Part 1: EU GDPR, the Privacy Amendment (NDB) and ISO 27001:2013
Early last March at the 'Data Privacy Matters' meetup, I had the privilege of moderating a panel segment addressing the NDB Amendment and GDPR's impact on Australian businesses. The panellists were Patrick Gunning (Law Partner at King & Wood Mallesons), Fergus Brooks (Cyber Risk National Practice Leader at Aon Australia) and Romain Rallu (CEO at Privasec, an independent security firm). We spent the night discussing the applicability of the Privacy Act, being prepared for this new privacy legislation, the ramifications of ignoring it, and what is covered by insurance when it comes to data breaches.
Who Does It Affect?
Under the new Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Privacy Act), companies must notify the affected individuals and the Commissioner if they believe a breach is likely to result in serious harm to those individuals. Already there are differing views on what 'serious harm' means. The key to avoiding an NDB notification? Putting controls in place so that you have assurance that leaked data is harmless even if it has left your control, e.g. because it is encrypted.
The Australian Privacy Act 1988 applies to most Australian organisations (Government agencies, NPOs and the private sector) with an annual turnover of more than $3 million, to ALL private health service providers, and to some small businesses.
As for the General Data Protection Regulation (GDPR), this applies to Australian businesses (regardless of size) if they process, store or transmit personal data belonging to European Union (EU) residents, but ONLY if they have operations targeting the EU market (with or without a physical presence in the EU).
GDPR applies to personal data, which is critical information that every organisation needs to protect. Yes, there are other major subjects in the regulation, e.g. the right to be forgotten, data portability, parental consent, etc. However, security by design is certainly an ISO 27001 value, and once personal data is identified as an information security asset and managed as such, many of the EU GDPR requirements are already being addressed.
The Privacy Act also has a number of requirements that overlap with the GDPR, e.g. taking a privacy by design approach to compliance. Part B of the OAIC's Guide to Securing Personal Information explains what needs to be implemented to protect personal information. To manage cybersecurity risk effectively, it outlines the mix of controls that are required to satisfy the technical security aspect of the Privacy Act.
But First, a Quick Intro to the ISMS
Information security is unmanageable without some kind of framework. An ISMS (Information Security Management System) is a system for managing information security by tackling the business-impacting security risks within an organisation. ISO 27001:2013 is the international best practice standard that describes how to develop an ISMS. At its very core, an ISMS is about managing risk to the confidentiality, integrity and availability of information assets and selecting appropriate controls (people, process and technical controls) to mitigate these risks to a level acceptable to the organisation (its Risk Appetite).
There are more types of controls than just technical ones (e.g. implementing a firewall); essentially, there are three main aspects to consider: people, processes and technology.
Examples of non-IT controls: training your staff is a human resource control; documenting a procedure is an organisational control.
Most people are unaware of how much an ISO 27001:2013 certification can differentiate a business, or of the benefits of simply having it on their radar. That's a story for another day though, which I will share in my next article: Part 2 - How an ISO 27001:2013 certificate can be a tangible market differentiator for your business, and debunking the myths.
So How Does ISO 27001:2013 Come into the Privacy Picture?
If your organisation already has an Information Security Management System (ISMS) in place, you have already embarked on the journey of ensuring that personal data is protected and that the risk of a data leak is mitigated to a level commensurate with your Risk Appetite. By conducting a Privacy Impact Assessment and identifying your compliance gaps, you can address those gaps as part of your ISMS, and any additional controls can be added to your Statement of Applicability.
If you do not yet have an ISMS to leverage, it will be harder to convince your regulators and auditors that you are on the road to compliance, and the impact (i.e. the fine) of a security breach can therefore be quite significant.
Another interesting thing to note is that GDPR mandates the involvement of senior management. This is also key to ISO 27001 and, frankly, to any information security initiative: if top management does not commit, you are fighting a losing battle.
Last but not least: check out BS 10012:2017 Personal Information Management System (PIMS), which has just been revised to align with GDPR. If the title looks familiar, it's because it follows the same Plan-Do-Check-Act best practice approach as ISO 27001:2013 (ISMS), and can therefore be neatly "added on" to your existing ISMS to cover your privacy controls!
Do stay tuned for my next write-up, which will explore the different benefits you will want to gain from an ISO 27001:2013 certificate!