Australia’s Notifiable Data Breaches (NDB) legislation came into effect just last month, on 22 February. However, despite the significant amount of discussion about the new laws, most Australian businesses are not aware of the new legislation.
With the European Union’s (EU) General Data Protection Regulation (GDPR) just around the corner, it’s no wonder the conversation around user data protection and notification has become complex. These pieces of legislation carry hefty fines if businesses fail to comply, so it’s worth understanding what they entail, how they’re different, and how they apply to your business in Australia.
Notifiable Data Breaches
The NDB has been brought into effect by the Australian Government, following a series of high-profile data breaches, to heighten the level of disclosure and cyber reporting that businesses must provide around the hacking and breach of personal data.
Businesses with a turnover of A$3 million or more are now legally obligated to report breaches that are likely to cause “serious harm” to both the Office of the Australian Information Commissioner and any of the individuals concerned. Failing to do so could result in fines of up to A$1.8 million.
While such a fine would be limited to serious or repeated offences, businesses that neglect to take the legislation seriously now could find themselves in a pickle further down the line.
The laws mean that, in practice, an organisation that reasonably suspects data has been breached should report it within 30 days of the breach occurring if it is likely to result in serious harm to the individuals affected.
“Serious harm” refers to serious physical, psychological, emotional, financial, or reputational harm. It can cover identity theft, significant financial loss by the individual, threats to an individual’s physical safety, loss of business or employment opportunities, humiliation or damage to reputation or relationships, and social bullying and marginalisation.
General Data Protection Regulation
While the GDPR is guided by similar objectives, the requirements placed on businesses are arguably more stringent. For example, harmful breaches must be reported to the data protection authority as well as affected individuals within 72 hours, as opposed to the NDB’s 30-day deadline.
Further, fines for failure to notify can be up to 2% of global turnover or €10 million, with fines for the breach itself up to 4% of global turnover or €20 million. However, unlike the NDB, which applies to most businesses in Australia, the GDPR is relevant to any business that stores the data of EU citizens.
Since the premise of the legislation is to protect the data of EU citizens (regardless of where they are based), liability applies not only to Australian-based businesses that sell to or operate in the EU, but also to those that merely store this data.
Instances where notification of a breach is necessary include where individuals could suffer a loss of control over their personal data (such as through a ransomware attack), limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy.
It can also include any other significant economic or social disadvantage to those individuals. As you’ve probably deduced, this is somewhat stricter than the NDB. For example, under the GDPR, a marketing email sent to recipients with email addresses in the ‘To’ field rather than ‘BCC’ field would need to be reported to the supervisory authority if a large number of email addresses had been disclosed.
What’s the difference?
Both pieces of legislation have provisions for notification to the data protection authority and affected individuals. They also both include guidelines that stipulate where effective encryption of consumer data can remove the need to notify the authorities (because the data remains protected).
However, there are some key differences that businesses need to be aware of.
For the most part, the NDB is not nearly as far-reaching as the GDPR. Businesses with revenue of less than A$3 million will not usually be caught by the requirements.
The GDPR, on the other hand, has a very broad scope and will even apply to Australian firms directly if they store the data of EU citizens, or offer goods or services to EU customers.
Likewise, the requirements to notify are less likely to kick in under the NDB than under the GDPR. For instance, the NDB’s requirements apply “only if likely to cause serious harm”, as opposed to the GDPR’s need to notify “unless unlikely to harm”. The GDPR also defines a breach more widely and carries potentially higher fines.
Understanding which of these pieces of legislation (if any) apply to your business is important – not only for your business’s reputation and compliance, but for your customers’ safety and privacy. With the prevalence and frequency of hacking and data breaches on the rise, hiding under a rock to avoid these requirements is not an option.
Take the time to refresh your data management and security practices so that next time you get breached, you’ll know what to do.