Preventing and minimising data breaches is increasingly important with the growing costs of dealing with cyber attacks, including the time and costs of responding to data breaches, the business interruption costs, potential loss of reputation and ongoing impact to the bottom line as well as the time and costs involved in regulatory investigations and potential legal actions.
Organisations need to ensure they are prepared for, and comply with, mandatory data breach notification requirements and relevant privacy regulatory requirements, including Australia’s Notifiable Data Breaches (NDB) Scheme, effective from 22 February 2018. The NDB Scheme requires organisations to promptly notify the Australian Information Commissioner, and the individuals whose personal information is involved, of a data breach that is likely to result in serious harm. Please read more about the NDB Scheme here: Australia’s new Notifiable Data Breaches Scheme: Is your Breach Response Plan up to date?
The EU’s General Data Protection Regulation (GDPR), enforced from 25 May 2018, imposes significant changes to privacy laws in Europe, and organisations that fail to comply face heavy fines of up to 4% of annual global turnover or up to €20 million, whichever is the greater. The GDPR applies to businesses operating in the EU as well as businesses outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Please read more about the GDPR and its implications for Australian businesses here: GDPR: Change to European privacy laws and its impact on Australian businesses.
Sibenco Legal & Advisory provides your organisation with:
- Solutions to embed privacy-by-design into new processes, products and services to reduce future privacy compliance costs.
- Privacy and data impact assessments – PIAs/DIAs.
- Data Breach Response Plans.
- Effective response to data breach incidents, including complying with prompt notification requirements to regulators, customers and clients.
Privacy Frameworks
To ensure your organisation’s legal and regulatory privacy obligations are met and privacy breaches are minimised, Sibenco will review and/or develop a privacy framework for your organisation.
Sibenco will create a holistic privacy framework tailored to the unique needs of your organisation. We embed privacy in your organisation by:
- Developing an overall privacy framework;
- Developing processes for ‘privacy by design’ to be included at the start of new projects and processes, or for new products and services;
- Developing or updating privacy policies and procedures to comply with legal obligations and best practices.
Privacy Impact Assessments
Privacy impact assessments (PIAs) are an important tool for assessing privacy risks and developing mitigation strategies. Sibenco provides PIA services and will work with your project team to assess privacy risks and develop mitigation strategies to minimise the impact a project may have on the privacy of individuals.
Data Impact Assessments
A data impact assessment (DIA), which includes a PIA, provides a framework to manage data analytics projects including consideration of source data, data preparation, legal and other obligations, accountability, assessment of the impact of a project, and assessment of ethical and other interest factors. Sibenco will work closely with your project team to develop or review a Data Impact Assessment framework tailored to meet the strategic objectives of your organisation and aligned with your organisational values and other interest factors.
Please read more about this here: Big Data & Privacy: does your organisation need an ethical based approach?
The pyramid below illustrates how information extracted from data analytics can support an organisation’s strategic goals:
Ethical Frameworks for Data Analytics
Where data analytics initiatives involve the processing of personal information, an ethical based approach as part of your data impact assessment enables your organisation to build trust and transparency with your customers or users.
Sibenco assists by:
- Evaluating data analytics initiatives and preparing Data Impact Assessments;
- In respect of an ethical based approach tailored to suit the needs and requirements of your organisation:
  - Developing an Ethical Value Statement or Policy;
  - Providing an ethical based assessment for the Framework and/or checklists for use in data initiatives; and
  - Advising in relation to the establishment of an Ethics Committee.
Data Breach Preparation
Having measures in place to quickly address a data breach is key to containing risks. Sibenco will assist your organisation by:
- Preparing a Data Breach Response Plan that complies with regulatory requirements, including Australia’s Notifiable Data Breaches Scheme and the EU GDPR.
- Training a cross-functional team, including, for example, IT, communications, privacy and legal personnel, on how to respond to a data breach.
Data Breach Response Plan
Sibenco will guide your organisation in complying with regulatory notification requirements as part of your Data Breach Response Plan. Our services include:
- Ensuring compliance with data breach notification laws and reporting obligations to authorities;
- Assisting in overseeing third parties or processes for notification to customers, students, patients, etc., in a timely manner.
Post Data Breach & Remediation
- Your organisation will receive Sibenco’s expertise in identifying gaps in policies and processes and developing a remediation plan.
Further resources:
The Office of the Australian Information Commissioner (OAIC) has resources available on its website, including:
- OAIC Notifiable Data Breaches webpage including the online OAIC Notifiable Data Breach statement — Form
- OAIC Data breach response plan
- OAIC Data breach notification – A guide to handling personal information security breaches
OAIC’s guidance for Australian businesses on the GDPR – OAIC Privacy business resource 21: Australian businesses and the EU General Data Protection Regulation
EU GDPR – www.eugdpr.org
EU Commission – Article 29 Working Party
EU Commission – Data Transfers outside the EU
UK ICO GDPR guidance – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/. The UK ICO has published other resources:
- Preparing for the GDPR: 12 steps to take now – https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- GDPR checklists – one for data controllers, and another for data processors – https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
- Lawful processing – Consent – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/