Recent high profile data breaches and the prospect of mandatory data breach notification have put privacy on the agenda in Australian businesses. More than ever, now is the time to ensure your business has established a good culture and awareness around privacy compliance.
The government last month released an exposure draft of its mandatory data notification laws, which increases the stakes for businesses that suffer a data breach causing a 'real risk of serious harm'. Whilst notification was previously recommended in such cases, businesses will no longer have a choice under these draft laws.
So here are five things you can do to minimise the risk of a data breach and avoid exposing the company to non-compliance with privacy laws.
- Establish a culture of privacy compliance
Privacy compliance should not be the sole responsibility of a business's legal or compliance function. These departments, along with external legal advisors, play an important role in interpreting and advising on privacy rules in relation to the business, but privacy compliance is the responsibility of everyone in the business that handles personal information.
The marketing team, for example, should understand the data it is collecting and the notifications required. The IT function will be able to ensure that a website is tested following an update - of which the failure to do so has led to several reported data breaches. The recruitment team will know what information they need from candidates. The customer service team deals with personal information on a frequent basis. Training and engagement should be undertaken with all these functions and any others that handle personal information.
When you start to notice employees from across the business becoming 'privacy aware' and asking questions regarding what can and cannot be done, you know a business is building a good culture of privacy compliance. In this environment, data breaches are far less likely to occur. And if there is a breach, what is 'exposed' is less likely to be non-compliant with privacy laws.
- Audit stock of personal information and develop informed policies and processes
- Review contracts
During the audit process above, a business will probably find it receives personal information from third parties and that third parties store or handle personal information on the business's behalf. If possible, it is therefore important to ensure that these third parties have contractual obligations to comply with Australian privacy laws. This is especially the case where the third party is overseas and the Australian laws do not otherwise apply to it. Clauses can be drafted around specific measures the third party is required to take and liability and indemnity provisions inserted to reflect that privacy breaches can cost a business millions.
- Encrypt data and probe to continuously improve your IT security measures
However, for a larger business it would be prudent to consider engaging external advisors or tasking similarly skilled staff to (for example) conduct network penetration testing to identify potential weaknesses. Even smaller businesses would be expected to implement reasonably available security measures, such as password protection of devices, firewalls, and malware detection and prevention software.
- Develop a data breach response plan
The damage associated with a data breach can be minimised by putting plans in place that enable you to act swiftly and avoid major trust issues emerging amongst your customer base. In the event of a breach, it is not just the fact of a breach itself that will bring the wrath of the regulators and other stakeholders. A lot can come down to how a business responds. It will often need to respond very quickly, especially to contain the breach and to determine who, if any, of those affected will be notified and how. If these issues have been considered in calmer times, these steps can undoubtedly be undertaken more swiftly and effectively in the unfortunate event of a data breach.
The Privacy Commissioner has recently released a draft guide to developing a data breach response plan, a clear indication that the regulator believes developing such a document is best practice. Professional advisers can also be engaged to assist a business to develop a data response plan and any other policies or processes covering privacy compliance.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.