We will continue to impress upon all customers, Business Partners and staff about the importance of data security, but businesses around the world will also soon feel the effect of major changes in legislation covering data security.
For Australian business, the Notifiable Data Breaches scheme introduces compulsory reporting when a data breach has occurred. For EU businesses, the GDPR brings both proactive and disciplinary regulations. You can read more information about each below.
For Australian customers
The Australian Federal Government has sought to keep the public informed of data security issues through the passage of the Notifiable Data Breaches scheme. This change to the Privacy Act 1988 requires Australian businesses that have suffered a breach of data to report the occurrence to those affected and to the Office of the Australian Information Commissioner. Breaches that must be reported are those which,
“would be likely to result in serious harm to an individual whose personal information was part of the data breach.”
This definition leaves ‘serious harm’ open to interpretation on a case-by-case basis - making it even more critical for businesses to take as much precaution as possible to protect data. We cannot foresee which kinds of data breaches will lead to serious harm, so we should treat all data as extremely sensitive. However, you can find some guidance below on how to begin securing data throughout your business.
For EU customers
The General Data Protection Regulation (GDPR) has been a primary issue for EU businesses since it was approved in 2016. The deadline for enforcement - 25 May 2018 - is approaching. Businesses were given ample time and direction on how to address the need to secure data. You may even have received multiple communications from other software vendors whose products you use about changes enforced by the GDPR. This EU-wide regulation requires businesses to follow a unified set of rules for how data concerning EU citizens is collected and stored. The penalties for non-compliance are severe.
What can be done to protect data?
First, you should identify what kinds of data your business collects from customers, suppliers, or any other entities you interact with. Do you collect Tax File Numbers? Addresses and phone numbers? How about a history of customer purchases?
Second, how is this data collected and stored? Is it collected via email and then entered into your database, or directly from a website form? Is your database part of a secure ERP system, or a simple spreadsheet that anyone can access?
Thirdly, who has access to this data?
And finally, how and when is data disposed of?
By mapping how data flows through your business, you can identify where security weaknesses need to be addressed and where potential leaks could occur.
Developing a plan for how data must be collected, managed and stored securely can take time, and may require consultation with people throughout your business. However, it is an absolute necessity as data becomes more valuable - and even more volatile.