12/06/2018

AU Notifiable Data Breach and EU General Data Protection Regulation

Australian Notifiable Data Breach (AU NDB)

  • Law since 22 February 2018.
  • Under Part IIIC of the Privacy Act 1988 (Privacy Act).

What should you be considering?

1. Understand where you process personal information

  • Do you know what Personal Identification Information (PII) you collect?
  • If you don’t know, do you think it is protected?

2. Understand the full life-cycle of personal information

  • Where does it come from?
  • Who can access it and when?
  • Where is it stored and why?
  • Where is it sent and on whose infrastructure?
  • How long do you need to store it and why?

3. Can you Anticipate an incident?

  • Have you conducted a risk assessment to identify how you process personal information?
  • Do you have layered technical detection mechanisms in place?
  • Are mechanisms automated and monitored?

4. Can you Prevent an incident?

  • Assess the effectiveness of your security controls.
  • Do you obtain third-party assurance that they are adequate?
  • Do you formally test controls periodically?

5. Can you Respond to an incident?

  • Do you have a documented incident response plan to help with an event such as a breach, Denial of Service or ransomware attack?
  • When was the last time it was tested or updated?

6. Assess your ability to maintain services

  • Do you have a Business Continuity plan?
  • Have you tested your strategies?
  • Are all staff and service providers aware of their roles and responsibilities?

7. Inform others

  • Do all staff understand the requirements and how your business relies on service providers and vendors?
  • Have service provider and vendor contracts been updated to reflect responsibilities?

8. Know your key contacts

  • Identify (before an incident) who you will call to help.
  • What specific skills will you need?
  • Do staff know who to contact and what incidents need to be reported?

9. Document your communications strategy

  • Who is responsible?
  • Who do you tell and when?
  • What do you tell them and how?
  • What is considered to be a reportable incident?

10. Assess your ability to Recover

  • Do you have secure system and data backups?
  • Do critical service providers have secure backups?
  • Are backups offline and regular recovery testing performed?
  • Have you documented and tested your IT Disaster Recovery capabilities?

AU NDB requirements https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

CyberOps is here to help. We can assist you in identifying your Personal Identifying Information, establishing policies/procedures and testing your systems to comply with the AU NDB and EU GDPR requirements.


European Union General Data Protection Regulation (EU GDPR)

  • General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
  • Law since 25 May 2018.
  • One set of rules for all companies.
  • Affects Australian businesses holding Personal Identifying Information of EU residents.
  • EU GDPR is more comprehensive than the AU NDB.

Key areas for consideration include:

1. Establish Data Protection and Privacy (DPP) Governance Framework
2. Maintain Processing Register
3. Maintain Binding Corporate Rules (BCRs)
4. Maintain Rules for Consent
5. Maintain Rules for Data Subject Requests
6. Maintain Rules for Managing Complaints
7. Ensure Impartial Oversight
8. Manage Data Life Cycle
9. Conduct Personal Data Identification
10. Maintain Data Classification
11. Maintain Personal Data Register
12. Manage Special Categories Data
13. Manage Erasure (Right to be Forgotten)
14. Conduct Risk Evaluation
15. Conduct Data Protection Impact Assessment (DPIA)
16. Manage Risk Treatment
17. Conduct Risk Validation
18. Manage Anonymisation and Pseudonymisation
19. Manage Encryption
20. Manage Protection Levels
21. Manage Resilience
22. Manage Access
23. Manage Testing and Assessment
24. Manage Controllers and Processors
25. Manage Sub-processing
26. Maintain Processing Agreements
27. Manage Supply Chain Impact
28. Maintain Supply Chain Controls
29. Manage Notification
30. Manage Data Subject Communications
31. Perform Incident and Crisis Management
32. Manage Evidence and Claims
33. Maintain Enterprise-wide Awareness
34. Manage Skills and Education
35. Manage Training
36. Maintain Data Protection Officer (DPO) Function
37. Manage Budget and Resources
38. Manage Organisational Interfaces
39. Manage Reporting
40. Manage External Services
41. Maintain Data Acquisition Controls
42. Maintain Processing Controls
43. Maintain Storage Controls
44. Maintain Deletion Controls
45. Maintain Monitoring Controls
46. Conduct Independent Review


GDPR Requirements
https://www.eugdpr.org/