About us
Locations
- Adelaide
  - Level 1
  - 333 King William Street
  - Adelaide SA 5000
  - GPO Box 949, Adelaide SA 5001
  - +61 8 8456 2433
  - +61 8 8456 2499
  - info.sa@gadens.com
  Location Map
- Brisbane
  - Level 11, ONE ONE ONE
  - 111 Eagle Street
  - Brisbane QLD 4000
  - GPO Box 129, Brisbane QLD 4001
  - +61 7 3231 1666
  - +61 7 3229 5850
  - info.qld@gadens.com
  Location Map
- Melbourne
  - Level 13, Collins Arch
  - 447 Collins Street
  - Melbourne VIC 3000
  - GPO Box 48, Melbourne VIC 3000
  - +61 3 9252 2555
  - +61 3 9252 2500
  - info.vic@gadens.com
  Location Map
- Perth
  - Lavan (Associate office)
  - Level 20, The Quadrant
  - 1 William Street
  - Perth WA 6000
  - PO Box F338, Perth WA 6000
  - +61 8 9288 6000
  - +61 8 9288 6001
  - info.wa@gadens.com
  Location Map
- Sydney
  - Level 20
  - 25 Martin Place
  - Sydney NSW 2000
  - PO Box H332, Australia Square NSW 1215
  - +61 2 9231 4996
  - +61 2 9163 3000
  - info.nsw@gadens.com
  Location Map
International
Careers
News
Contact us

Data protection and the human error curse: Part 2 | How CEOs and Directors can avoid the wrath of customers and the Privacy Commissioner

12 February 2021

Michael Owens, Partner, Brisbane

In Part 2 of our Data protection series, Kelly Marshall looks at six key things CEOs and Directors can do now to minimise data breach compliance and reputational risk.

Our previous article Data protection and the human error curse: Part 1 | Why CEOs and Directors need to be concerned looked at why it is so important for CEOs and Directors to be aware of the Data Breach laws.

Recap – which companies does it apply to again?

You’ll remember that the data breach compliance obligations apply to:

‘APP Entities’ (i.e. government agencies and organisations with an annual turnover of $3 million or more)
credit reporting bodies and providers;
companies that deal with personal or health information;
companies that hold Tax File Number information.

It is only a matter of time: Why data breach compliance is so important

Data breaches are now the norm. We have moved from an it’s not ‘if’ a data breach may occur, but ‘when’ environment to an it’s not ‘when’ a data breach will occur but ‘how often’.

Why is compliance important? Misuse of your customer’s personal data, including failing to adequately respond to a data breach, can cost your company its customers, business relationships and reputation, and incur significant legal and compliance costs.

A third of all data breaches reported to the OAIC for the January to June 2020 period occurred due to human error or internal intrusions. These are breaches that can be significantly decreased through employing some key risk minimisation strategies.

How to minimise the risk

So, how can you minimise your company’s compliance and reputational risk? Here are 6 things to consider:

1. Privacy risk assessment. A privacy risk assessment or PIA helps you to understand your privacy risk profile and where gaps need to be plugged. These can be done company wide, or specific to a particular project. It could save your business from the wrath of your customers and the Privacy Commissioner, including lost business, significant fines and reputational damage. In today’s environment of increased digitisation, consider whether you should expand this to include a cyber security assessment.
2. Privacy by design. Be proactive. Ensure you have a privacy and data breach policy including a Data Breach Response Plan. Your policies and procedures need to comply with the law, but also practically reflect and respond to your particular business practices and needs, including minimising human errors.
3. Integrate your policies throughout the business. Remember the key elements of any good privacy and data breach response – Develop. Implement. Train. Educate. Test. Repeat.
4. Outsourcing and cloud service providers. Don’t forget your company’s obligations under the Australian Privacy Principles to secure personal information, including if the data will be held by a service provider on or off-shore.
5. Partitioning / Information Barriers / BYOD. Think holistically about your company’s privacy strategy. Do all staff need access to every file, should there be partitioning between commercial teams or offices, does every staff member need to have access to emails, customer data etc on their own devices? If so, what measures does your company have in place to protect its and its customers’ data.
6. Patience. They say that Rome wasn’t built in a day. Nor is any appropriate approach to privacy and data breaches. Most organisations will be already well established so transitioning the company to a new normal may be challenging, others might be just starting out and facing the challenge of prudently managing company finances to get their business off the ground. Whatever your situation is, seek expert advice and have patience. A privacy and data breach culture comes from the top down. The key is to understand what you need to do now, what you legally have to do, what you commercially should do, what is a nice to have, and what can be managed later on as required. Investing now, will save you later.

Authored by:

Michael Owens, Partner
Kelly Marshall, Director

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.

Get in touch

Michael Owens
Partner, Brisbane
+61 7 3114 0146
michael.owens@gadens.com