Understanding your organisation's data
01 February 2023
The cyber threat landscape is rapidly evolving. Minister for Cyber Security, Clare O’Neil, has warned that Australia faces a raft of national security challenges in coming years, including relentless cyberattacks. In the wake of recent high-profile data breaches, privacy is now front and centre, and cyber is a national security priority.
Regulators have been quick to respond. Massive new penalties for breaching the Privacy Act have been passed, which will further compound the often devastating impact of a cyberattack. Organisations need to actively prepare, and key to this is reviewing and assessing their data risk management practices and procedures.
In many cases, organisations are required to collect and retain data to comply with their legal obligations, but they must also keep that data secure.
In response to the raft of recent high-profile data breaches, the Australian Government has now passed legislation introducing significant new penalties for serious or repeated privacy breaches. Maximum penalties may now reach whichever is the greater of A$50,000,000, three times the benefit of a contravention, or (where the benefit can't be determined) 30 per cent of domestic turnover. Changes to the Security of Critical Infrastructure Act in 2021 and 2022 bring comprehensive cyber risk management and notification obligations to critical infrastructure sectors. In 2023, the Attorney-General is also reviewing proposed modernisations of the Privacy Act, including a right for individuals to sue entities directly for privacy breaches and a right of erasure, also known as the 'right to be forgotten'.
Organisations need to better understand the data that they hold and collect. They need to be actively considering when and why they are collecting personal or sensitive data, and be confident that collection of that data is in fact necessary. Organisations should also proactively assess how long data needs to be retained to ensure that data is not being held unnecessarily. Processes should be put in place to ensure any data that no longer needs to be held is destroyed, or at least de-identified.
And if the worst comes to the worst, it is critical that an organisation can quickly and effectively respond in the event of a cyber incident or data breach (or both). Key to an effective response is the ability to immediately assess the scope of any data breach that might have occurred. The organisation needs a clear understanding of what personal or sensitive data has been collected, and where it is stored. It sounds simple, but in most cases it is not.
Undertaking a data risk review and developing a data governance framework are together the most effective way to ensure that an organisation is not only complying with its regulatory obligations, but is also well positioned to respond in the unfortunate event of a cyber incident or data breach.
Organisations should review and standardise their data definitions, create data registers and inventories, and identify and operationalise data assets and data asset owners.
Any personal or sensitive information held by the organisation must be included in the governance framework. Data asset owners should be assigned for all personal data, sensitive data and highly sensitive data.
A strong data governance framework should include the following elements:
By including these elements, a strong data governance framework can help an organisation to protect its data assets and ensure compliance with relevant laws and regulations.
Organisations should record and visually map their data flows from the source of capture to the point of consumption.
This includes capturing all data from both structured and unstructured data sources, and documenting how that data has been transformed and why, while ensuring that technical transformations are accurate and align with their associated business rules.
Most organisations do not have a holistic understanding of the data they hold. Where does it reside? Does it contain any sensitive information?
Companies should record the purpose of processing the data; capture and manage customer consent; and ensure there is a lawful basis for the processing of all personal data across the organisation. Additionally, organisations will need to review and uplift their data retention standards and demonstrate compliance with the regulatory requirements.
Without the right controls, processes and policies, data issues often go unnoticed until a material breach occurs. It is extremely important that organisations identify data risks across the organisation, assess the existing controls, identify control gaps, test the effectiveness of controls and periodically review the residual risk. Companies should also focus on standardising and rationalising the control environment in order to reduce the residual risk levels.
Understanding your organisation's data is key to mitigating cyber and data risk. The most effective way to approach this often complex exercise is to undertake a comprehensive review of the organisation's data, and then develop and implement a data governance framework.
The heightened level of cyber risk, together with the increased regulatory focus on privacy and significant new penalties in force for privacy breaches, means organisations should begin to prepare now.
Authors: Matthew Worsfold (Partner, Risk Advisory), Bikram Choudhury (Director, Risk Advisory), Philip Hardy (Partner, Risk Advisory), Geoff McGrath (Senior Associate, Digital Economy Transactions) and Renée Green (Expertise Counsel, Cyber and Data Risk).
Backed by Ashurst’s data, risk and legal subject matter experts, Ashurst Risk Advisory provides end-to-end data risk management solutions that enable clear and demonstrable compliance with regulatory obligations, working towards effective risk monitoring and management of data risks.
We pair our data experts with deep risk domain knowledge and legal experts to design and implement data risk management frameworks using a curated methodology that leverages a range of industry standards and frameworks relevant to your organisation and industry.
This publication has been jointly published by Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
The Ashurst Group is global, and comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Risk Advisory brand. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group and the services offered, please visit www.ashurst.com.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.