Why businesses should be carrying out a data “stocktake” ahead of EOFY

Changes to Australia’s Privacy Act may leave businesses open to harsher penalties unless they take proactive measures to identify and appropriately store or remove data kept in their archives, forensic services experts at BDO have warned.

Forensic Services partner Conor McGarrity said that while the proposed changes to the Privacy Act are welcome, they require businesses to do a deep dive into their records.

“These days you have to divulge personal information when signing up for virtually anything – whether that’s your address, phone number, email…any number of things,” Conor said.

“So everywhere you go, you’re asked for your personal information, but what we’re now seeing is the regulators are starting to question the need to collect this information and to keep it on file.”

Conor urged businesses to conduct an immediate stocktake on all the personal data they hold to understand what they have, where it’s stored, why it was collected and to determine whether there’s risk in carrying data not needed anymore.

“It’s really a case of you won’t know what personal information resides in your organisation (or third-party providers) until you take a proactive approach. Much of this data may have been collected years ago and it’s sitting somewhere where nobody looks, so to determine where they’re exposed, businesses need to go and find out what information they have and where it lies.”
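The stocktake described above (what personal information exists, where it lives, and how long it has sat untouched) can be started with a simple discovery script. The following is an added example, not code from BDO or the article: it walks a directory tree, looks inside text files for two of the personal-information types mentioned (email addresses and Australian phone numbers), and reports each file's location and age so that stale records can be reviewed for deletion. The regular expressions, the two-year staleness threshold, the fixed "now" timestamp and the sample files created by build_sample_tree() are all assumptions made for the example.

```python
"""
Added example (not from the article or BDO): a minimal personal-data
"stocktake" scanner over a file tree. Patterns, the staleness threshold
and the constructed sample files are assumptions made for illustration.
"""
import os
import re
import tempfile
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Australian numbers as commonly written: 0412 345 678, 0412345678, (02) 9876 5432
AU_PHONE_RE = re.compile(r"(?<!\d)(?:\(0\d\)\s?\d{4}\s?\d{4}|0\d(?:[ -]?\d){8})(?!\d)")

DAY = 86400


@dataclass
class Finding:
    name: str       # file name
    path: str       # where the data lives
    emails: int     # email addresses seen in the file
    phones: int     # phone numbers seen in the file
    age_days: int   # days since the file was last modified
    stale: bool     # older than the retention review threshold


def scan_tree(root, now, stale_days=730):
    """Return findings for every file under root that holds personal data, oldest first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: record separately in a real inventory
            emails = len(EMAIL_RE.findall(text))
            phones = len(AU_PHONE_RE.findall(text))
            if not (emails or phones):
                continue
            age = int((now - os.stat(path).st_mtime) // DAY)
            findings.append(Finding(name, path, emails, phones, age, age >= stale_days))
    # The longest-forgotten data is the first to review.
    return sorted(findings, key=lambda f: f.age_days, reverse=True)


def build_sample_tree(now):
    """Constructed sample files standing in for a real file share (assumption)."""
    root = tempfile.mkdtemp(prefix="stocktake_")
    samples = {
        # a CRM export nobody has touched for three years
        ("crm", "export_2019.csv", 3 * 365): (
            "name,email,phone\n"
            "Jane Citizen,jane.citizen@example.com,0412 345 678\n"
            "Sam Nguyen,sam@example.com.au,(02) 9876 5432\n"),
        # a recent, still-needed contact list
        ("hr", "contacts.txt", 30): "Payroll contact: payroll@example.org\n",
        # no personal data at all
        ("docs", "readme.txt", 400): "Build instructions: run make.\n",
    }
    for (sub, name, age_days), content in samples.items():
        directory = os.path.join(root, sub)
        os.makedirs(directory, exist_ok=True)
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        mtime = now - age_days * DAY
        os.utime(path, (mtime, mtime))  # back-date the file to simulate old data
    return root


def demo(now=1_717_200_000):
    """Scan the constructed tree with a fixed 'now' so results are reproducible."""
    return scan_tree(build_sample_tree(now), now)


if __name__ == "__main__":
    for f in demo():
        flag = "STALE " if f.stale else ""
        print(f"{flag}{f.path}: {f.emails} email(s), {f.phones} phone(s), {f.age_days} days old")
```

A real inventory would also need to cover databases, mailboxes, backups and third-party providers, and would record why each record was collected alongside where it sits; the script only shows the discovery and age-flagging step.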

Conor said companies now face penalties for serious or repeated interference with privacy equal to the greater of $50 million, or three times the value of the benefit obtained. For individuals that breach privacy, the civil penalty can be up to $2.5 million.

With the introduction of new civil penalty provisions, Conor said accountability and transparency are vital.

“The government has agreed, in principle, to create a direct right of action for individuals. This allows them to seek compensation through court action when they have suffered loss or damage due to a severe breach of privacy.

“One way to safeguard your business is with privacy impact assessments, which help adopt a privacy-by-design approach, including when considering modern technologies.”

Key issues to be on alert for are access to customer accounts through credential stuffing and compromised staff access, where a threat actor obtains a user’s credentials or finds another way to act on their behalf.
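Credential stuffing has a recognisable shape in authentication logs: one source address fails against many different accounts in a short window, which a single-account brute force or a user mistyping a password does not. The following is an added example, not code from BDO or the article, that runs that detection over a constructed log sample; the log format, the thresholds and the addresses and usernames are assumptions made for the example.

```python
"""
Added example (not from the article or BDO): a small credential-stuffing
detector over constructed authentication log lines. Log format,
thresholds and sample data are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log: "<ISO 8601 UTC> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 sprays nine accounts and lands one (ivan): credential stuffing.
# 198.51.100.9 hammers a single account (bob): brute force, a different pattern.
# 192.0.2.4 is a user who mistyped once and then logged in normally.
SAMPLE_LOG = """\
2024-06-03T09:00:00Z 203.0.113.7 alice FAIL
2024-06-03T09:00:02Z 203.0.113.7 bob FAIL
2024-06-03T09:00:04Z 203.0.113.7 carol FAIL
2024-06-03T09:00:06Z 203.0.113.7 dave FAIL
2024-06-03T09:00:08Z 203.0.113.7 erin FAIL
2024-06-03T09:00:10Z 203.0.113.7 frank FAIL
2024-06-03T09:00:12Z 203.0.113.7 grace FAIL
2024-06-03T09:00:14Z 203.0.113.7 heidi FAIL
2024-06-03T09:00:16Z 203.0.113.7 ivan OK
2024-06-03T09:00:18Z 203.0.113.7 judy FAIL
2024-06-03T09:01:00Z 198.51.100.9 bob FAIL
2024-06-03T09:01:05Z 198.51.100.9 bob FAIL
2024-06-03T09:01:10Z 198.51.100.9 bob FAIL
2024-06-03T09:01:15Z 198.51.100.9 bob FAIL
2024-06-03T09:01:20Z 198.51.100.9 bob FAIL
2024-06-03T09:01:25Z 198.51.100.9 bob FAIL
2024-06-03T09:01:30Z 198.51.100.9 bob FAIL
2024-06-03T09:01:35Z 198.51.100.9 bob FAIL
2024-06-03T09:02:00Z 192.0.2.4 carol FAIL
2024-06-03T09:02:05Z 192.0.2.4 carol OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the sample format into time-ordered AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events, window_seconds=300, min_failures=8, min_distinct_users=5):
    """Return {ip: {"failures", "distinct_users", "compromised"}} for sources that
    fail against many distinct accounts inside one sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e.ok]
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (fails[end].ts - fails[start].ts).total_seconds() > window_seconds:
                start += 1
            window = fails[start:end + 1]
            users = {e.user for e in window}
            if len(window) >= min_failures and len(users) >= min_distinct_users:
                # A success from the same source during or after the spray is a
                # likely account takeover: those accounts need a reset and MFA.
                compromised = sorted({e.user for e in evs if e.ok and e.ts >= window[0].ts})
                previous = alerts.get(ip)
                if previous is None or len(window) > previous["failures"]:
                    alerts[ip] = {"failures": len(window),
                                  "distinct_users": len(users),
                                  "compromised": compromised}
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_credential_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(f"{ip}: {info['failures']} failures across {info['distinct_users']} accounts; "
              f"successful logins to review: {info['compromised'] or 'none'}")
```

The single-account pattern from 198.51.100.9 is deliberately not flagged here; it is worth alerting on too, but as a separate brute-force rule, because the response differs (lock or rate-limit one account rather than reset every account the source touched).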

“It’s well worth considering implementing multi-factor authentication, where a verification code is required on more than one device.

“And if you suspect a data breach, be flexible and adaptive, and where possible, take the required steps simultaneously or in quick succession.”

For media enquiries
Tate Papworth
Manager, Media
E: tate.papworth@bdo.com.au
Ph: 0433 411 189