Data breach notification will become mandatory as of February 2018 for all entities required to comply with the Privacy Act 1988. Then in May, the European Union’s General Data Protection Regulation (GDPR) also comes into force. Together these new requirements demand fundamental changes to how Australian organisations handle personal information, and set the stage for some of the largest changes to privacy regulation in the last decade.
In this publication, we break down these two major changes to show what they mean for Australian organisations, and show you how KPMG can help you to prepare for their commencement.
When the Australian Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB scheme) on 13 February 2017, it started a process that means from 22 February 2018 all entities covered by the Australian Privacy Principles (APPs) will have clear obligations to report eligible data breaches.
Entities will be required to take all reasonable steps to ensure an assessment is completed within 30 days. If an eligible data breach is confirmed, as soon as practicable they must provide a statement to each of the individuals whose data was breached or who are at risk, including details of the breach and recommendations of the steps individuals should take. A copy of the statement must also be provided to the Office of the Australian Information Commissioner (OAIC).
While the NDB scheme implements changes to an existing law, the GDPR introduces a whole new regulation with global implications. When it comes into force on 25 May 2018, it will, for the first time, mean that there is one uniform data protection law in place across the EU.
The GDPR applies to processors of personal data and to controllers of that processing (for example, the outsourcing party in an outsourced relationship) for organisations established inside the EU, whether or not the processing itself occurs within the EU. Perhaps most importantly for Australian organisations though, the GDPR also applies to processors and controllers outside the EU where it:
While there are many similarities between the GDPR and the Privacy Act 1988 (for example, they share the goals of privacy by design and transparency), there are some key differences that Australian organisations must be aware of, such as the requirement to appoint a data protection officer, an individual’s right to be forgotten, and the right to data portability.
There are also strict requirements regarding the transfer of personal data outside the EU.
KPMG’s Global Privacy Management Framework is a formalised, modular framework that defines the foundation for privacy risk management across an organisation. The Framework ensures a shared understanding of privacy through clear and consistent language, and our team of over 200 privacy professionals from around the world uses this Framework every day to help our clients in Australia and globally assess, design, implement and monitor their privacy programs, controls and risks.
With so much change coming in 2018, now is the time for all organisations to take stock of their current privacy programs and data breach processes to ensure that they are set up to meet these new requirements. Speak to our team about helping you prepare and be ready when the new obligations commence.