This article was originally published on The Australian
Digital privacy is top of mind for many Australians. With weekly data breach scandals, individuals are becoming more aware and concerned about who has their data, and more importantly, who controls how that information is gathered, used and shared.
Governments around the world are struggling with the modern challenges of data protection and with putting in place the right regulatory standards to enable organisations to protect their assets and stakeholders more effectively against the rising tide of cyber threats.
In Australia, the introduction of the Notifiable Data Breaches (NDB) scheme was celebrated as a step in the right direction. While many people questioned whether the legislation would be robust enough to ensure compliance, it seemed to be purposefully crafted to be soft, so that the effect on business could be observed first.
In the first six weeks of the country’s NDB scheme, more than 63 data breaches were reported to the Office of the Australian Information Commissioner (OAIC). For the public, this might seem like a high number, especially in such a short time, but we should be prepared to see the number continue to grow.
On May 25, the EU will introduce a privacy law that restricts how personal data is collected and handled. The General Data Protection Regulation (GDPR) focuses on ensuring that users understand and consent to the data collected about them. The GDPR emphasises consent, control and clear explanations of how user data is used, and it holds everyone accountable.
It is largely recognised as one of the most sweeping regulatory changes related to data protection ever introduced at such a large scale.
Australia is a country with 24 million people, and within six weeks the OAIC has had 63 reportable data breaches. It’s estimated that the EU has 511 million citizens: imagine what six weeks into the GDPR will reveal about the real levels of data breaches and loss of personal data happening globally. Additionally, the GDPR applies to all businesses handling EU data, even if they are not based in the region, which further expands the scope of the regulation.
Although Australia was first to put the data privacy regulation in place, some key learnings can be taken from the GDPR to strengthen Australia’s approach to security.
Protection of data, especially personally identifiable data, is now more important than ever before for government and business. The GDPR is just as much a privacy regulation as it is a cybersecurity regulation, in part because of the obligation to safeguard personal data.
In the EU, the GDPR does not make a distinction based on company size, turnover or type. If you handle personal data, then you are subject to the regulation. Businesses are also required to report a breach within 72 hours, and the EU also has the harshest fines, up to €20 million ($32m). Experts anticipate that most businesses will be challenged to meet this tight deadline.
In Australia, we have seen an attempt with the NDB scheme to follow this global trend of breach notification rather than data protection, although in a much lighter way. Only companies with more than $3m in revenue are required to report breaches, and they have 30 days to do so. This leaves many small and midsized businesses out of the obligation loop, which can be problematic for a number of reasons. SMBs are generally perceived as less security mature and thus at a higher risk of suffering data loss, IP theft and other security-related losses. As adversaries tend to focus on the weakest link, vulnerable SMBs can also pose a risk to their larger enterprise partners or suppliers.
According to a report from NAB, small to medium enterprises now contribute 57 percent of Australia’s GDP and it is estimated there are more than two million small businesses in Australia.
These businesses deal with customer data but in many cases don’t have the expertise or tools necessary to protect it. Most concerning, they have no legal incentive to ensure safeguards are in place to stop a data breach.
While the government has been specific about the rollout of the national data breach notification scheme, it remains to be seen whether it will go further down the path of more robust legislation.
The OAIC report not only highlights the issue of cybersecurity and privacy, but also raises the question of whether the OAIC has the resources and funding necessary to deal with the volume of reports and the advice organisations will be seeking, in particular when they are looking for guidance on a potential breach.
The desired outcome of regulations like the data breach notification scheme is to drive better security practice, and individuals and businesses are looking for guidance on how to do that.
It can be argued that Australia has not gone far enough to protect personal data when compared to the complexity of the GDPR.
The GDPR takes data protection to a new level, and other markets will be watching to see the impact of the legislation in the coming months. Australians who are on top of the local regulations are, in many cases, now extending their efforts to the GDPR and navigating the complexities that come with it.
The government and global community are thinking about the value of data and the impact of having it stolen. At the same time, consumers are demanding the right to be forgotten and to have their privacy protected.
It is not just about cancelling an account if you see suspicious activity. We need to consider the longer-term impact on individuals and the responsibility of businesses to protect their data.