirements at once.
Of course, strict compliance requirements are nothing new for security professionals, especially for those involved in processing payments through the PCI Data Security Standard or navigating national data sovereignty laws.
The principal challenge for organisations is to find ways to approach multiple compliance regimes at once while minimising disruption to the business. While each piece of legislation has its own unique requirements, understanding your existing data security posture is a prerequisite to approaching most compliance regimes.
As businesses collect data in more ways than ever before, conducting a proper security audit can be an immense, albeit important, task.
At Telstra, we’ve developed the “Five Knows of Cyber Security” to provide a baseline for understanding your security posture.
The five knows are:
- Know the value of your data.
- Know who has access to your data.
- Know where your data is.
- Know who is protecting your data.
- Know how well your data is protected.
However, it can be difficult to establish the value of data and how well it is protected when multiple stakeholders from different business units are involved. Marketing, legal, HR and IT often have competing priorities when it comes to data visibility, value and protection, and these can be difficult to reconcile into a single, holistic strategy.
In addition to establishing compliance, identifying opportunities to consolidate overlapping compliance reporting can help keep overheads down.