All businesses that are currently subject to the Privacy Act will have new mandatory data breach notification obligations (the Notifiable Data Breaches scheme) from 22 February 2018.
With obligations under the European Union General Data Protection Regulation (EU GDPR) also applying to many Australian businesses from May 2018, now is the time to finalise your updated privacy procedures.
Step 1 – understand your obligations. You will need to understand the new mandatory data breach notification requirements, including what counts as an eligible data breach, how quickly you must assess a suspected breach, and who must be notified. If you handle the personal information of EU residents, you will also need to understand the GDPR requirements.
Step 2 – audit your existing systems. Do you have clear, simple plans for resetting passwords and revoking compromised credentials, limiting access, editing or removing exposed online information, and notifying the right people internally? Assess the likely security risks in your organisation and identify possible weak points, such as systems that hold personal information without access logging or backups.
Step 3 – audit your suppliers. You will need to review vendor contracts, specifically for IT and cloud vendors, to check whether you have appropriate privacy and breach notification requirements in place for your suppliers, including an obligation on the supplier to tell you promptly when a breach affects your data. Have you identified suppliers you can call on to help you identify, contain and respond to breaches?
Step 5 – test your plan. Walk through realistic scenarios (a lost laptop, a phishing compromise of a staff mailbox, a supplier reporting a breach) to confirm that the right procedures and systems are in place and that the people named in the plan know their roles.
You should ensure that your procedures are ready within the next month, before the new obligations commence.
We can help you with a privacy toolkit including details of the new requirements, updated policies, procedures and reviews to ensure that you are ready for February. If you would like to discuss our privacy toolkit, contact us.