Data breaches and the GDPR – the new frontier of privacy regulation in Australia

In Australia, as well as internationally, this year has brought significant developments in the area of privacy regulation that may affect your business. Two areas of privacy compliance in particular that Australian businesses need to understand and respond to are:

• the Notifiable Data Breaches Scheme (NDB Scheme); and
• the European Union’s General Data Protection Regulation (GDPR).

The Notifiable Data Breaches Scheme

The NDB Scheme which commenced in February this year sets out requirements for when and how an entity should respond to an eligible data breach (as reported in detail in our previous update).

The NDB Scheme introduced an obligation to notify the Australian Information Commissioner (Commissioner) and any individual whose personal information was involved in a data breach (for example, where personal information is lost or stolen due to hacking), in circumstances where it is likely that the data breach will result in serious harm to the individual. The Commissioner then has the power to determine whether any further steps are necessary.

Since the NBD Scheme commenced, 305 eligible data breaches have been reported to the Commissioner with malicious or criminal attacks causing the largest number (i.e. cyber theft or hacking), followed by human error.

The Commissioner identified that the risks of these types of data breaches can be reduced by ensuring employees responsible for handling personal information receive regular training.

As well as being mindful of notification obligations should a data breach arise, it is incumbent upon businesses to ensure they have adequate security measures in place to protect the personal information of key stakeholders, such as customers and employees.

Hall & Wilcox can assist you to prepare data breach response plans, review privacy and security governance arrangements and train your employees on your business’ obligations and general security obligations. We can also manage the process and advise on legal exposures should your business suffer a data breach.

The EU’s General Data Protection Regulation

On 25 May 2018, the GDPR commenced operation. In terms of privacy regulation, there is a widely held view that the EU has set the global high water mark, with the GDPR offering individuals in the EU an unprecedented level of privacy protection.

Australian businesses may need to comply with the GDPR if they:

• have an establishment in the EU; or
• do not have an establishment in the EU, but offer goods and services to individuals in the EU or monitor the behaviour of individuals in the EU.

With European regulators having the power to impose huge fines on businesses found to be in contravention of the GDPR (up to 4% of annual worldwide turnover), this is an area of privacy regulation you need to be aware of. We can assist you to navigate the new frontier of privacy regulation where international privacy laws can significantly affect Australian businesses.