GDPR’s Younger Brother: New Australian Privacy Regulations

Post Date: 06/15/2018

Learn how Microsoft’s powerful AI can help prevent sensitive documents from being surfaced in our upcoming webinar on Tuesday, June 26th at 11:00am EST hosted by Dux Raymond Sy. Register for free!

I recently had the pleasure of attending the FST Government New South Wales 2018 event as a round table moderator. We had exciting discussions with many Australian agencies on topics such as Data, Customer Experience, Digital on the Inside, etc., but my personal highlight was discussing Cybersecurity and Data Protection.  

Data protection is an important factor in doing business and providing services to both individuals and the public. One of my favorite points made during a Q&A was that implementing privacy and security policies should be seen as positive actions that can encourage return on investments. 

There’s a lot of noise around GDPR and the penalties companies could face for not being compliant or having a data breach. In Australia, we see that the Australian Government Agencies Privacy Code (commencing July 1st 2018) is also moving towards a best practice approach for better governance across Australian Government Agencies.   


One of the many similarities between GDPR and the Australian Government Agencies Privacy Code is that agencies will need to undertake a written Privacy Impact Assessment (PIA) for all “high risk” projects. It also states that agencies should keep a register of all the PIAs and make the information accessible to the public on their respective websites.  

Do you need help with GDPR compliance? Sign up for our free GDPR resource kit here.

The Australian Government had an interesting history here: in 2015, PIAs were not yet part of the standard approach to most national security measures. These impact assessments are the first step of the “Privacy and Security by Design” concept found in many laws and regulations worldwide.

Being involved in the privacy and security space for many years, I must emphasize that the Office of the Information Commissioner’s website has one of the best interactive guides I’ve seen on how to undertake a PIA. I would highly recommend the eLearning course for anyone interested. 

APIA is a technology solution that mitigates the risk inherent with manual privacy impact assessments, helping organizations understand and automate the process of evaluating, assessing, and reporting on the privacy implications of their enterprise IT systems.

Another recent update that Australian Government Agencies and various organisations will have to follow is the mandatory data breach or Notifiable Data Breach (NDB) scheme. Similar to GDPR, this will require organizations to notify the appropriate authorities within 72 hours if a data breach occurs. Failure to comply with the NDB scheme, or not having a solution to report, alert on or prevent a potential data breach, could cost organisations up to $2.1 million (body corporate) or up to $420,000 (civil penalty).

Since the NDB scheme went into effect on February 22 of this year, the number of reported breaches has been striking compared with the period before the scheme came into effect: the 55 data breaches reported in March stand in sharp contrast to the complete absence of incident reports in January.

This suggests that companies will face significant challenges if they are found unprepared to comply. Implementing privacy and security by design (that is, from the start of every project) could save organisations both time and money.

Enterprise Risk Management (ERM) helps you implement an inventory and risk register for data flows across the organization. It also helps automate privacy and security (by design and by default) and automates risk and data protection impact assessments.

For more information on how to better prepare for Data Breach, I highly recommend the NSW Data Breach Guidance resources. This resource mentions the impact of GDPR to agencies and has helpful best practices in preventing and responding to data breaches.  

Another great resource is the Guide to Data Analytics and the Australian Privacy Principles. Data analytics or sharing data between agencies was one of the most discussed topics during the round table discussion, and these activities can often pose a significant impact on an individual’s privacy if not handled accordingly. 

Be sure to subscribe to our blog for plenty more on privacy and security.


During his tenure as a Senior Compliance Technical Specialist at AvePoint, Esad was responsible for research, technical and analytical support on current as well as upcoming industry trends, technology, standards, best practices, concepts and solutions for information security, risk analysis and compliance.
