Data privacy and process compliance upheaval in 2018
2018’s Big Three Data Deal-Breakers
Two things you can rely on post-holiday season in Oz: hot cross buns hitting the supermarket shelves on 2 January, and a stream of articles and posts telling us what our business priorities need to be for the year ahead. To be sure, most of the big-ticket predictions are on-trend and valid strategic considerations for SMEs. But 2018 brings with it an increasingly urgent need for Australian SMEs to close their digital and data disconnects and address the persistent line-of-business data and file management inefficiencies many of them face daily. Data privacy and process compliance legislation is coming!
Why is data privacy and process compliance so important in 2018?
Because some genuinely core-shaking data compliance changes are about to hit Australian businesses in 2018, and Australian SMEs need to make data privacy and process compliance a top priority or risk exposing themselves to hefty fines. Data management and process clean-ups can no longer be sidelined; waiting or making do is no longer an option. Australian SMEs need to get their data management and compliance direction right as soon as possible, in readiness for three tidal-wave changes set to hit in 2018.
Three reasons to get your data strategy in line for the year ahead
Notifiable Data Breach Reporting (NDB Scheme)
Under the Privacy Act 1988 (Cth), government agencies, and businesses and not-for-profits with annual turnover greater than $3 million, have long had a responsibility to take reasonable steps to protect the personal information they hold (as have businesses under the $3 million threshold that provide health services or trade in personal information). On 13 February 2017 the Australian Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, setting a 12-month timeline for a mandatory data breach notification scheme that comes into full effect on 22 February 2018. From that date, entities covered by the Act must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals of any eligible data breach (one likely to result in serious harm), and must assess a suspected breach within 30 days; in practice that means having a tested response and communication plan for dealing with actual and suspected breaches. Penalties for serious or repeated failures are up to $1.8 million for businesses.
Organisations have a small window left to get NDB scheme ready and:
- Undertake a comprehensive review of data security processes and procedures and address any emergent issues (prevention will always be better than a cure!); and,
- Prepare a documented data breach response plan for the organisation that outlines the priorities and procedures needed to respond quickly, comprehensively and lawfully to actual and suspected data breaches.
Single Touch Payroll Reporting (STPR)
If your business had 20 or more employees (full-time or otherwise) on 1 April 2018, then from 1 July 2018 (1 July 2019 for businesses with fewer than 20 employees) you will be required to comply with STPR. STPR is an Australian Taxation Office (ATO) data initiative that makes real-time reporting of payroll data (salaries and wages, PAYG withholding and superannuation) to the ATO mandatory each time employees are paid. The changes are designed to let the ATO engage with taxpayers sooner when issues arise, share payroll information between agencies, and match employee superannuation payments more promptly.
STPR will ultimately affect ALL Australian businesses, and the time is now for Australian SMEs to:
- Start talking to accounting software providers to ensure current payroll processing procedures support STPR requirements;
- Undertake a risk review of current payroll procedures;
- Talk to your business technology provider to ensure that the security, availability AND visibility of your HR and payroll data and processes are robust enough to support real-time reporting requirements.
EU General Data Protection Regulation (GDPR) and its impact on Australian businesses
While the European Union might be half a world away, from 25 May 2018 Australian businesses of any size may need to comply with the GDPR if they:
- Have an office or other establishment in the EU;
- Operate a website that targets EU customers, e.g. by allowing them to order goods and services in a European language and/or pay in euros, or that mentions customers or users in the EU;
- Track EU-based individuals on the internet and use data processing techniques to profile them, or use data analytics or other analyses to predict their personal preferences, behaviours and attitudes.
Whilst the regulation has much in common with Australia's updated Privacy Act, notable differences include the GDPR's right to erasure, right to data portability and right to object, and its new and very specific definition of what does and does not constitute valid "consent" (it must be freely given, specific, informed and unambiguous, so pre-ticked boxes and silence do not count).
Some reports indicate that as many as 90% of ANZ businesses know little or nothing about the GDPR, but the stakes are high: non-compliance could see Australian businesses caught off guard by potentially crippling administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
There is certainly no easy one-size fits all solution to complying with GDPR, but critical steps for eligible Australian businesses are to:
- Streamline and standardise processes to ensure compliance with both the Australian Privacy Act and the GDPR, covering both the common ground and the differences;
- Examine whether a Data Protection Officer (DPO), which the GDPR mandates for some organisations (for example those whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of sensitive data), needs to be appointed to be responsible for compliance, and who that person should be;
- Revisit mechanisms, past, present and future, for gaining customer consent to collect and use personal data; including that collected through automated processes for data analytics; and,
- Ensure a common data breach plan satisfies the mandatory reporting rules of both the Australian and EU authorities, noting that the timelines differ: the GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach, whereas the NDB scheme allows up to 30 days to assess a suspected breach before notifying.
Many Australian businesses are either well behind where they need to be to comply with 2018's changes or simply remain unaware of them. To get out from behind the eight ball, at the very least Australian businesses now need to understand and take full stock of what personal data they hold, where it is held, who has access to it, and how it is being secured.
How we can help
We provide a consulting-led approach to your business technology strategy – making sure you’ve got the right resources in the right places. If you need advice on how to meet the challenges highlighted by the introduction of data privacy and process compliance within Australia, call us on 1300 MAXSUM or shoot us a message on [email protected] to register your interest in our upcoming data compliance workshops for SMEs.