The Australian Government has passed a new privacy amendment, the Privacy Amendment (Notifiable Data Breaches) Bill 2017, which cleared Parliament on 13 February 2017. It started a process that means from 22 February 2018 all entities covered by the Australian Privacy Principles (APPs) have clear obligations to report eligible data breaches. The big question is: what can you do to ensure you are compliant?
This Bill introduces mandatory data breach notification provisions for agencies, organisations and certain other entities regulated by the Australian Privacy Act 1988. When the law comes into effect on 22 February 2018, organisations that hold personal information about individuals will need to make sure they are doing all they can to protect it. As with the GDPR, the obligations are not limited to organisations based in Australia: an organisation based elsewhere that carries on business in Australia and holds personal information is also caught.
The main focus of this amendment is to make sure individuals are notified when their personal information has been compromised in a data breach. An organisation that suspects an eligible data breach must assess it within 30 days, and where the breach is likely to result in serious harm to any affected individual it must notify those individuals, as well as the Office of the Australian Information Commissioner (OAIC), as soon as practicable.
Failure to do so can result in strict penalties: fines of up to $360,000 for individuals and $1.8 million for organisations. The scheme applies to organisations with an annual turnover of more than $3 million, and to certain smaller entities, such as health service providers, regardless of turnover. With the law coming into effect in the not too distant future, organisations should get things in order now: understand what personal information they hold and need to protect, start securing it, and put the resources and policies in place. The best place to start is with data classification, the first step to a truly data-centric approach to protecting personal information.
- Failure to report an eligible breach can lead to fines of up to $1.8 million for organisations or $360,000 for individuals
- Applies to organisations with an annual turnover of more than $3 million, and to certain smaller entities such as health service providers
- The scheme will be enforced from 22 February 2018
- Organisations must assess a suspected breach within 30 days and, if it is an eligible data breach, notify those affected as well as the Office of the Australian Information Commissioner as soon as practicable
- This is not just applicable to organisations based in Australia, but to any organisation that carries on business in Australia and holds personal information