Community understanding about the protection of personal information has been growing in the digital transformation era and people are gravely concerned about their privacy.

An OAIC survey found a sharp rise in the number of Australians who feel data breaches are the biggest privacy risk they face today and nine in 10 people want more to be done to protect personal information.

In the survey, only four sectors (health, federal government, finance and education) were more trusted than not by Australians to handle their personal information.

Make the call:

Why an action plan is critical 

Fewer than half of people trust organisations to only collect the information they need, use and share information as they say they will, store information securely, give individuals access to their information and delete information when no longer needed.

The Australian Government is set to strengthen legislative protections on the back of a review of the Privacy Act handed down earlier this year.

Three proposed areas of significant change have been outlined by law firm Lander & Rogers:

  • Removal of small business and employee records exemptions, which would require businesses with turnover of less than $3 million to introduce or uplift their current privacy compliance program.

  • Mandatory privacy impact assessments, which would necessitate a privacy impact assessment prior to undertaking a “high privacy risk activity”.

  • Protection of de-identified information, a change that would require entities to take reasonable steps to protect de-identified information and ensure overseas entities do not re-identify any information that has been de-identified.

Clearly, the trust that people have with how organisations handle data is fragile at best, and managing privacy issues and communicating protection measures is vitally important.

It is inevitable that trust and confidence will be shaken by a data breach but how quickly that confidence is rebuilt can come down to the communication response.

A communications plan can sometimes be forgotten or is the last piece of the puzzle in developing a risk management strategy for data breaches.

But a flawed or poorly executed plan can further compound the reputational damage, and preparedness is a critical component to handling any data breach.

No crisis communication strategy can be effective if it is developed during a crisis.

A communications plan should consider:

  • Legal, regulatory, employer, moral or ethical reporting obligations

  • Where are the data breach risks internally, and where are the risks on the supply chain?

  • Stakeholder mapping: Who will lead communication actions? Who will make the calls?

  • Risk tolerance in the organisation as well as among stakeholders and suppliers

  • Developing a culture of risk awareness

Assessing an organisation’s current response capability is the first step in preparing a plan. Consider lines of communications internally and the stakeholder segments that will need to be engaged or notified, including regulators.

An understanding about how data is accessed within the organisation and through its supply chain can identify gaps in security protocols and facilitate the development of a security culture. 

Consideration should be given to an organisation’s ability to communicate rapidly in a crisis across scenarios such as ransomware attack, privacy breach or supply chain breach, and develop a plan that includes collateral for several data breach risk scenarios.

Once you have a plan, it needs to be stress tested. Like a fire drill, communication channels can be evaluated to deliver an awareness among key staff about actions and plans assessed in a real-world environment.

An effective data breach response plan should outline a strategy for identifying, containing, assessing and managing a data breach incident.

Despite the best cybersecurity and technology efforts, data breaches are on the rise and best practice is for companies and organisations to be prepared for the worst.

Organisations must be thinking about how they will communicate with key stakeholders in the event of a breach.

Dealing with a data breach, and the fallout publicly, internally and among key stakeholders, is a highly challenging situation and it often comes with a long tail. The best practice is planning for a data breach crisis before you are in the middle of one.

Data breaches hit without warning. Being slow to act in a crisis can be as damaging as the breach itself, and business leaders should be prepared and ready to respond.