22 February will mark the first anniversary of the Notifiable Data Breaches (NDB) scheme.
The Office of the Australian Information Commissioner (OAIC) will soon publish its first quarterly report for 2019.
In addition to the NDB scheme, some Australian organisations have also had to assess their exposure to the General Data Protection Regulation (GDPR) and the implications that Brexit will have for the UK's privacy laws.
Last year, Madgwicks Lawyers partner Dudley Kneller spoke at the GRC2018 Event Series about compliance with privacy regulation.
The GRC Professional caught up with him recently to get a sense of how organisations are meeting their obligations.
Kneller said that prior to the NDB scheme, few notifications were being sent to the OAIC, but the numbers spiked once the legislation came into force.
“The forced requirement to notify has really had an impact in terms of organisations that are required to comply with the Privacy Act effectively fessing up to breaches when they occur.”
He explained that when the legislation was first introduced there seemed to be a lack of awareness of the obligations, particularly within the first six months.
“I think there were some larger organisations that seemed to be ready for the obligations and understood what was required of them.”
But small and medium-sized organisations did not seem to be aware of the requirements.
However, the 2018 quarterly reports helped to shed light on vulnerable areas for regulated entities.
Kneller said that organisations took a conservative approach towards notifications, so if there was any doubt they took the position that it was best to notify the regulator.
“I think over time we got to understand, or got more comfortable with, the concept of what constitutes serious harm, and again that is not something that is defined in the Act,” he said.
This has to do with the time organisations have put into their response procedures and workflows.
Another piece of legislation Kneller said he had been working on with clients is the GDPR.
Many Australian organisations needed to work out whether they had to comply, and now also have to work through the ‘complexities’ around Brexit.
Kneller said that many larger institutions were trying to work out whether they should manage this regulation from Australia or whether they also needed to bring in lawyers from the UK and the EU.
Regulatory risk is playing a big role, especially once the raft of new regulation that has come into place for financial services is taken into account.
“Sort of a raft of new and likely introduced legislation around how we do business in Australia in particular sectors, and that is the huge cost of doing business, and the role of the legal and risk function will increase.”