New data protection clauses are likely to feature in future tender documentation. Is your company prepared?

From 22 February 2018 organisations in Australia will be faced with a new risk profile around compliance following updates to the Privacy Act 1988 (Cth).

The changes require agencies and organisations (with an annual turnover greater than $3 million) that hold personal information to report by law to the Office of the Australian Information Commissioner (OAIC) on actual or suspected breaches of data security.

The definition of a suspected beach is where there is either unauthorised access to, or disclosure of, personal information (including some deemed forms of personal information), or loss of information that is likely to lead to unauthorised access or disclosure (breach), and that breach would lead a reasonable person to conclude that it is likely to result in serious harm to the affected individuals. Harm can take many forms, including physical, emotional, reputational or financial.

Australia is the latest jurisdiction to join the global movement to regulate data protection.  In the US, 47 of the 50 states have their own differing requirements and definitions around data breaches, while the General Data Protection Regulation (GDPR) will introduce, in May 2018, a set of rules around organisations based in, or which retain or use data of EU citizens. Examples of this data include:

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation.

What businesses should be doing to comply

It is important for businesses to demonstrate compliance with the laws by implementing internal processes that meet both assessment and notification requirements, including staff training around the new laws.

To ensure you are operationally as well as ‘tender ready’ for these new laws, organisations are strongly advised to consider, and document, how they manage risk to contain, evaluate, notify and prevent data privacy breaches.

Key considerations include (but are not limited to):

  • Processes for auditing and updating of client and customer data (eg. keeping only what is essential to operations and ensuring information is encrypted and secured)
  • An organisational chart and defined role/s of in-house or external resources responsible for management, oversight and action in case of a data breach (eg. technical forensics analyst, legal counsel and communications specialist)
  • Processes and (internal/external) systems in place around information assessments, containment of data detection breaches, data breach response planning, testing, reviews, updates and immediate action.

With consumers and businesses now more informed than ever, companies – not the hacker – need to be prepared to be blamed for lost data in the event of a breach. As stewards of data, companies that fail to comply with the new rules may face serious consequences. Prevention, transparency and responsiveness will no doubt be the new mandatory criterion around data privacy.