An effective approach to security's year of compliance

2018 has seen a greater focus on compliance than ever before, with new laws now in effect that businesses need to align their security frameworks with.

Navigating the year of new security compliance

Around the world, legislative bodies are examining the relationship between cyber security and privacy more closely, as high-profile data breaches drive greater public awareness of how personal data is being stored and protected.

Coincidentally, two major pieces of legislation have come into effect within the last six months: the Commonwealth Government’s amendments to the Privacy Act 1988, and the European Union’s expansive General Data Protection Regulation (GDPR).

Let’s take a closer look at what these laws mean for Australian businesses.

Notifiable Data Breaches (NDB) Scheme

In Australia, the Federal Government created new data breach notification laws which, from late February 2018, require businesses with more than $3 million annual turnover to disclose data breaches involving personal data that might result in “serious harm” to an individual.

In the Telstra Security Report 2018, 87 per cent of Australian businesses reported that they were already “actively adhering” to the Privacy Act 1988 last year. The Notifiable Data Breaches amendment to the act now requires organisations to have an incident detection and reporting workflow in place, as well as the architecture to notify affected customers and the Privacy Commissioner within 30 days of becoming aware of a breach.

In the period 1 April to 30 June 2018, the Office of the Australian Information Commissioner (OAIC) received 242 notifications under the NDB scheme.

General Data Protection Regulation (GDPR)

Compared to the Privacy Act, the GDPR has a much broader remit. The GDPR relates to the data of EU citizens, and requires organisations to notify customers within 72 hours of a breach. In addition to breach reporting, businesses have to allocate new roles for data protection, provide justification for the customer data they hold and create workflows for deleting a single customer’s data as part of “the right to be forgotten”.

With potential fines of up to €20 million or 4% of annual turnover, the GDPR requires Australian businesses to rethink not only their own data security and procedures, but those of their partner organisations and vendors too.

Awareness of this regulation has increased substantially over the last year: a global survey conducted by Citrix found that around 67% of respondents were aware of the GDPR in 2017, and the Telstra Security Report 2018 found that 84% of organisations were actively looking at the regulation in anticipation of its May 2018 date of effect.

Navigating a complex environment

For Australian organisations that also hold EU citizen data, building workflow processes that accommodate a 72-hour turnaround will help meet both NDB and GDPR requirements at once.

Of course, strict compliance requirements are nothing new for security professionals, especially for those involved in processing payments through the PCI Data Security Standard or navigating national data sovereignty laws.

The principal challenge for organisations is to find ways to effectively approach multiple compliance regimes at once and minimise their disruption to the business. While each piece of legislation has its own unique requirements, understanding your existing data security posture is a prerequisite to approaching most compliance regimes.

As businesses collect data in more ways than ever before, conducting a proper security audit can be an immense, albeit important task.

At Telstra, we’ve developed the “Five Knows of Cyber Security” to provide a baseline for understanding your security posture.

The five knows are:

  1. Know the value of your data.
  2. Know who has access to your data.
  3. Know where your data is.
  4. Know who is protecting your data.
  5. Know how well your data is protected.

However, it can be difficult to establish the value of data and how well it’s protected when multiple stakeholders from different business units are involved. Marketing, legal, HR and IT often have competing priorities when it comes to data visibility, value and protection, and these can be difficult to reconcile into a holistic strategy.

In addition to establishing compliance, identifying opportunities to combine overlapping compliance reporting can help keep overheads down.

Understanding the security of your existing data is the first step to approaching compliance. Find out how we can help you understand your position with our Cyber Security Health Check.
