Time is running out for businesses to get their house in order before the European Union’s General Data Protection Regulation (GDPR) comes into effect. Once that happens, we’ll start to see the true picture of the scale of data breaches within Europe and the impact that will have on the reputation of a multitude of businesses. Furthermore, the impacts of not complying will be felt across borders, and Australian businesses need to remain up to date as to the implications this could have on their business operations. Up until 25 May 2018, EU businesses will be able to get away with keeping breaches from their customers, but this will change as the focus will be on protecting data going forward.
Australia is following suit with the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which passed Parliament on 13 February 2017 and comes into effect on 22 February 2018. Under the mandatory data breach notification (MDB) requirements, businesses with lax security will be put in the spotlight: they must notify both the regulator and affected individuals once they have reasonable grounds to believe an eligible data breach has occurred. It is also important to note that MDB, much like the GDPR, reaches beyond national borders: it applies to organisations covered by the Australian Privacy Act, including overseas organisations that do business in Australia, and therefore touches their customers globally.
So how can businesses ensure they are compliant and what steps do they need to take? We’ve included our six-step process below:
Step one – Understand the legal framework
In order to meet compliance, businesses first need to understand the legislation and its implications. This can be achieved by doing a compliance audit against the legal framework. Part of this audit is appointing a data protection officer to interpret the regulations and apply them to the business. This person needs combined legal and technology knowledge, so that they understand both the regulatory framework and the technical controls needed to meet it. As each organisation is unique, the road to compliance will differ as well.
Step two – Create a data register
Once businesses have better visibility of where they stand against the legal requirements, they need to keep a record of the process by developing a data register. Each jurisdiction has a data protection authority (DPA) responsible for enforcing the legislation; in Australia this is the Office of the Australian Information Commissioner. It is this authority that will judge whether a business has been compliant when determining any penalties following a breach. Should a breach occur during the early stages of implementation, the business should be able to show the DPA its progress towards compliance through its data register.
Step three – Classify your data
Businesses need to understand what data needs to be protected and how it should be protected. Firstly, they must find any personally identifiable information (PII) about their customers and identify where this data is stored, who has access to it, who it is shared with, and so on. Then they can determine which data is of higher importance and more vital to protect, based on its classification. This also means knowing who is responsible for controlling and who for processing the data, and making sure all the correct contracts are in place.
Step four – Start with your top priority
Once the data has been identified, businesses need to assess it, including how it is produced and protected. With any data or application, the first priority should be to protect the user's privacy. When looking at the most private data or applications, businesses should always ask whether they really need that information and why. This data is extremely valuable to hackers and cybercriminals and therefore carries the highest risk of being breached. Businesses should complete a privacy impact assessment (PIA) or, under the GDPR, a data protection impact assessment (DPIA) for each processing activity that handles this data, evaluating the data life cycle from collection to destruction. It's important to keep in mind when doing this the rights of users and customers, including data portability and restriction of processing.
From here, companies should evaluate their data protection strategies. How exactly are they protecting the data? This must cover the data they are producing, data that has been backed up, and historical data kept for analytical purposes. Businesses must ask themselves how they are anonymising this data to protect the privacy and identity of the users it relates to. Note that pseudonymised data (for example, identifiers replaced with keyed hashes or tokens that whoever holds the key can re-link to a person) is still personal data under the GDPR; only data that can no longer be attributed to an individual counts as anonymised and falls outside its scope. Always keep in mind that data should be protected from the day it is collected through to the day it is no longer needed, and then it should be destroyed in the correct manner.
Step five – Assess and document additional risks and processes
Aside from the most sensitive data, the next stage is to assess and document other risks, with the goal of finding out where the business might be vulnerable during other processes. As this is being done, it is vital businesses keep a roadmap document to show the DPA how and when they are going to address these outstanding risks. It’s these actions that show the DPA that the business is taking compliance and data protection seriously.
Step six – Revise and repeat
The last step is all about reviewing the outcome of the previous steps and remediating any fallout, amending and updating where necessary. Once this is complete, businesses must determine their next priorities and repeat the process from step four.
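Steps three and four, finding PII, ranking it by sensitivity and deciding how it is pseudonymised, are the parts of this process an engineer can automate. The script below is an added example, not the author's or Gemalto's tooling: it scans three constructed data stores (a CRM export, a web-server access log and a policy document, all made up here) for a few illustrative identifier patterns, builds a register ordered with the most sensitive store first, and replaces detected identifiers with keyed HMAC tokens. The file names, records and key are assumptions for the demonstration, and the regexes are deliberately narrow; a real discovery scan needs many more detectors (names, postal addresses, government identifiers, card numbers).

```python
"""Added example (not from the article): PII discovery, classification and
keyed pseudonymisation over constructed sample data stores.

All file names, records and the secret key below are constructed for the
demonstration; the regexes are illustrative, not a complete PII taxonomy.
"""
import hashlib
import hmac
import re

# Constructed stand-ins for three data stores a discovery scan would crawl:
# a CRM export, a web-server access log and a policy document.
SAMPLE_STORES = {
    "crm/customers.csv": (
        "id,name,email,phone\n"
        "1,Alice Example,alice@example.com,+61 400 000 001\n"
        "2,Bob Example,bob@example.net,0412 345 678\n"
    ),
    "web/access.log": (
        '203.0.113.7 - - [10/May/2017:10:00:01 +1000] "GET /login HTTP/1.1" 200 512\n'
        '198.51.100.23 - - [10/May/2017:10:00:02 +1000] "GET /about HTTP/1.1" 200 1024\n'
    ),
    "docs/policy.txt": "Retention: delete customer records 7 years after last contact.\n",
}

# Illustrative detectors only (non-capturing groups so findall returns whole matches).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone_au": re.compile(r"(?:\+61\s?|\b0)4\d{2}\s?\d{3}\s?\d{3}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Lower tier number = more sensitive = higher priority (step four).
DIRECT_IDENTIFIERS = {"email", "phone_au"}
ONLINE_IDENTIFIERS = {"ipv4"}


def scan_text(text):
    """Count matches of each PII pattern in a text blob."""
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}


def classify(counts):
    """Map the PII types found to a (tier, label) used to rank the register."""
    found = {name for name, n in counts.items() if n}
    if found & DIRECT_IDENTIFIERS:
        return 1, "direct identifiers (PII)"
    if found & ONLINE_IDENTIFIERS:
        # IP addresses are personal data under the GDPR when they can be
        # linked back to an individual, so they still belong in the register.
        return 2, "online identifiers"
    return 3, "no PII detected"


def build_register(stores):
    """Produce a data register: one row per store, most sensitive first.

    Owner and retention are left for the business to fill in; a scan can
    only tell you what is there and where, not who is accountable for it.
    """
    rows = []
    for store, content in stores.items():
        counts = scan_text(content)
        tier, label = classify(counts)
        rows.append({
            "store": store,
            "tier": tier,
            "classification": label,
            "pii_types": sorted(n for n, c in counts.items() if c),
            "matches": sum(counts.values()),
            "owner": None,      # to be completed by the controller/processor
            "retention": None,  # to be completed from the retention policy
        })
    return sorted(rows, key=lambda r: r["tier"])


def pseudonymise(text, key):
    """Replace every detected identifier with a keyed HMAC-SHA256 token.

    This is pseudonymisation, not anonymisation: whoever holds `key` can
    re-link a token to a person by recomputing the HMAC over a candidate
    value, so the output is still personal data and the key must live
    apart from the data it protects. The same input always yields the same
    token, which keeps joins across datasets working for analytics.
    """
    def token(match):
        digest = hmac.new(key, match.group(0).encode(), hashlib.sha256).hexdigest()
        return "pseu_" + digest[:16]

    for rx in PATTERNS.values():
        text = rx.sub(token, text)
    return text


if __name__ == "__main__":
    for row in build_register(SAMPLE_STORES):
        print(row)
    demo_key = b"constructed-demo-key-keep-it-out-of-the-data-store"
    print(pseudonymise(SAMPLE_STORES["crm/customers.csv"], demo_key))
```

Running it lists the CRM export first (direct identifiers), the access log second (IP addresses are online identifiers) and the policy document last, then prints the CRM rows with e-mail addresses and phone numbers tokenised. Note that the customer names survive untouched, which is exactly the kind of gap a regex-only scan leaves and why the register needs a human owner per row rather than a script's verdict.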
From next year, companies will no longer have the luxury of hiding their breaches. Those that fail to show they have the right measures in place – or are at least making efforts to – will face fines and undoubtedly a big hit to their reputation. In a year’s time, we’ll start to get the real picture of how seriously businesses are taking the security of their data – and the number of breaches really taking place.
By Graeme Pyper, regional director, Australia and New Zealand at Gemalto