Australian Notifiable Data Breach (AU NDB)
- Law since 22 February 2018.
- Under Part IIIC of the Privacy Act 1988 (Privacy Act).
What should you be considering?
1. Understand where you process personal information
- Do you know what Personal Identification Information (PII) you collect?
- If you don’t know, do you think it is protected?
2. Understand the full life-cycle of personal information
- Where does it come from?
- Who can access it and when?
- Where is it stored and why?
- Where is it sent and on whose infrastructure?
- How long do you need to store it and why?
3. Can you anticipate an incident?
- Have you conducted a risk assessment to identify how you process personal information?
- Do you have layered technical detection mechanisms in place?
- Are mechanisms automated and monitored?
4. Can you prevent an incident?
- Assess the effectiveness of your security controls.
- Do you obtain 3rd party assurance that they are adequate?
- Do you formally test controls periodically?
5. Can you respond to an incident?
- Do you have a documented incident response plan to help with an event such as a breach, Denial of Service or ransomware attack?
- When was the last time it was tested or updated?
6. Assess your ability to maintain services
- Do you have a Business Continuity plan?
- Have you tested your strategies?
- Are all staff and service providers aware of their roles and responsibilities?
7. Inform others
- Do all staff understand the requirements and how your business relies on service providers and vendors?
- Have service providers’ and vendors’ contracts been updated to reflect responsibilities?
8. Know your key contacts
- Identify (before an incident) who you will call to help.
- What specific skills will you need?
- Do staff know who to contact and what incidents need to be reported?
9. Document your communications strategy
- Who is responsible?
- Who do you tell and when?
- What do you tell them and how?
- What is considered to be a reportable incident?
10. Assess your ability to recover
- Do you have secure system and data backups?
- Do critical service providers have secure backups?
- Are backups offline and regular recovery testing performed?
- Have you documented and tested your IT Disaster Recovery capabilities?
AU NDB requirements https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
CyberOps is here to help. We can assist you in identifying your Personal Identifying Information, establishing policies/procedures and testing your systems to comply with the AU NDB and EU GDPR requirements.
European Union General Data Protection Regulation (EU GDPR)
- General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
- Law since 25 May 2018.
- One set of rules for all companies.
- Affects Australian businesses holding Personal Identifying Information of EU residents.
- EU GDPR is more comprehensive than the AU NDB.
Key areas for consideration include:
1. Establish Data Protection and Privacy (DPP) Governance Framework
2. Maintain Processing Register
3. Maintain Binding Corporate Rules (BCRs)
4. Maintain Rules for Consent
5. Maintain Rules for Data Subject Requests
6. Maintain Rules for Managing Complaints
7. Ensure Impartial Oversight
8. Manage Data Life Cycle
9. Conduct Personal Data Identification
10. Maintain Data Classification
11. Maintain Personal Data Register
12. Manage Special Categories Data
13. Manage Erasure (Right to be Forgotten)
14. Conduct Risk Evaluation
15. Conduct Data Protection Impact Assessment (DPIA)
16. Manage Risk Treatment
17. Conduct Risk Validation
18. Manage Anonymisation and Pseudonymisation
19. Manage Encryption
20. Manage Protection Levels
21. Manage Resilience
22. Manage Access
23. Manage Testing and Assessment
24. Manage Controllers and Processors
25. Manage Sub-processing
26. Maintain Processing Agreements
27. Manage Supply Chain Impact
28. Maintain Supply Chain Controls
29. Manage Notification
30. Manage Data Subject Communications
31. Perform Incident and Crisis Management
32. Manage Evidence and Claims
33. Maintain Enterprise-wide Awareness
34. Manage Skills and Education
35. Manage Training
36. Maintain Data Protection Officer (DPO) Function
37. Manage Budget and Resources
38. Manage Organisational Interfaces
39. Manage Reporting
40. Manage External Services
41. Maintain Data Acquisition Controls
42. Maintain Processing Controls
43. Maintain Storage Controls
44. Maintain Deletion Controls
45. Maintain Monitoring Controls
46. Conduct Independent Review
GDPR Requirements https://www.eugdpr.org/