GDPR: the new Notifiable Data Breach on the block
Article written by Sophos general manager Australia and New Zealand Ashley Wearne
Australian organisations have already made the necessary adjustments (or at least they should have), to ensure they are compliant with NDB (Notifiable Data Breach) laws introduced in late February this year. But if locally-based organisations control, collect or share any personal data belonging to EU citizens, they will also need to be compliant with the soon-to-be-introduced GDPR (General Data Protection Regulation).
GDPR officially came into effect on Friday and any business that now finds itself not in compliance could be hit with big fines (up to €20m or 4% of an organisation’s annual global turnover). However, it’s not just the monetary consequence that organisations should be concerned with – the severity of reputational damage has the potential to far outweigh the financial cost.
The idea behind GDPR is to protect EU citizens’ privacy by giving them greater control over how their personal data is obtained, processed and shared, as well as visibility into how and where that data is used; placing greater accountability on the organisations holding it. This may require that some organisations review their processes and policies around data management as well as assessing whether or not the data they have is still business critical.
Organisations can no longer collect user data haphazardly; GDPR requires that they only collect user data where there is a ‘lawful basis’ to do so, and that basis must be documented. This means that the value of data will shift from being an asset to a potential liability if it is not handled or managed properly. An effective way for organisations to reduce the risk is by permanently deleting data which is no longer needed and to ensure they protect the rest of it.
While reducing the risk of a breach is undoubtedly important for reaching compliance, organisations also need to look at what can be done to stop incoming breach attempts. A three-pronged approach is essential when it comes to protecting an organisation from a breach. This includes;
1. Stop hacking and malware – invest in security software that blocks malware from making it into your system
2. Secure lost or stolen devices – take control from a central location and remove sensitive data if something happens to the device
3. Reduce impact of human error – work with employees to ensure they’re on the lookout, GDPR compliance is everyone’s responsibility
Data handlers will also need to implement more informed consent processes when obtaining customer or user data, so EU citizens are fully aware of what they are opting into when an organisation is entrusted with their PII (Personally Identifiable Information). This is to ensure full disclosure between both parties and avoid any ‘nasty surprises’.
EU citizens can request information on the data held about them, via a subject access request – a written report that must be sent upon request that explains what data is held about them, why it is being used and who it has been shared with. Citizens can also request that any data held on them is deleted.
Finally, GDPR requires that organisations become much more proactive in disclosing a data breach, should one occur. It mandates that any person affected by a data breach be notified within 72 hours of the breach’s discovery, allowing the person/s affected to take any necessary action i.e. notifying their banks. This means that data protection is not just an IT issue, but a board-level issue too. It’s something that all employees should take a level of responsibility of, to ensure they have a sound understanding of the regulations.
GDPR implementation isn’t a technological box to check, it’s largely a matter of creating and formalising processes to meet the new mandates’ requirements. The new regulation has been put in place for the safety and privacy of consumers – something that organisations should keep in mind.
Over the years, we’ve seen the frequency of hacking and data breaches on the rise with a number of organisations trying to cover up their mistakes by keeping silent. Organisations will now be required to do the right thing by their customers in the event of a data breach.
The good news is that GDPR laws have come at an arguably good time for Australian organisations, as over the past 6-12 months they’ve been reviewing and updating processes and policies to ensure they’re NDB compliant. For those that maintain data on EU citizens, the same must be done now to ensure they are GDPR compliant.