By David Braue
June 13, 2017
With so much emphasis on impending obligations under the federal government's Notifiable Data Breaches (NDB) regime, many Australian companies are yet to appreciate their obligations under new European privacy guidelines that will go into effect just 3 months after the NDB.
The new European Union GDPR (General Data Protection Regulation) is an extensive rewrite of the EU's privacy laws that emphasises protection of personally identifiable information (PII) and rights including the right for consumers to access data about them; the 'right to be forgotten'; breach notification requirements; data portability requirements; design of systems using 'privacy by design' principles; and the formal appointment of Data Protection Officers (DPOs) to manage data practices within companies whose operations "require regular and systemic monitoring of data subjects on a large scale".
Any CIO or CSO who hasn't carefully read through the changes may be in for an unpleasant shock when they do - and even more so, Symantec's APJ director of government affairs Brian Fletcher told CSO Australia, because the GDPR is binding on many Australian companies and, unlike the NDB, does not feature exemptions for small businesses.
This means if small Australian businesses (with revenues under the NDB's $3 million per annum threshold) are serving customers in Europe - something that has become commonplace for anybody doing business online - they need to develop formal policies for breach notification within 72 hours of the breach even though such policies are not required under the new Australian legislation.
"There is very little recognition that the GDPR is going to be extraterritorial," Fletcher explained. "It defines a particular structure around privacy, and you have to bring your products to market in a privacy-default way. And anyone who collects anything that is private data needs to comply."
The need to appoint a formal DPO is, Fletcher warned, designed to escalate the privacy discussion to the board level and keep it there - something that has been challenging for many cybersecurity leaders whose employers aren't necessarily as engaged with their cybersecurity practices as they should be.
"Australian companies need to be careful of the fact that these restrictions impact along the entire length of their data supply chain," he said. "Anything that could identify a person needs to be treated as privacy data under the GDPR. You need to prove that you're doing the right thing all the time."
Many companies are demonstrably not doing the right thing all the time. Threat-management firm RiskIQ, for one, recently audited 99,467 Web sites belonging to FTSE 30 companies and found that 34 percent of the 13,194 pages collecting PII aren't even bothering to secure it. This includes 3.5 percent that are using old, crackable encryption algorithms; 1.5 percent with expired digital certificates; and 29 percent that are not using any encryption at all.