The NDB Scheme is here, so what next?

The Notifiable Data Breaches (NDB) Scheme comes into force on 22 February. Organisations that have obligations under the Privacy Act 1988 (Privacy Act) must notify individuals if they are likely to be at risk of serious harm because their personal information has been involved in a data breach.

By now organisations should have documented and tested their frameworks for managing and reporting a data breach; having a data breach response plan is a very good idea (some would say mandatory). Organisations should also be clear on how they assess potential breaches for impact and risk, so that they can report a breach from an informed position. Not having all of the answers will make maintaining customer trust and minimising the impact difficult.

So now that we have done all of the hard work, what happens next? From here, it is about maintaining the momentum and being prepared for the moment when it arrives.

Over the past few years organisations have been focused on reducing the risk of a data breach occurring and, of course, that is entirely appropriate. Prevention is one part of the cure. However, it is important that management recognise that while robust controls may have been implemented to minimise the risk of a data breach occurring, there is always a chance that your data will be compromised. It is essential that an approach of “not if but when” is adopted.

The number of data breaches occurring is increasing globally, through external cyber-attacks but just as commonly as a result of human error or internal misconduct. Those organisations that weather a data breach relatively unscathed, that is with minimal reputational damage and financial loss, are those that have acted quickly in an ordered and controlled manner to understand the extent of the data breach and the impact on their customers. They have then implemented measures to contain the breach, remediated as required and executed appropriate communications to the parties impacted. This includes engaging early with the regulator. A poor and slow response to a data breach may not only create a compliance risk with respect to the Privacy Act, but also open the door to longer term damage to an organisation’s brand and consequential financial loss.

For those organisations that have not yet developed and tested a data breach response plan, it is not too late. For those that have invested and prepared, it is now about being attuned enough to recognise when to put that plan into action, and then being prepared to learn from the process so that you can continue to refine it and educate your people.