Digital Economy and Risk Alert: Understanding Your Organisation's Data
01 February 2023
The cyber threat landscape is rapidly evolving. Minister for Cyber Security, Clare O’Neil, has warned that Australia faces a raft of national security challenges in coming years, including relentless cyberattacks. In the wake of recent high-profile data breaches, privacy is now front and centre, and cyber is a national security priority.
Regulators have been quick to respond. Massive new penalties for breaching the Privacy Act have been passed, which will further compound the often devastating impact of a cyberattack. Organisations need to actively prepare, and key to this is reviewing and assessing their data risk management practices and procedures.
In many cases, organisations are required to collect and retain data to comply with their legal obligations, but they must also keep that data secure.
In response to the recent series of high-profile data breaches, the Australian Government has now passed legislation to introduce significant new penalties for serious or repeated privacy breaches. Maximum penalties may now reach whichever is the greater of A$50,000,000, three times the benefit of a contravention, or (where the benefit can't be determined) 30 per cent of domestic turnover. Changes to the Security of Critical Infrastructure Act in 2021 and 2022 bring comprehensive cyber risk management and notification obligations to critical infrastructure sectors. In 2023, the Attorney General is also reviewing modernisations of the Privacy Act, including a right for individuals to sue entities directly for privacy breaches and a right of erasure, also known as the 'right to be forgotten'.
Organisations need to better understand the data that they hold and collect. They need to be actively considering when and why they are collecting personal or sensitive data, and be confident that collection of that data is in fact necessary. Organisations should also proactively assess how long data needs to be retained to ensure that data is not being held unnecessarily. Processes should be put in place to ensure any data that no longer needs to be held is destroyed, or at least de-identified.
And if the worst comes to the worst, it is critical that an organisation can quickly and effectively respond in the event of a cyber incident or data breach (or both). Key to an effective response is the ability to immediately assess the scope of any data breach that might have occurred. The organisation needs a clear understanding of what personal or sensitive data has been collected, and where it is stored. It sounds simple, but in most cases it is not.
Undertaking a data risk review and developing a data governance framework are together the most effective way to ensure that an organisation is not only complying with its regulatory obligations, but is also well positioned to respond in the unfortunate event of a cyber incident or data breach.
Any personal or sensitive information held by the organisation must be included in the governance framework. Data asset owners should be assigned for all personal data, sensitive data and highly sensitive data.
A strong data governance framework should include the following elements:
Understanding your organisation's data is key to mitigating cyber and data risk. The most effective way to approach this often complex exercise is to undertake a comprehensive review of the organisation's data, and then develop and implement a data governance framework.
The heightened level of cyber risk, together with the increased regulatory focus on privacy and significant new penalties in force for privacy breaches, means organisations should begin to prepare now.
Authors: Matthew Worsfold (Partner, Risk Advisory), Bikram Choudhury (Director, Risk Advisory), Philip Hardy (Partner, Risk Advisory), Geoff McGrath (Senior Associate, Digital Economy Transactions) and Renée Green (Expertise Counsel, Cyber and Data Risk).
Backed by Ashurst’s data, risk and legal subject matter experts, Ashurst Risk Advisory provides end-to-end data risk management solutions that enable clear and demonstrable compliance with regulatory obligations, working towards effective risk monitoring and management of data risks.
We pair our data experts with deep risk domain knowledge and legal experts to design and implement data risk management frameworks using a curated methodology that leverages a range of industry standards and frameworks relevant to your organisation and industry.
This publication has been jointly published by Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
The Ashurst Group is global, and comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Risk Advisory brand. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group and the services offered, please visit www.hschangyihong.com.