Governance Best Practices

Data whereabouts critical under new privacy laws

Knowing where your data is stored is critical as cloud computing becomes universal and governments here and overseas get tougher on data breaches. The concept of data sovereignty, where data is stored on localised cloud infrastructure rather than being piped offshore, has become popular among Australia-based organisations. A new wave of privacy regulation that tightens compliance requirements is helping push the trend.

While having a localised cloud is clearly not the whole story in a well-constructed cyber resilience plan, it does mean an organisation knows with some precision where its data lives. It also means access to local assistance should something go wrong.

The Facebook data breach

A string of notable data breaches this year has added urgency to the need for organisations that deal with customer data to be across, and compliant with, tougher privacy legislation.

One of the most prominent incidents has been the Facebook breach that came to light in September.

Facebook revealed about 30 million user accounts were affected by a hack and 14 million Facebook users had their names, contact details, gender, relationship status and recent location check-ins exposed.

After the breach, Facebook found itself under investigation in the European Union (EU) under the powerful new EU General Data Protection Regulation (GDPR).

The GDPR became enforceable in May and provides for fines for violators of up to €20 million or up to 4% of the annual global turnover. The law takes whichever of these amounts is greater.

The GDPR applies not only to enterprises dealing with data inside the EU but to any enterprise, regardless of location, that processes the personal data of people inside the EU.

Under the GDPR, the Irish Data Protection Commissioner opened a formal investigation of the Facebook breach. The company could face a potential maximum fine of US$1.6 billion.

While Australian enterprises with data collection operations in the EU need to make sure they are compliant with GDPR, we now also have active, home-grown data protection legislation.

Majority of SMBs still yet to adopt Notifiable Data Breach scheme

This year saw the introduction of the Notifiable Data Breach (NDB) scheme, which is administered by the Office of the Australian Information Commissioner (OAIC).

The NDB legislation puts fresh teeth into the Privacy Act and requires organisations to notify the OAIC and affected individuals of what are called eligible data breaches (EDBs).

An EDB is triggered when personal information held by an organisation is subject to unauthorised access or disclosure. Where information has been lost, an EDB occurs when unauthorised access or disclosure is likely to happen as a result.

The other condition for an EDB is that a reasonable person would conclude the access or disclosure would be likely to result in serious harm to the individuals to whom the information relates.

The NDB went live in February and applies to all Australian government agencies and to organisations with an annual turnover of more than $3 million.

The NDB scheme has already seen a large increase in data breach notifications.

In its Notifiable Data Breaches Quarterly Statistics Report for the period from April 1 to June 30, the OAIC recorded 242 data breach notifications.

This was more than double the 114 voluntary data breach notifications the OAIC received in the entire 2016-17 financial year, before the NDB took effect.

In its report the OAIC found that human error accounted for 36% of the reported breaches, malicious or criminal attacks for 59% and system errors for 5%.

As more and more breaches are exposed, consumers appear to be getting increasingly wary of having their data held by third parties.

A recent IT security survey of SMBs by HP indicated Australian consumers are often choosing to opt out of SMB data collection practices.

According to the HP Australia IT Security Study, 46% of Australian SMBs surveyed said customers are increasingly opting out of data collection and sharing.

Business owners were even more wary, with 67% reporting they were uncomfortable with other businesses storing their personal data.

It appears the arrival of the NDB has not sunk in with many Australian SMBs. Alarmingly, 1 in 5 of the SMBs surveyed had not heard of the NDB scheme.

Diligent makes sure your data is secure

Diligent realised the importance of data sovereignty to business and government in the Australian market some time ago. In April this year Diligent switched on a local data hosting facility at a state-of-the-art campus operated by Canberra Data Centres (CDC).

Security at the CDC facility meets Australian Federal Government standards.

This includes a minimum standard of Zone 4 security. The facility is monitored 24 hours a day, 7 days a week by on-site security guards and CCTV.

Diligent’s CDC facility makes it easier for customers to demonstrate compliance with the Australian Privacy Principles as well as industry-specific data handling guidelines.

The local hosting facility also delivers a performance boost.

Lower latency for organisations with high data volumes means faster access, and increased security, for local clients using Diligent’s suite of governance-focused, cloud-based tools.
