An effective approach to security's year of compliance

2018 has seen a greater focus on compliance than ever before, with new laws in effect that businesses need to align their security frameworks to.

Navigating the year of new security compliance

Around the world, legislative bodies are examining the relationship between cyber security and privacy more closely, as high-profile data breaches drive greater public awareness of how personal data is being stored and protected.

Coincidentally, two major pieces of legislation have come into effect within the last six months: the Commonwealth Government’s amendments to the Privacy Act 1988, and the European Union’s expansive General Data Protection Regulation (GDPR).

Let’s take a closer look at what these laws mean for Australian businesses.

Notifiable Data Breaches (NDB) Scheme

In Australia, the Federal Government created new data breach notification laws which, from late February 2018, require businesses with more than $3 million annual turnover to disclose data breaches involving personal data that might result in “serious harm” to an individual.

In the Telstra Security Report 2018, 87 per cent of Australian businesses responded that they were already “actively adhering” to the Privacy Act 1988 last year. The Notifiable Data Breaches amendment to the act now requires organisations to have an incident detection and reporting workflow in place, as well as the architecture to notify affected customers and the Privacy Commissioner within 30 days of becoming aware of a breach.

In the period 1 April to 30 June 2018, the Office of the Australian Information Commissioner (OAIC) received 242 notifications under the NDB scheme.

General Data Protection Regulation (GDPR)

Compared to the Privacy Act, the GDPR has a much broader remit. The GDPR relates to the data of EU citizens, and requires organisations to notify customers within 72 hours of a breach. In addition to breach reporting, businesses have to allocate new roles for data protection, provide justification for the customer data they hold and create workflows for deleting a single customer’s data as part of “the right to be forgotten”.

With potential fines of up to €20 million or 4% of annual turnover, the GDPR is requiring Australian businesses to rethink not only their own data security and procedures, but that of their partner organisations and vendors too.

Awareness of this regulation has increased substantially over the last year: a global survey conducted by Citrix found that around 67% of respondents were aware of the GDPR in 2017, and the Telstra Security Report 2018 found that 84% of organisations were actively looking at the regulation in anticipation of its May 2018 date of effect.

Navigating a complex environment

For Australian organisations that also hold EU citizen data, building workflow processes that accommodate a 72-hour turnaround will help you meet both NDB and GDPR requirements at once.

Of course, strict compliance requirements are nothing new for security professionals, especially for those involved in processing payments through the PCI Data Security Standard or navigating national data sovereignty laws.

The principal challenge for organisations is to find ways to approach multiple compliance regimes at once while minimising disruption to the business. While each piece of legislation has its own requirements, understanding your existing data security posture is a prerequisite for approaching almost any compliance regime.

As businesses collect data in more ways than ever before, conducting a proper security audit can be an immense, albeit important, task.

At Telstra, we’ve developed the “Five Knows of Cyber Security” to provide a baseline for understanding your security posture.

The five knows are:

  1. Know the value of your data.
  2. Know who has access to your data.
  3. Know where your data is.
  4. Know who is protecting your data.
  5. Know how well your data is protected.

However, it can be difficult to establish the value of data, and how well it’s protected, when multiple stakeholders from different business units are involved. Marketing, legal, HR and IT often have competing priorities when it comes to data visibility, value and protection, and these can be difficult to reconcile into a single, coherent strategy.

Beyond establishing compliance itself, identifying opportunities to combine overlapping compliance reporting can help keep overheads down.

Understanding the security of your existing data is the first step to approaching compliance. Find out how we can help you understand your position with our Cyber Security Health Check.
