What did you do to celebrate Privacy Awareness Week last week? It has never been more challenging to balance privacy, data security and appropriate access to information within any business. Why is it so tough?
The theme for last week’s privacy awareness week was Privacy 101: Back to Basics. At the risk of sounding like a broken record, protecting people’s personal information, whether it is your staff, customers, or vendors, is crucial.
And now is the perfect time to brush up on the fundamentals and do a quick business audit to ensure you meet your obligations. This brings us to step 1.
1. Do you know what your legal obligations are?
The Privacy Act was introduced in 1988 to protect people’s personal information and to regulate how businesses and government agencies collect, store, use and disclose it. Just like we have evolved from using fax machines and phones that plug into the wall, the Privacy Act has evolved to suit today’s modern digital age.
Organisations have a responsibility to:
If they fail in these responsibilities and commit a serious or repeated interference with privacy, the penalty can now be up to $50 million, or more where three times the benefit obtained or 30% of adjusted turnover for the period is higher.
2. Ensure there is a privacy plan in place
The second fundamental step in Privacy 101 is ensuring your company has a privacy management plan. Having this plan ensures that you meet the above requirements and embed a data privacy culture within your organisation.
If you don’t already have a privacy plan, the Office of the Australian Information Commissioner (OAIC) publishes a privacy management plan template to help you build one.
3. Appoint privacy champions within the team
You can’t just set and forget your responsibilities – you need to manage them on a day-to-day basis through strong privacy governance. The OAIC recommends having a senior staff member with overall accountability, staff who deal with access and enquiries daily, and regular reporting mechanisms.
4. Know the primary risks for your business
Cybersecurity is all about balance. Because any organisation has finite resources available to protect its systems and data, it is crucial to consider not only what risks exist but the likelihood and the impact or consequence of a data breach. Plotting each risk’s likelihood against its impact in a simple risk matrix helps you prioritise your investment in data protection.
5. Secure personal information
Some people hear about data privacy and protection and think, “Ah well, I have a firewall and anti-virus protection – I’m all good.” But guess what? That is not enough!
Data protection includes:
6. Train your staff
Now you have your privacy plan in place, you have appointed your privacy champions, and you have your password manager rolled out. Unfortunately, these measures are only as effective as the staff implementing them. Did you know that phishers routinely target new employees? New employees who aren’t familiar with your systems and processes, and who are eager to please, can often be manipulated into sharing payment information, purchasing electronic gift cards, or clicking on a phony link.
The business is responsible for ensuring that team members are fully trained to recognise the signs of a spoofed or lookalike sender address, a phishing attack, and other cybersecurity red flags.
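The red flags staff are taught to spot can also be checked mechanically from the message headers. The following is an added example, not code from the original article or from the OAIC: it runs over a constructed gift-card scam message (the names, domains and relay host are invented) and reports the sender-spoofing signs a trained employee would look for: a real address hidden in the display name, a lookalike domain, a mismatched Reply-To or Return-Path, and failed SPF/DKIM results recorded by the receiving mail server.

```python
"""Added example: flag the sender-spoofing red flags staff are trained to spot.

Runs over a constructed raw message (not a real email); the sender names,
domains and relay host are invented for illustration.
"""
import email
import re

# Constructed sample: a gift-card scam aimed at a new hire. The attacker puts
# the real CEO's address in the display name and sends from a lookalike domain
# (examp1e.com, digit one for letter l) through a relay that fails SPF.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Jane Smith (CEO) <jane.smith@example.com>" <ceo.office@examp1e.com>
Reply-To: ceo.office@examp1e.com
To: new.hire@example.com
Subject: Quick favour - are you at your desk?

Hi, I am stuck in a meeting. Please buy five $100 gift cards and send me the codes.
"""

# Constructed legitimate message from the same organisation, for comparison.
CLEAN_EMAIL = """\
Return-Path: <jane.smith@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Jane Smith <jane.smith@example.com>
To: new.hire@example.com
Subject: Welcome aboard

Looking forward to meeting you on Monday.
"""

# Digits that scammers commonly substitute for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

_ADDR_RE = re.compile(r'^\s*(?:"(?P<qname>[^"]*)"|(?P<name>[^<]*?))\s*<(?P<addr>[^>]+)>\s*$')
_EMBEDDED_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def split_address(header: str) -> tuple:
    """Return (display name, address) from a From/Reply-To style header value."""
    m = _ADDR_RE.match(header)
    if m:
        name = (m.group("qname") or m.group("name") or "").strip()
        return name, m.group("addr").strip().lower()
    return "", header.strip().lower()


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(candidate: str, legitimate: str) -> bool:
    """True when the domain differs from ours but matches after homoglyph folding."""
    return candidate != legitimate and candidate.translate(HOMOGLYPHS) == legitimate.translate(HOMOGLYPHS)


def spoofing_red_flags(raw_message: str, our_domain: str) -> list:
    """Return human-readable red flags found in the headers of a raw email."""
    msg = email.message_from_string(raw_message)
    flags = []

    from_name, from_addr = split_address(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. An email address hidden in the display name that is not the real sender.
    for embedded in _EMBEDDED_RE.findall(from_name):
        if embedded.lower() != from_addr:
            flags.append(f"display name shows {embedded} but the real sender is {from_addr}")

    # 2. Sender domain imitates ours with swapped characters.
    if is_lookalike(from_domain, our_domain.lower()):
        flags.append(f"lookalike domain {from_domain} imitates {our_domain}")

    # 3. Replies would go to a different domain than the visible sender.
    _, reply_addr = split_address(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")

    # 4. The envelope sender (Return-Path) comes from yet another domain.
    _, envelope_addr = split_address(msg.get("Return-Path", ""))
    if envelope_addr and domain_of(envelope_addr) != from_domain:
        flags.append(f"Return-Path {envelope_addr} does not match From domain {from_domain}")

    # 5. The receiving mail server's SPF/DKIM checks did not pass.
    auth_results = msg.get("Authentication-Results", "")
    for mechanism in ("spf", "dkim"):
        found = re.search(rf"\b{mechanism}=(\w+)", auth_results)
        if found and found.group(1).lower() != "pass":
            flags.append(f"{mechanism} result is {found.group(1)}, not pass")

    return flags


if __name__ == "__main__":
    for flag in spoofing_red_flags(SAMPLE_EMAIL, "example.com"):
        print("RED FLAG:", flag)
    print("clean message flags:", spoofing_red_flags(CLEAN_EMAIL, "example.com"))
```

The scam sample trips five flags while the clean one trips none. The Authentication-Results check relies on your own mail server stamping that header on inbound mail; if it does not, the SPF and DKIM checks silently report nothing, so treat their absence as a reason to look closer rather than as a pass.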
7. Prepare for a breach
Even with all of these measures in place, there is still a chance that your company’s systems will be breached, so you need to be forearmed with a data breach response plan. Remember that under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act must notify the OAIC and affected individuals of an eligible data breach, so the plan should name who assesses a suspected breach and who makes that call. We have put together a handy form that can help you build your own plan in just a few easy steps: Build a Data Response Plan
8. Review regularly
Our final piece of advice is to review your plan regularly. Malicious threat actors work full-time to develop new ways to infiltrate companies and steal their data, so your privacy policies can’t just gather dust on a shelf. Instead, they need to be well-thumbed documents which are continually updated and reviewed as the business landscape changes.
For more tips and some fun data privacy quizzes, check out the 2023 Privacy Awareness Week website: https://education.oaic.gov.au/paw2023/for-business/#course-tips