Changes to the Data Protection Act: What it means for your business

17 March 2023

The Data Protection Act is undergoing several changes. With an increasing number of data breaches, concerns are growing from the Australian public about the safety of their personal information.

The government’s proposed changes to the Privacy Act are aimed at strengthening the protection of personal information and increasing the transparency and accountability of businesses and government agencies that handle personal data. Some of the key changes being considered include:

  • Increased penalties: The government proposed to increase the maximum penalties for privacy breaches, with fines of up to $2.5 million for an individual, or for an organisation, $50 million or 30% of adjusted turnover during the breach period, whichever is greater.

  • New notification requirements: Businesses and government agencies would be required to notify individuals if their personal information has been accessed or disclosed without authorisation, and to report serious data breaches to the Privacy Commissioner.

  • Right to delete personal information: Individuals would be given the right to request that their personal information be deleted by businesses or government agencies, subject to certain exceptions.

  • Increased powers for the Privacy Commissioner: The Privacy Commissioner would be given new powers to issue fines and enforce compliance with the Privacy Act, as well as conduct investigations and audits of businesses and government agencies.

The 2022 McGrathNicol ransomware survey found that 69% of Australian businesses have experienced a ransomware attack in the past five years. Our Incident Response teams regularly see the damage caused by data breaches, where companies have fallen victim to an attack. Changes to the Privacy Act will mean businesses need to consider information security more seriously and ensure they comply to minimise the risk of being subject to penalties.

Key business concerns

With an increasing amount of personal and sensitive information being collected by businesses, data privacy and security have become a major concern. Companies are required to comply with the Australian Privacy Act and the Notifiable Data Breaches (NDB) scheme, meaning they must implement measures to protect data and notify individuals and the authorities in the event of a data breach.

Companies need to ensure that they have effective data governance practices in place, including data quality management, data lineage and data ownership. This helps to ensure that data is accurate, reliable, and can be trusted for decision-making purposes. However, this can be complex and difficult to routinely manage and can be resource intensive for small businesses.

There are a range of regulations and standards that businesses can utilise when it comes to data, including the Privacy Act, the Australian Cyber Security Centre’s Essential Eight, and the General Data Protection Regulation (GDPR) for companies with customers that are in Europe. Failure to comply with GDPR regulations can result in severe fines and reputational damage.

As more businesses rely on data analytics to drive decision-making, there is a growing need for skilled data analysts and data scientists who can extract insights from large datasets. Companies need to invest in the necessary tools and technologies to enable effective data analytics.

In some industries, such as healthcare and finance, data sharing is necessary to provide better services and outcomes for customers. However, there are concerns around data privacy and security when sharing sensitive information. Companies need to ensure that they have appropriate agreements and protocols in place to govern data sharing.

What can businesses do?

Businesses need to start reviewing the data they have, identify what needs to be retained and what controls need to be in place to protect it. They must focus on identifying:

  • the data types in use and the purpose

  • where it is located

  • how data is collected, processed, stored

  • the volume of data

  • who can access it and how it is shared, internally and externally

  • the privacy risks associated with the data processing activity

  • measures to mitigate risks.

Following identification, businesses should gain consent from data subjects, data processors, data controllers and other relevant parties to determine further privacy risks and apply security controls to protect data.