In addition to their regulatory obligations, the Office of the Information Commissioner (OAIC) calls on those covered by the regulation to think beyond tick box compliance.
This was in the 12-month insights report released as part of Privacy Awareness Week (PAW).
According to the report:
However, organisations must ultimately move beyond a pure compliance mindset. E Data breaches can affect any organisation, as is evident in the increasing data breach notification volumes in jurisdictions internationally.
The OAIC Commissioner Angelene Falk said that businesses should now be in a better position to comply with their obligations.
“After more than 12 months in operation, entities should now be well equipped to meet their obligations under the scheme and take proactive measures to prevent breaches of personal information,” she said.
Falk added that this year the OAIC would be focused on raising awareness prevention and response to data breaches.
The report found that there has been 712 per cent the increase in reports under the mandatory scheme.
Of the 964 eligible breaches, 60 per cent of the breaches that have been reported under this scheme has been attributed to malicious behaviour.
35 per cent of breaches have been attributed to human and error and only 5 per cent could be attributed to a system fault.
The most common form of the malicious breach comes from successful phishing attacks.
While the OAIC said in their report that they acknowledge the effort that the business has made to minimise the damage, there is still some work for.
The report continues:
Entities should also test whether their data breach response plans and contracts adequately address all arrangements necessary in the event of a data breach, including accountabilities for assessing harm and notification and providing access to premises and information and other matters relevant to investigating data breaches.
How to get this right
The GRC Professional caught with Bronwyn Gallacher from CCL Consultants who have been looking at the developments in privacy regulation and how that would impact organisations.
Gallacher said that one of the challenges is that business may not fully be prepared to meet their obligations.
“The biggest problems facing businesses regulated by the Notifiable Data Breach (NDB) scheme is that they are largely unprepared to identify and manage a data breach quickly, appropriately and effectively. This may be attributed to a range of factors, including but not limited to, a lack of understanding of their own data holdings, not knowing where serious privacy risks lie, weak workplace practices and a data response plan that is simply not good enough.”
Gallacher shared eight fundamental principles that businesses can do to meet their
Prioritise the protection of privacy. Express this in policy so the everyone knows that this is a company-wide priority. In doing so, outline the expectations of employees and encourage a positive reporting environment to avoid bigger issues.
Conduct in-house audits to understand data holdings across your organisation. Find out what you have, where it is and how it is stored.
Carry out risk assessments to identify and assess data breach risks, and implement risk control activities. Regular risk assessments are recommended to capture vulnerable new and emerging risks.
Have the right people in place to respond to a data breach, including, where needed external subject matter experts.
Test and review your data response plan regularly to evaluate its effectiveness and identify opportunities for improvement. The aim of good continuous improvement should be an ongoing, long term approach.
Provide regular training for employees who handle personal information to increase their awareness of their responsibilities and reporting obligations, develop their understanding of the common causes of data breaches and provide them with the necessary skills to identify and avoid risk. Special focus should be given to data handling practices, how to assess the seriousness of the harm and how to report data breaches. Scenario-based teaching and case studies should be incorporated to deliver the best possible outcomes in practice.
Implement robust workplace procedures and practices to assist employees in carrying out their duties.
Improve data security. Implement best practices for success. For example, encrypt personal information, demand strong passwords that must be changed regularly, use multiple authentication systems and have the best, up-to-date security software installed. Regular assessment of data security is recommended to ensure that it is comprehensive and up-to-date.