Hit enter to search or ESC to close
12 January 2021
Privacy breach response plan: is your business prepared?
The biggest change of the Privacy Act 2020, which came into effect on 1 December 2020, was the requirement for businesses to notify the Privacy Commissioner of a privacy breach.
Adopting a privacy breach response plan and holistic privacy management framework, can help ensure businesses are prepared to meet these new obligations.
While every business is different, there are some common steps owners and managers can take to reduce the risk of non-compliance, and their exposure to compensation claims.
Privacy breach response plan
Prepare, implement, and test a response plan. This should cover notification obligations under the Privacy Act as well as any other notification steps that may be relevant to your business. Ensure a copy of the plan can be accessed remotely even when systems are locked down following a breach.
Privacy review
Carry out a privacy review (or ‘privacy health check’) to make sure you understand the full life cycle of information within your business, and your privacy practices are up to date.
Supplier and customer contracts
Review your supplier and customer contracts to ensure appropriate provisions are incorporated to reflect the new breach notification obligations. Consider the impact on other provisions, including force majeure, liability, data sovereignty, confidentiality, announcements, and disaster recovery.
Governance
Consider whether your data strategy delivers on your purpose and is consistent with your business values. Does it identify your strengths, weaknesses, and maturity level regarding data?
Privacy statement
Ensure your privacy statements are up to date, and accurately and transparently reflect your collection, use and disclosure of personal information.
Policies and procedures
Update your internal policies and procedures (eg. privacy policies, IT security policies) to support your data strategy and privacy management framework.
Training
Provide regular training to make sure your staff are aware of the policies and procedures in place, and understand their obligations.
Security
It is important your privacy framework is integrated across teams to ensure appropriate security measures (including access controls) are in place to prevent and minimise the risks of a privacy breach.
Retention
Make sure you have a clear record-keeping and document destruction process in place to ensure the information you hold is up to date and securely destroyed when no longer required.
Preserving confidentiality
There is a risk that a privacy breach could lead to legal and regulatory claims. You should ensure your processes for responding to, investigating, and reviewing a breach take legal privilege into account.
Insurance
Review insurance policies to ensure these are appropriate to your business and the risks associated with a privacy breach.