What’s Next for Mandatory Breach Reporting In 2021

The last significant update to the Notifiable Data Breaches (NDB) scheme came into effect on 22nd February 2018. Under this amendment to the Privacy Act 1988, agencies and organisations that suffer a potential data breach (e.g. a hacked database) must notify the affected individuals and the Office of the Australian Information Commissioner if the breach is likely to result in serious harm to any individual affected.

While no major updates to the Privacy Act and the NDB scheme have occurred since, it is safe to say that after the arrival of COVID and remote work in 2020, the laws and penalties around data privacy are due for an update in 2021.

What’s Next for Australia’s Privacy Laws?

The Australian government is currently undertaking a significant review of Australia’s privacy laws, following the ACCC’s ‘Digital Platforms’ inquiry and its recommendation that data protection measures be strengthened.

Commentators suggest that new changes to Australian law will build upon existing ‘tried and true’ global frameworks, such as the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CPA).

This certainly appears to be the case, as confirmed by the NSW Minister for Customer Service, Victor Dominello, who stated:

“My view is we reform to our own standards here. Based on our own temperature. So we pick the best out of the GDPR, but we craft it to [Australia]. Because they’re [the EU] obviously leading. But we craft it to Australian conditions.”

Issues such as timeliness, consumer transparency, and better data maintenance practices are likely to be targeted using GDPR and CPA principles. For example, Martin Rudd, CTO of Telesoft, speculates that instead of the 30-day period Australia’s Privacy Act currently allows firms to assess the gravity of a breach and report it, a 72-hour notification window may be adopted, as is the practice in the EU.

No doubt the law will be changing soon to reflect the demand for better data protection and customer trust. With this, it is likely that more companies will be affected, with a greater need to consolidate organisational data and streamline data maintenance costs.

Roy Hogan, Director of Qlik, believes greater transparency may be required of all types of companies. He states:

“Australia’s Privacy Act has similar principles to GDPR but small businesses (with annual turnover of AUS$3 Million or less) are generally exempt from many of its requirements. In contrast, all EU businesses (regardless of turnover) are subject to GDPR, though larger companies are expected to have more sophisticated measures in place.”

Improvements to how businesses use and secure data may be needed in the coming months.

If you’d like to know more about the current mandatory breach notification rules, please read our blog ‘New Notifiable Data Breaches Scheme’ or get in contact with our team for a deeper assessment. If you’re ready to future-proof your business with a data strategy or data audit service, we’re ready to help, no matter what new data privacy compliance laws emerge next year.

Please contact us and we’ll be ready to help.