Menu
Menu
CIO upfront: The privacy whirlwind, keeping up with compliance

CIO upfront: The privacy whirlwind, keeping up with compliance

New Zealand is poised to pass new legislation that sets the framework for the disclosure of data breaches to the public. Brian Fletcher of Symantec reflects on what this means for your organisation.

With strong encryption, all you are handing criminals is an empty wallet

Brian Fletcher, Symantec

Here are two things to think about.

One. New Zealand is poised to pass new legislation that sets the framework for the disclosure of data breaches to the public.

Two. You may already require compliance with the European Union’s General Data Protection Regulation (GDPR).

Justice Minister Amy Adams is expected to draft the new mandatory notification bill this year. Breach notification laws are coming. Even our Australia neighbors passed mandatory data breach reporting legislation this February. 

Now consider what that means. Very soon your company may be compelled to tell its customers ‘we’ve lost, and potentially mishandled, your information’. You’ll also be required to do so within the frameworks of both the GDPR and whatever laws Parliament passes, or face significant fines.

Other nations, including Australia, are taking action and finding ways to work inside these new rules and regulations.

Australia's Privacy Amendment, compared to the GDPR, applies a much narrower idea of personal data and only applies to the federal government, large companies and companies holding health data. It also has much smaller penalties for non-compliance, but New Zealand won’t just adopt their legislation - privacy ideas are strongly rooted in local culture. New Zealand will need to find its own path along with the companies that operate here.

New Zealand will also need to keep pace. Organisations in GDPR jurisdictions with mandatory reporting (generally) have more mature approaches to privacy compliance and deal with privacy issues better.

GDPR issues are complex, and EU based companies that are already dealing with concepts such as the ‘right to be forgotten’, ‘right of access’ and ‘right of correction’ are more advanced in their breach preparations compared to the rest of the world. When information is lost or stolen, they handle it better.

Companies that are managing new privacy and compliance issues best have adopted data governance and privacy by design as fundamental principles for operations. These companies literally build privacy into the default settings.

Data governance requires organisations to look at their entire holdings through a lifecycle lens and apply governance to the collection, processing, retention and management of data. This ensures that potential issues are mitigated, such as only collecting data that is needed and with appropriate consent, and the processes are baked in from the very beginning.

New Zealand is on the right path, and the government is setting a fast pace. Many New Zealand companies are already taking compliance steps, but the ones that aren’t risk falling behind and facing financial penalties.

Here are some top tips to help mitigate risk and comply with local and global legislations as they come into effect:

  • Document what personal data you hold and where it is – If you know what data you have you can better determine what parts of your business need to comply with the GDPR or whether the GDPR will apply to you at all.

  • Understand and treat your big data privacy and security risks first – It’s tempting to get easy runs on the board, but best practice is to determine which are the biggest risks and treat them first.

  • Apply appropriate technology, business processes and people strategies to achieve compliance – adherence to the GDPR requires technology, processes and people working together in order to be truly successful.

  • Only collect data that is necessary for the business – not only is it good privacy practice, it means less to protect

  • Encrypt data wherever possible – with strong encryption, all you are handing criminals is an empty wallet

  • Ensure systems are kept up to date and patched – it is essential to keep security software, systems and applications updated

  • Reduce access to private information – only those with legitimate business requirements to sensitive data need access to it

  • If you have concerns, get professional advice – contact a reputable security professional and work with them for a security risk assessment.

'Very soon your company may be compelled to tell its customers ‘we’ve lost, and potentially mishandled, your information’. You’ll also be required to do so within the frameworks of both the GDPR and whatever laws Parliament passes, or face significant fines.'
'Very soon your company may be compelled to tell its customers ‘we’ve lost, and potentially mishandled, your information’. You’ll also be required to do so within the frameworks of both the GDPR and whatever laws Parliament passes, or face significant fines.'

 Brian Fletcher is director of government affairs, Symantec APJ.

Send news tips and comments to divina_paredes@idg.co.nz

Follow CIO New Zealand on Twitter:@cio_nz

Join us on Facebook.


 

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the CIO New Zealand newsletter!

Error: Please check your email address.

Tags cybersecurityGDPRmandatory breachesGDPR (General Data Protection Regulation)Data managementdata governance

More about AustraliaEUFacebookSymantecTwitterUnion

Show Comments