All businesses that are currently subject to the Privacy Act will have new mandatory data breach notification obligations from 22 February 2018.
With new obligations under the European Union General Data Protection Regulation (EU GDPR) also applying to many Australian businesses, now is the time to finalise your updated privacy procedures.
Step 1 – understand your obligations. You will need to understand the new mandatory data breach notification requirements and, if you handle the personal information of EU customers, the GDPR requirements as well.
Step 2 – audit your existing systems. Do you have clear, simple procedures for the first containment steps after a breach: resetting compromised passwords and credentials, revoking or limiting access, correcting or removing exposed information that is online, and notifying the right people internally? Assess the likely security risks in your organisation and identify the weak points an attacker or an accidental disclosure is most likely to exploit.
Step 3 – audit your suppliers. You will need to review vendor contracts, particularly with IT vendors, to check whether appropriate privacy and breach notification requirements are in place for your suppliers, including an obligation to tell you promptly when they suffer a breach involving your data. Have you identified suppliers you can call on to help you identify, contain and respond to breaches?
Step 4 – update your plan. Many organisations will already have data breach response plans in place. Check whether these are up to date: current people, contact details and systems need to be added. Plans will need to be updated to reflect the Australian mandatory reporting obligations and the GDPR requirements. In particular, under the GDPR you need to note the 72 hour timeframe for notifying the relevant supervisory authority, which runs from the time you become aware of the breach, so your plan must get a suspected breach escalated and assessed quickly enough to meet it. Ensure that your privacy policy is also up to date; we see a lot of privacy policies that were drafted before the changes of the last few years and haven't been updated since.
Step 5 – test your plan. Walk through realistic scenarios (for example a lost laptop, a phishing compromise of a staff mailbox or a supplier reporting a breach) to confirm that the right procedures, people and systems are in place and that the notification timeframes can actually be met.
You should ensure that your procedures are ready within the next month.
We can help you with a privacy toolkit including details of the new requirements, updated policies, procedures and reviews to ensure that you are ready for February. If you would like to discuss our privacy toolkit, contact us.