
It’s been just under a year since EU-GDPR came into effect and we’ve already seen the influence it’s had on countries trying to improve their local/national privacy acts. For instance, in one of our previous blog posts we discussed how Australia introduced a mandate that organizations have an “obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.”

[Figure: The number of breaches reported under the Australian Notifiable Data Breaches scheme by quarter, all sectors.]

The New Zealand privacy bill is also planning to introduce a mandatory data breach notification scheme and, if adopted, local organizations will need to be ready and able to follow the new requirements. Failure to comply with such requirements could end up costing an organization a fine of up to $10,000, and individuals whose data has been part of a breach may also reach out to the Human Rights Tribunal for damages on the basis of interference with privacy.

What is considered a data breach?

Under the Bill, a “privacy breach” means any unauthorized access to or disclosure, alteration, loss, or destruction of personal information, in addition to any actions that prevent the agency from accessing the information on either a temporary or permanent basis.

How do you prepare for the new privacy regulation requirements?

To be able to meet these requirements, now would be a good time to review and update your company policies, procedures, and best practices. Here are several key questions you need to be able to answer:

  • Does your organization collect or work with personal information? If yes, can you identify what personal information is?
  • Does your company have appropriate security controls in place?
  • Do your employees know how to identify a data breach?
  • Does your company have a data breach policy and procedure?
  • Does your company keep a detailed record of where information is stored, who has access to it, how long it’s kept for and how it’s destroyed?
  • Does your company evaluate third-party vendors or data processors in respect to their privacy obligations?

Enterprise Risk Management (ERM) helps you implement an inventory and risk register for data flows across the organization. It also helps automate privacy and security (by design and by default) and automates risk and data protection impact assessments.

Reading and understanding laws, regulations and standards is a must. Here are some vital tips we’ve picked up from working with clients throughout their GDPR journeys over the past 15 months:

Review

Review your existing policies, procedures, and guidelines to ensure that they’re aligned with the new Privacy Act regulation.

Implement

Implementing privacy and security by design can save you a lot of time. However, this requires a certain skill set and toolset.

Track Your Assets

Make sure you know your assets. Keep tabs on the data you collect, store, use, and especially who you share it with. Asset Inventory, Data Mapping, and Data Flow have been top priorities for our customers who’ve been obliged to follow EU-GDPR’s requirements, and it’s a nice way to identify potential risk for data transfer before it happens.

Assess

Privacy, security, and risk impact assessments are part of privacy and security by design. Even if the asset or your new project doesn’t involve personal information, it’s still good practice to do an impact assessment and show due care/due diligence.

Be Agile

Finally, have an easy-to-use (and fast) process for responding to Data Subject Access Requests (DSARs), also known as Freedom of Information Act Requests. With all these new privacy regulations, individuals have more rights/freedoms regarding how their information is used by organizations.

That said, this may also add cost to the organization when an individual exercises that right and submits a DSAR. In the case of James Titcombe’s Freedom of Information request to the Nursing and Midwifery Council, the cost was estimated to be about £239,871.85 (close to $315,000 USD).

Next Steps

There’s a lot that goes into keeping your data as secure as possible, especially when it comes to larger organizations. AvePoint’s Compliance Guardian gives you powerful risk identification and evaluation tools to help you stay on top of any potential threats. Learn how to get a handle on enterprise risk management here.
