The Australian Government has recently passed a new privacy amendment – the Privacy Amendment (Notifiable Data Breaches) Bill 2016 – to the Privacy Act 1988. The big question is who it will affect and what you can do to prepare.
This Bill introduces mandatory data breach notification provisions for agencies, organisations and certain other entities that are regulated by the Australian Privacy Act. When this law comes into effect (a set date is yet to be confirmed), organisations that hold any kind of private personal data of Australian citizens will need to make sure they are doing all they can to protect this information. Just like the GDPR, this does not apply only to organisations based in Australia, but to any organisation globally that holds this kind of data on Australian citizens.
The main focus of this amendment is to make sure users are notified when their data has been compromised in a data breach. Organisations will need to make sure that those affected, as well as the information commissioner, are informed within 30 days of a data breach occurring.
Failure to do so can result in strict penalties: fines of up to $360,000 for individuals, and $1.8 million for organisations with an annual turnover of more than $3 million. With the law coming into effect in the not too distant future, it is important for organisations to get things in order now: understanding what private personal data needs to be protected, starting to secure it, and putting resources and policies in place. The best place to start is with data classification, the first step to a truly data-centric approach to protecting personal information.
- Failure to report a breach can lead to fines of up to $1.8 million for organisations or $360,000 for individuals
- Affects organisations with an annual turnover of more than $3 million
- The regulation will be enforced at some point over the next 12 months
- Organisations will need to make sure that those affected, as well as the information commissioner, are informed within 30 days of a data breach occurring.
- This does not apply only to organisations based in Australia, but to any organisation globally that holds data on Australian citizens.