Notifiable Data Breach & GDPR
Australia took its first steps toward stricter data protection back in 1988 with the passage of the Privacy Act 1988.
It would take a full 20 years for the rest of the world to wake up to the threat that the lack of a stricter data privacy legal framework posed to individuals, culminating in the enactment of the GDPR in 2018.
Coincidentally, the country had taken further steps to strengthen the rules on how organizations handle personal information with the adoption of the Notifiable Data Breach Act 2017 (NDB). This act, which actually came into force months before the GDPR, adds further obligations on organizations and agencies by requiring them to notify affected individuals and Australia’s Information Commissioner (OAIC) of data breaches that could result in serious harm.
It goes further to make it mandatory for these organizations to include the steps that affected individuals could take to respond to the reported breach.
The NDB and the EU’s far-reaching General Data Protection Regulation (GDPR) have been causing Australian companies sleepless nights as they scramble to re-engineer their data privacy controls and improve compliance.
The Convergence Between The NDB and The GDPR
Because they put data subjects first, the two laws may, in the long run, dramatically alter the way Australian organizations and agencies do business.
Under the new arrangement, individuals are more empowered and have a lot more say in how companies use their data, meaning that firms must audit their existing data storage and management systems and upgrade them appropriately.
It’s also worth noting that under both the NDB and the GDPR the questions are now broader: it’s not just about storage and processing of the data, but also about data controllers answering the “where”, “how”, and “why” of holding and using Personally Identifiable Information (PII).
The NDB scheme Vs the GDPR
Although the two laws are both geared towards creating a more stringent personal information security framework, combing through the legislation reveals some prominent differences.
NDB Is Focused on “Seriousness” While the GDPR Is Concerned With All Breaches
The NDB leans more on the level of risk that a data breach poses to an individual, whether psychological, financial, physical, emotional, or reputational harm, and appears to cover only “serious harm”.
What constitutes “serious harm”, and who, between the organization and the data subject, quantifies that “seriousness”, is, as it stands, anyone’s guess.
On the other hand, the GDPR is firm in requiring data controllers to notify the relevant authority of all personal data breaches unless the company considers that the breach is unlikely to result in losses.
NDB Is About “Eligible Breaches” While the EU’s GDPR Is Far-Reaching
The GDPR touches on practically every aspect of how data collected from third parties should be used by agencies, not-for-profits, and others.
From the firm’s utilization of private data from former and current employees, all the way to information from independent contractors, suppliers, and clients, GDPR covers it all.
Further, the GDPR requires all companies to comply.
In comparison, the NDB targets businesses with at least a $3 million annual turnover and a few others, such as health service providers, credit reporting bodies, and TFN recipients.
The NDB also talks about “eligible data breaches”, implying that organizations can get away with some breaches.
NDB Has Lenient Deadlines Compared With the GDPR
The NDB offers kinder deadlines, with organizations allowed up to 30 calendar days to assess the magnitude of the breach and notify the OAIC.
The GDPR is, in contrast, not that generous and expects firms to notify national data protection authorities of breaches within 72 hours.
Final Thoughts
The combination of the NDB and the GDPR heralds a new dawn for businesses when it comes to their handling of personal data.
And since the penalties for non-compliance are hefty, companies need to perform thorough compliance reviews and update their systems to close the gaps.
Sure, it’s going to be taxing at first, but in the end the business will be in the good books with the authorities and, crucially, look trustworthy in the eyes of its stakeholders.