Australian Notifiable Data Breach (AU NDB)

Law since 22 February 2018.
Under Part IIIC of the Privacy Act 1988 (Privacy Act).

What should you be considering?

1. Understand where you process personal information

Do you know what Personal Identification Information (PII) you collect?
If you don’t’ know, do you think it is protected?

2. Understand the full life-cycle of personal information

Where does it come from?
Who can access it and when?
Where is it stored and why?
Where is it sent and on who’s infrastructure?
How long do you need to store it and why?

3. Can you Anticipate an incident

Have you conducted a risk assessment to identify how you process personal information?
Do you have layered technical detection mechanisms in place?
Are mechanisms automated and monitored?

4. Can you Prevent an incident

Assess the effectiveness of your security controls.
Do you obtain 3rd party assurance that they are adequate?
Do you formally test controls periodically?

5. Can you Respond to an incident

Do you have a documented incident response plan to help with an event such as a breach, Denial of Service or ransomware attack?
When was the last time it was tested or updated?

6. Assess your ability to maintain services

Do you have a Business Continuity plan?
Have you tested your strategies?
Are all staff and service providers aware of their roles and responsibilities?

7. Inform others

Do all staff understand the requirements and how your business relies on service providers and vendor?
Have service providers and vendors contracts been updated to reflect responsibilities?

8. Know your key contacts

Identify (before an incident) who you will call to help.
What specific skills will you need?
Do staff know who to contact and what incidents need to be reported?

9. Document your communications strategy

Who is responsible?
Who do you tell and when?
What do you tell them and how?
What is considered to be a reportable incident?

10. Assess your ability to Recover

Do you have secure system and data backups?
Do critical service providers have secure backups?
Are backups offline and regular recovery testing performed?
Have you documented and tested your IT Disaster Recovery capabilities?

AU NDB requirements https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

CyberOps is here to help. We can assist you in identifying your Personal Identifying Information, establishing policies/procedures and test your systems to comply with the AU DBN and EU GDPR requirements.

European Union General Data Protection Regulation (EU GDPR)

General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
Law since 25 May 2018.
One set of rules for all companies.
Affects Australian businesses holding Personal Identifying Information of EU residents.
EU GDPR is more comprehensive than the AU NDB.

Key areas for considerations areas include:

1. Establish Data Protection and Privacy (DPP) Governance Framework	24. Manage Controllers and Processors
2. Maintain Processing Register	25. Manage Sub-processing
3. Maintain Binding Corporate Rules (BCRs)	26. Maintain Processing Agreements
4. Maintain Rules for Consent	27. Manage Supply Chain Impact
5. Maintain Rules for Data Subject Requests	28. Maintain Supply Chain Controls
6. Maintain Rules for Managing Complaints	29. Manage Notification
7. Ensure Impartial Oversight	30. Manage Data Subject Communications
8. Manage Data Life Cycle	31. Perform Incident and Crisis Management
9. Conduct Personal Data Identification	32. Manage Evidence and Claims
10. Maintain Data Classification	33. Maintain Enterprise wide Awareness
11. Maintain Personal Data Register	34. Manage Skills and Education
12. Manage Special Categories Data	35. Manage Training
13. Manage Erasure (Right to be Forgotten)	36. Maintain Data Protection Officer (DPO) Function
14. Conduct Risk Evaluation	37. Manage Budget and Resources
15. Conduct Data Protection Impact Assessment (DPIA)	38. Manage Organisational Interfaces
16. Manage Risk Treatment	39. Manage Reporting
17. Conduct Risk Validation	40. Manage External Services
18. Manage Anonymisation and Pseudonymisation	41. Maintain Data Acquisition Controls
19. Manage Encryption	42. Maintain Processing Controls
20. Manage Protection Levels	43. Maintain Storage Controls.
21. Manage Resilience	44. Maintain Deletion Controls
22. Manage Access	45. Maintain Monitoring Controls
23. Manage Testing and Assessment	46. Conduct Independent Review

GDPR Requirements https://www.eugdpr.org/