It’s Data Privacy Week, and while you should be vigilant about your data every day – let’s have a quick recap of what you should be doing to protect your own, and your company’s data.
Data privacy has become a major concern for businesses across the globe. Recent breaches have left over 12 million Australians and around 33% of New Zealanders confused as to what to do about their information being stolen. Companies must be aware of the data privacy laws that govern their industry as well as federal guidelines, and take steps to ensure that customer data is secure. Let’s discuss some common data privacy issues that companies in Australia and NZ face, as well as the steps they can take to protect their customers’ data. To access our Data Privacy Week resources, click here.
Data Protection Laws in Australia
Australia has 13 Australian Privacy Principles (APPs) governing the collection and use of personal information by companies. They set out the obligations organisations have regarding how they collect, store, use, disclose and dispose of personal information. These principles apply to all organisations that are regulated by the federal Privacy Act 1988. Under these principles, organisations are required to have appropriate measures in place to protect personal information from misuse or loss.
The Australian Government also introduced mandatory data breach notification laws that took effect from February 2018. These require entities or organisations that have an existing obligation under the Privacy Act to report certain types of security incidents involving customers’ personal information within 72 hours of detection. This law applies to all organisations with an annual turnover of more than $3 million and any entities directly related to them.
Data Protection Laws in New Zealand
The Privacy Act 2020 in New Zealand is a set of rules to protect the personal information of individuals, placing the responsibility on agencies and organisations about how they collect, store and use that information. As part of the act, people have a right to request what information a business has recorded about them, and the right to correction and in some cases, deletion of that data.
Some of the changes in the new Act include the mandatory reporting of breaches if personal information is lost, stolen or accessed without permission. Failure to meet this obligation means the Privacy Commissioner can compel that business (which, under the Act, may reside or operate within or outside of NZ) to comply.
Securing Your Data
Organisations should implement a comprehensive security strategy that covers all aspects of their business activities including physical security, network security and user access control measures. This includes having strong passwords on all devices used to access customer data; encrypting sensitive customer data; regularly scanning networks for vulnerabilities; monitoring user activity on networks; and ensuring users only have access to the systems they need for their job role. It is also important to provide staff with training on how to identify cyber threats such as phishing emails and malicious software so they can protect themselves from being targeted by attackers.
A best practice procedure is to ensure you have up-to-date backups of all customer data so it can be recovered quickly if there is a loss or breach. Backups are also useful for comparing data, since some data breaches simply change the stored data instead of stealing it, which can create problems with accuracy. Ensure backups are not connected to networks that could otherwise be compromised, as some attackers may wait until their malicious code is also backed up before deploying their attack.
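As an added example (not code from the original post), the script below shows the kind of comparison the paragraph describes: it fingerprints each record in an offline backup snapshot and in the live dataset, then reports records that were silently modified, deleted or added, and which fields changed. It assumes both datasets are lists of dict records with a stable `id` field; the sample records are constructed for this example.

```python
"""Record-level integrity comparison between a backup snapshot and live data.

Added example, not part of the original post. Assumes both datasets are
lists of dict records keyed by a stable 'id' field. The goal is to catch
breaches that alter stored data rather than steal it.
"""
import hashlib
import json

# Constructed sample data: an offline backup snapshot taken earlier ...
BACKUP_SNAPSHOT = [
    {"id": 101, "name": "A. Customer", "email": "a@example.com", "balance": 250.00},
    {"id": 102, "name": "B. Customer", "email": "b@example.com", "balance": 80.50},
    {"id": 103, "name": "C. Customer", "email": "c@example.com", "balance": 1200.00},
]

# ... and the live dataset as it is now. In this constructed scenario record
# 102's balance was altered, record 103 was deleted and record 104 is new.
LIVE_DATA = [
    {"id": 101, "name": "A. Customer", "email": "a@example.com", "balance": 250.00},
    {"id": 102, "name": "B. Customer", "email": "b@example.com", "balance": 8050.00},
    {"id": 104, "name": "D. Customer", "email": "d@example.com", "balance": 10.00},
]


def record_fingerprint(record: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys) so field order cannot mask a change."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def index_by_id(records: list, key: str = "id") -> dict:
    """Map each record's id to its fingerprint."""
    return {r[key]: record_fingerprint(r) for r in records}


def compare_snapshots(backup: list, live: list, key: str = "id") -> dict:
    """Return ids of records that differ between backup and live data."""
    backup_idx = index_by_id(backup, key)
    live_idx = index_by_id(live, key)
    common = backup_idx.keys() & live_idx.keys()
    return {
        "modified": sorted(i for i in common if backup_idx[i] != live_idx[i]),
        "deleted": sorted(backup_idx.keys() - live_idx.keys()),
        "added": sorted(live_idx.keys() - backup_idx.keys()),
    }


def changed_fields(backup: list, live: list, record_id, key: str = "id") -> dict:
    """For one modified record, return {field: (backup_value, live_value)}."""
    old = next(r for r in backup if r[key] == record_id)
    new = next(r for r in live if r[key] == record_id)
    fields = sorted(set(old) | set(new))
    return {f: (old.get(f), new.get(f)) for f in fields if old.get(f) != new.get(f)}


if __name__ == "__main__":
    report = compare_snapshots(BACKUP_SNAPSHOT, LIVE_DATA)
    print("Integrity report:", report)
    for rid in report["modified"]:
        print(f"record {rid} changed fields:", changed_fields(BACKUP_SNAPSHOT, LIVE_DATA, rid))
```

Run the comparison from a host that only has read access to the backup copy, so the check itself cannot alter the snapshot it is verifying; a modified record in the report is a signal to investigate before the next backup overwrites the clean copy.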
Finally, regular risk assessments should be conducted by an internal or external cyber security team so that potential risks can be identified and addressed before they become problems.
What You Can Do
On a personal level, there are some things you can do yourself in order to help keep your personal and professional online presence secure:
- Use strong passwords or passphrases, and don't reuse them - the more places a password is used, the weaker it becomes.
- Use Multi-Factor Authentication wherever possible.
- Avoid using public Wi-Fi networks when accessing sensitive information.
- Never share your passwords with anyone else or leave them written down near your machine.
- Install anti-virus software on all devices used for accessing online accounts.
- Report and delete emails from suspect senders without opening them.
- Never click on links or attachments sent via email unless you absolutely know who sent them.
- Only download applications from reputable sources like Google Play or the App Store.
- Log out immediately after using any online service or website, especially on shared networks or devices.
At an organisational level, keeping your company data secure means having a robust network security and monitoring system in place, as well as a business recovery plan should things go wrong. These measures involve cross-department collaboration, so getting the whole organisation on board is vital to ensure successful incident response management.
It’s important to assess your cyber risk profile to understand where your organisation is on the journey of data privacy, so that you can accurately formulate your plan to be better protected and prepared. Knowing what is likely, what the impact is from a customer and business perspective and what you’ll do about it means you can then take proactive steps to prevent it from happening, or reduce the impact if it does.
Educating your employees is the next step – the human factor is the weakest point in any cyber security or data privacy plan.
Protecting your organisation will be more effective if all employees – from the executive level down to casual staff – are aware of the cyber-controls expected of their role, including what to look out for and how to react, what to do should they recognise a breach, and how to report a phishing attempt or issues with the network.
Once you have a plan in place and have educated your staff (and yourself), it’s time to test your system. Regular security testing and auditing of data will make sure your IT and security staff are aware of any vulnerabilities in the system, so they can make it more robust.
In conclusion, data privacy is a significant challenge for companies due to several factors. First, the increasing amount of personal data being collected and stored by companies makes it difficult for them to adequately protect that information from breaches and unauthorised access. Additionally, there are a variety of laws and regulations in place that govern how companies can collect, use, and disclose personal data, and noncompliance can result in costly fines and legal penalties. Furthermore, as consumers become more aware of the ways in which their data is being used, they are increasingly demanding greater transparency and control over their personal information. Overall, companies need to be proactive in addressing data privacy issues in order to maintain customer trust, comply with legal requirements and prevent data breaches.
Contact us now and request a demo of our cyber security awareness training platform and start the year off knowing your organisation has support for your cyber security awareness training needs.
We've created a Data Privacy Week toolkit for you and your organisation. It includes:
- An email template for employees
- Cyber hygiene checklist
- 5 ways to help employees be data privacy aware tip sheet
- 3 conversations you should be having about data tip sheet
Download our Data Privacy Week resources here.