It’s been an interesting start to 2018 for business owners, consultants, and marketing firms. Two separate pieces of legislation came into effect, changing the requirements for almost any Australian-based firm. The European Union council enacted the General Data Protection Regulation (GDPR) and the Australian government enacted the Notifiable Data Breaches scheme (NDB), an amendment of the Privacy Act (1988).
So, what’s all the fuss about?
To summarise the two laws, both the European Union and Australian governments have responded to the never-ending string of privacy breaches with extremely tough laws for businesses that store or interact with personal data.
To better understand how this affects your business and you personally, we need to explain both laws. Bear with me, there is a lot of information to go through!
What Exactly is a Data Breach?
A data breach is the disclosure of personal information to an unauthorised party, either within the organisation or a third party. Some examples of a real-world data breach include:
- Printed personal files being stolen or exposed to a third party
- Loss of a USB drive with personal information
- Website or online service hack
- Leaving online data publicly exposed
- Emailing a spreadsheet with customer data to an unauthorised third party
- Computer virus or data exfiltration
- Accidentally leaving a filing cabinet full of classified documents when disposing of the cabinet (Australian Parliament!)
Detecting a Common Theme…
A common theme across many of the example data breach scenarios is technology. With technology being used in almost every business, and being a common way to interact with individuals, it’s no wonder that many data breaches occur in the digital space.
General Data Protection Regulation (GDPR)
The GDPR legislation extends existing EU data protection law to any company in the world processing data or offering services to EU residents. Additionally, it enforces strict penalties, with fines of up to 4% of worldwide turnover for a serious breach. EU citizens are provided further rights and protections for their data and information. The key elements of the law are as follows:
- The law applies to any worldwide company if they process or interact with personal data of EU citizens. This also applies to online services that are available to EU citizens like websites and marketing materials.
- Personal information is extensive and includes: names, home addresses, telephone numbers, email addresses, bank details, social media information, medical information, and IP addresses.
- Note that stored email addresses and IP addresses include those collected through newsletters, online stores, and other marketing subscriptions.
- GDPR acts as a single set of rules for all EU member-states.
- Companies are required to provide reasonable notice about data retention time & contact information for the company.
- Companies are required to design any systems with privacy and data protection in mind (i.e. not sharing information with third parties, appropriate security measures, etc.)
- Most importantly, it is the responsibility and liability of the company to demonstrate compliance, even if a third party is processing data like a marketing platform.
- Users are required to provide consent for any data collection and processing activities.
Right to Access & Be Forgotten
A major part of the legislation is the idea of informed consent, the ability to access information about the type of data stored, and having data removed when requested.
Informed consent is an interesting topic, and well outside of the scope of this discussion, but requires an individual to understand and agree to any information collection.
Upon request, a company must provide an individual with not only a summary of what information is collected, but also a copy of the data stored on the individual. This covers any and all personal information collected, potentially spanning several computer systems.
The right to be forgotten has been a controversial topic in the EU throughout the decade, with several high profile cases in the EU after enacting this legislation. An individual can request all personal information be removed for several reasons. Google has removed hundreds of thousands of search results after a landmark ruling several years ago.
Privacy By Design
Privacy by design has, as a concept, been around for years. In simple terms it requires privacy and data protection to be built into the system’s design, not bolted on as an add-on or afterthought. GDPR calls for the minimisation of data collected (only capturing information required) and for limiting access to identifiable information to minimise risk to individuals.
The GDPR has strict rules governing data breaches. A company is legally required to inform the supervisory authority of all data breaches within 72 hours unless they can demonstrate there is no risk to an individual’s rights or freedoms. The company is also required to inform all affected individuals.
The only exception to mandatory notification is if the company has “implemented appropriate technical and organisational protection measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.”
Punitive Actions & Sanctions
The GDPR sets out strict punitive actions:
- Written warning for a first, non-intentional offence
- Enforced data protection audits and remedial actions
- A fine of up to 20 million euros or 4% of worldwide turnover
The EU is deadly serious about data protection and breaches, and can enforce this action upon companies who do not comply with regulations.
Notifiable Data Breach Scheme (NDB)
The Notifiable Data Breach scheme (NDB) is an amendment to the existing Privacy Act (1988), applicable to any organisation or agency storing personal data, much like the GDPR.
The NDB’s main objective is to provide individuals with clear information around data breaches and encourage organisations to better protect and manage personal information. The main elements of the NDB are:
- Applicable to governmental agencies, businesses and not-for-profit organisations with an aggregated turnover of more than $3 million per year, credit reporting agencies, medical firms, etc.
- Not all data breaches require notification: certain types of breach are exempt from reporting, as is any breach without a serious risk of harm.
- An organisation suspecting or knowing of a data breach must undertake actions to assess the harm and risk of the breach.
- The commissioner and individuals affected are required to be notified, including details of the breach, recommended actions the individuals should take, and any mitigation measures to be put in place.
- A fine of up to $2.1 million is applicable for data breaches
Differences Between The Laws
The GDPR laws clearly set forth requirements and provide very clear rules and actions for data breaches. The NDB on the other hand relies on the honour system, not clearly defining what a “serious risk” actually is, and allows for organisations to self-assess risk to individuals.
How Do We Prepare Our Businesses?
Preparing a business for these laws is an interesting question. Unfortunately, it’s like asking “how long is a piece of string?” Each business is unique in its risks and mitigation requirements, but there are some general items to help prepare:
Conduct a Risk Assessment
Start with a thorough audit of what personal information your business has and where you store this information. Examples of this are:
- Marketing software (Mailchimp, Constant Contact)
- Websites & Online Stores (WooCommerce, WordPress)
- CRM software (ConnectWise, Salesforce)
- Email software (G Suite, Office 365)
- File Storage systems (Dropbox, network servers)
- Production line/sales funnel (warehouses, order information, processing systems)
- 3rd party services (marketing firms, production lines, suppliers, shipping & delivery partners)
- HR files
- Accounting software (QB/Xero/MYOB)
A useful place to start is with your business mentor and/or technology systems provider!
Once you have identified where personal information is stored, identify how this data is accessed and what protections you have in place. Some examples are listed below.
- Encryption & SSL certificates for web-based services
- Strong password policy
- User training & security first mindset
- Security software and best practices
- IT security provider/solution
- Proactive testing and risk mitigation plans
- Least privilege security (don’t allow access to items not required)
Once you have identified current systems and potential risks, talk to your technology team and risk specialists to reduce the risks to your organisation.
Data Breach Policy
Risk minimisation and mitigation are always the best option. In an ideal world there would never be a data breach. Sadly we don’t live in an ideal world and things can go wrong. What happens when a breach occurs? What policies do you have in place to protect both the individuals and your business?
Before people go to panic stations, create a thorough policy and procedure for these risks to ensure compliance with both the GDPR and NDB. A solid plan should include at a minimum:
- Responsible parties and roles (who is in charge and manages the data breach?)
- Primary points of contact
- Impact minimisation (closing security hole, mitigating breached data)
- Identifying scope of breach
- Identifying affected parties
- Breach report generation and submissions
- Post-mitigation works (security improvements etc.)
- Continuous improvements and culture improvements
Continuous Improvement Culture
Much like the aviation industry, which is a learning culture and continually improves from failures and accidents, an organisation needs to develop a continuous review and improvement culture. This isn’t to say you should develop overly burdensome processes and load the business with tremendous overhead, but rather engage with all stakeholders to improve on a daily basis.
A risk lifecycle assists with the continual improvement culture in the business.
As a risk is identified it is added to a risk register. This register can be a simple Excel document for smaller organisations or a specific risk management tool for larger companies.
Assess the risk by severity, likelihood, and risk vector. A lost USB might be very severe and quite likely, and be an internal risk (loss or theft) where a website breach may be catastrophic, plausible, and both an internal and external risk. A simple mathematical formula on the three criteria determines risk priority and what actions should take place.
Mitigate & Minimise
Once a risk is assessed, an attempt to mitigate or minimise the risk should occur. This may be a policy disallowing USB drives for any corporate data, or enhanced security measures and threat intelligence.
Once action has been taken, the status and description of the work done is updated on the risk register. For critical risks additional documentation or recommendations may be made. Any items that are deemed critical should be made a high priority and attended to immediately. If a risk cannot be addressed, this needs to be escalated to the appropriate people.
A regular review process should be implemented for all risks and additional risks should be identified and added to the risk register as required.
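The risk lifecycle described above (register, assess on severity, likelihood and vector, prioritise with a simple formula, mitigate, escalate what cannot be addressed, and review regularly) can be made concrete in a few lines of code. The following is an added example, not code from the original article. The 1–5 scales, the vector weights, the critical threshold of 20, the 90-day review interval and the sample risks are all assumptions constructed to illustrate the register; the article specifies none of these values.

```python
"""Minimal risk register with a three-factor priority score (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Vector(Enum):
    """Where the threat comes from: inside the organisation, outside, or both."""
    INTERNAL = "internal"
    EXTERNAL = "external"
    BOTH = "internal+external"


# Assumed weights: a risk reachable from both inside and outside has more ways
# to be realised, so it ranks above a purely internal risk of equal severity
# and likelihood. The article does not specify these numbers.
VECTOR_WEIGHT = {Vector.INTERNAL: 1.0, Vector.EXTERNAL: 1.2, Vector.BOTH: 1.5}

# Assumed critical threshold on a 1..5 x 1..5 scale (maximum 25 x 1.5 = 37.5).
CRITICAL_THRESHOLD = 20.0


@dataclass
class Risk:
    name: str
    severity: int              # 1 (minor) .. 5 (catastrophic)
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    vector: Vector
    status: str = "open"       # open | mitigating | escalated
    mitigation: str = ""
    review_due: Optional[date] = None

    def __post_init__(self) -> None:
        if not (1 <= self.severity <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("severity and likelihood must be on a 1..5 scale")

    def score(self) -> float:
        """Severity x likelihood, weighted by how exposed the risk vector is."""
        return self.severity * self.likelihood * VECTOR_WEIGHT[self.vector]

    def is_critical(self) -> bool:
        return self.score() >= CRITICAL_THRESHOLD


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest score first: the order in which risks should be attended to."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def record_mitigation(risk: Risk, description: str, today: date,
                      review_days: int = 90) -> Risk:
    """Update the register entry once action has been taken and book a review."""
    risk.mitigation = description
    risk.status = "mitigating"
    risk.review_due = today + timedelta(days=review_days)
    return risk


def escalate_unaddressed(register: List[Risk]) -> List[str]:
    """Critical risks still open with no mitigation recorded are escalated."""
    escalated = []
    for risk in register:
        if risk.is_critical() and risk.status == "open":
            risk.status = "escalated"
            escalated.append(risk.name)
    return escalated


def overdue_reviews(register: List[Risk], today: date) -> List[str]:
    """Entries whose booked review date has passed, for the regular review cycle."""
    return [r.name for r in register
            if r.review_due is not None and r.review_due < today]


def build_sample_register() -> List[Risk]:
    """Constructed sample entries modelled on the scenarios in the article."""
    return [
        Risk("Lost USB drive holding a customer export", 4, 4, Vector.INTERNAL),
        Risk("Website / online store compromise", 5, 3, Vector.BOTH),
        Risk("Customer spreadsheet emailed to wrong recipient", 3, 4, Vector.INTERNAL),
        Risk("Filing cabinet disposed of with documents inside", 3, 1, Vector.INTERNAL),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in prioritise(register):
        flag = " CRITICAL" if r.is_critical() else ""
        print(f"{r.score():5.1f}  {r.name}{flag}")
    print("escalated:", escalate_unaddressed(register))
    record_mitigation(register[0], "USB drives blocked by policy", date(2018, 3, 1))
    print("overdue on 2018-06-15:", overdue_reviews(register, date(2018, 6, 15)))
```

With the sample entries, the website compromise scores 22.5 and is the only critical item, so it is escalated if nobody has recorded a mitigation; the lost USB drive scores 16 and drops to "mitigating" once the USB policy is recorded, with a review booked 90 days out. Swapping the spreadsheet for a real tool changes only where the entries are stored, not this lifecycle.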
How Can We Minimise Risk?
Unfortunately malicious actors and threats are appearing all the time, forever finding the next attack opportunity. From a pure technology basis some simple steps can be implemented.
- Work with a technology solutions provider to provide sustainable, secure systems
- Don’t treat security as a cost centre. Organisations tend to think of security as a cost, not a priority. In today’s society a single data breach can cost the same as implementing security for over a decade!
- Train staff on best practices and minimising risks to data breaches.
- Don’t store personal information on local computers, USB drives, or publicly accessible web services, and don’t send it via email.
The changing view on privacy around the world is increasing pressure on organisations to protect data and not put individuals’ personal information at risk. High-profile breaches like Equifax exposing over half the US population’s data through simple security failures highlight how little organisations focus on security and why everyone needs to work harder to protect individual privacy.
I have been working closely, both with my clients and inside our organisation, to prepare for the new legislation and ensure we fulfil our expectations of privacy and security. It is a complex solution, with each organisation having a unique set of circumstances and risks.
Connect with me via:
Phone: +61 4 0525 9005