A data reality check – What do GDPR and NDB mean for Australian businesses?
- 04 July, 2018 16:29
As we are all too aware, the ever-changing nature of cyberattacks is a threat to online systems and organisations. From attacks on networks and applications to data exfiltration and service disruption, and from single-vector to multi-vector campaigns, cyber criminals are driving a strong shift in the digital security space.
These persistent security threats, paired with the General Data Protection Regulation (GDPR) taking effect across the European Union in May this year and the Australian Notifiable Data Breaches (NDB) scheme commencing in February, raise some pertinent questions.
With data used by virtually every company on the planet to run its business better, whether through personalised advertising or loyalty and rewards programs, these two pieces of legislation have forced all businesses to rethink how they manage and protect their customers' personal data.
What do GDPR and NDB mean for businesses?
The introduction of both GDPR and NDB means Australian businesses need to be more vigilant than ever when gathering and storing consumer data. The breach notification requirements of both GDPR and NDB empower the individuals whose data is held by increasing transparency between organisations and their customers or users in the event of a data breach.
Furthermore, mandatory notification allows individuals to defend themselves against the consequences of a breach, for example by changing passwords or watching for phishing that reuses the leaked details, while the business addresses the breach from its end. These notification requirements also produce better and more detailed documentation of data breaches, which in turn gives organisations and authorities across the globe greater knowledge in the never-ending battle against cyber threats.
The Office of the Australian Information Commissioner's (OAIC) Notifiable Data Breaches Quarterly Statistics Report for January – March 2018 revealed that of the 63 reported data breaches, the vast majority were the result of malicious or criminal attacks or human error. Most breaches were reported by the health sector, and it was largely contact information, including names, phone numbers, email addresses and home addresses, that had been compromised. By sharing this information with those who may have been affected, organisations enable users to protect themselves by taking action to prevent their information being exploited.
The reality is that, with GDPR and NDB legislation in effect, many organisations are still struggling to understand how best to comply with the new requirements. Essentially, GDPR and the NDB scheme require them to re-assess every aspect of their data practice.
Under GDPR, organisations need a lawful basis under Article 6 for every use of personal data, such as a legitimate interest or freely given, specific and informed consent. This means they must have a clearly defined data strategy that justifies every piece of data they collect. Individuals also have new rights over their own data, including access, rectification, erasure and portability, which has forced many businesses to revisit how they store, catalogue and retain the data they collect.
Protect your client data and your business
Along with being able to show that the data your business collects is relevant and serves a specific purpose, there is now a strong onus on businesses to report data breaches. Under GDPR, the supervisory authority must be notified within 72 hours of the organisation becoming aware of the breach (not of the breach itself occurring), and affected individuals must be told without undue delay where the breach is likely to result in a high risk to them. Under the NDB scheme, a suspected eligible breach must be assessed within 30 days, and the OAIC and affected individuals notified as soon as practicable once it is confirmed. Failure to comply can attract massive fines (up to €20 million or 4% of global annual turnover under GDPR), especially if the business trades in Europe.
In an ideal world data breaches would be avoided entirely; since that is not the case, it is imperative that organisations do everything they can to protect customer data. Whether the threats are external or internal, accidental or intentional, organisations must carry out comprehensive reviews of their data processing policies and security measures and clearly identify the vulnerabilities in their own infrastructure. Regular reviews also allow IT teams to build better defences and find better solutions.
Another good way of ensuring your organisation's data protection complies with GDPR's guidance is to employ robust technologies and systems that safeguard critical information infrastructure. This is particularly important as today's cyber criminals are savvy and keenly aware of the changing cyber landscape.
They will stop at nothing to gain access to business systems, including multi-vector attacks in which, for example, a DDoS attack is used as a distraction while ransomware or other malware is deployed and confidential information is stolen. To meet the new data standards and avoid hefty fines and a considerable hit to reputation, companies must ensure consumers' data is protected in an equally robust and measured way.
While achieving compliance with both GDPR and NDB is a challenge for organisations, it is not impossible. It does, however, require thoughtful consideration and review of an organisation's data policies to make sure they are up to scratch and fully comply with the newly introduced data protection frameworks. It is also more imperative than ever for employers, employees and consumers to be proactive in continuously educating themselves and keeping up to date on the constantly evolving cyber-threat landscape to prevent data from falling into the wrong hands.