The last year has seen huge changes in the privacy and data protection landscape, some that were foreseeable and some that may have caught businesses and individuals by surprise.
The introduction of the Notifiable Data Breach scheme last February caused many companies to review their preparedness for a breach, and was also a huge workload for the regulator, the Office of the Australian Information Commissioner (OAIC).
The quarterly reports issued by the OAIC on notified breaches make instructive reading and tell a story of two streams – cyber security risk and human error.
This suggests companies need to invest as much in technology as they do in their people, which is an ongoing issue as people move, change and need constant training.
The advent of the European Union General Data Protection Regulation (GDPR) has seen many organisations swamped with documentation from contractual counterparties seeking to ensure their supply chain is GDPR compliant. This has caused headaches for many Australian businesses whose Privacy Act compliance was light in any event.
A recent Deloitte survey indicated that, worldwide, only three per cent of surveyed businesses thought the GDPR did not apply to them. That means 97 per cent coverage, which may have been an unexpected territorial reach.
The EU has signalled its intent to enforce the GDPR both within and beyond the EU and the consequence is Australian businesses cannot be complacent.
EU data supervisory authorities are also being overwhelmed with complaints from citizens, and businesses are reporting a huge increase in requests for personal information from individuals.
All of this means privacy-related issues need to take a seat at the executive team table, be actively managed and be seen to be treated seriously. How the privacy and data protection function is staffed, and who is responsible, is another question many businesses large and small are grappling with.
Tie this in with cyber strategies, information security, social media and the human element and it is a significant challenge.
We will soon launch our series of national privacy roundtable events with a Sydney session on 21 March that will seek to explore some of these challenges and share peer-to-peer experience in a Chatham House rules environment.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.