Data protection and the human error curse: Part 2 | How CEOs and Directors can avoid the wrath of customers and the Privacy Commissioner
12 February 2021
In Part 2 of our Data protection series, Kelly Marshall looks at six key things CEOs and Directors can do now to minimise data breach compliance and reputational risk.
Our previous article, ‘Data protection and the human error curse: Part 1 | Why CEOs and Directors need to be concerned’, looked at why it is so important for CEOs and Directors to be aware of the Data Breach laws.
Recap – which companies does it apply to again?
You’ll remember that the data breach compliance obligations apply to:
- ‘APP Entities’ (i.e. government agencies and organisations with an annual turnover of $3 million or more)
- credit reporting bodies and providers;
- companies that deal with personal or health information;
- companies that hold Tax File Number information.
It is only a matter of time: Why data breach compliance is so important
Data breaches are now the norm. We have moved from an environment where the question was not ‘if’ a data breach may occur but ‘when’, to one where the question is not ‘when’ a data breach will occur but ‘how often’.
Why is compliance important? Misuse of your customers’ personal data, including failing to adequately respond to a data breach, can cost your company its customers, business relationships and reputation, and incur significant legal and compliance costs.
A third of all data breaches reported to the OAIC for the January to June 2020 period occurred due to human error or internal intrusions. These are breaches that can be significantly decreased through employing some key risk minimisation strategies.
How to minimise the risk
So, how can you minimise your company’s compliance and reputational risk? Here are 6 things to consider:
- Privacy risk assessment. A privacy risk assessment or PIA helps you to understand your privacy risk profile and where gaps need to be plugged. These assessments can be done company-wide, or can be specific to a particular project. An assessment could save your business from the wrath of your customers and the Privacy Commissioner, including lost business, significant fines and reputational damage. In today’s environment of increased digitisation, consider whether you should expand this to include a cyber security assessment.
- Privacy by design. Be proactive. Ensure you have a privacy and data breach policy including a Data Breach Response Plan. Your policies and procedures need to comply with the law, but also practically reflect and respond to your particular business practices and needs, including minimising human errors.
- Integrate your policies throughout the business. Remember the key elements of any good privacy and data breach response – Develop. Implement. Train. Educate. Test. Repeat.
- Outsourcing and cloud service providers. Don’t forget your company’s obligations under the Australian Privacy Principles to secure personal information, including if the data will be held by a service provider onshore or offshore.
- Partitioning / Information Barriers / BYOD. Think holistically about your company’s privacy strategy. Do all staff need access to every file? Should there be partitioning between commercial teams or offices? Does every staff member need to have access to emails, customer data etc. on their own devices? If so, what measures does your company have in place to protect its own and its customers’ data?
- Patience. They say that Rome wasn’t built in a day. Nor is any appropriate approach to privacy and data breaches. Most organisations will already be well established, so transitioning the company to a new normal may be challenging. Others might be just starting out and facing the challenge of prudently managing company finances to get their business off the ground. Whatever your situation is, seek expert advice and have patience. A privacy and data breach culture comes from the top down. The key is to understand what you need to do now, what you legally have to do, what you commercially should do, what is a nice-to-have, and what can be managed later on as required. Investing now will save you later.
Michael Owens, Partner
Kelly Marshall, Director
This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.