GDPR fines span the globe – Australian businesses must respond
Any organisation with personal information must keep it safe, but this is even more so if the GDPR applies to the organisation’s processing of personal data. A significant breach of data which can be linked to an individual – including their name, address, email details, photograph, employee ID or similar – must be notified to a relevant European regulator within 72 hours. After that the regulator will decide what, if any, further action needs to be taken. It does not matter where the breach happened – if the breach involves personal data of EU residents, the breach must be notified to a European regulator.
Locally, the first annual report from Australia’s Notifiable Data Breaches scheme reveals that in the 12 months to the end of March 2019, 964 eligible data breaches were reported to the Office of the Australian Information Commissioner (OAIC).[/vc_column_text][image_with_animation image_url=”1548″ alignment=”” animation=”Fade In” border_radius=”none” box_shadow=”none” max_width=”100%”][vc_column_text]Source: OAIC[/vc_column_text][vc_column_text]In this environment, where serious cyber breaches are increasing, Australian organisations dealing with European data must comply with GDPR, or potentially face hefty GDPR fines and penalties.
It is critical that Australian businesses operating internationally, or holding European citizen’s data, treat personal data with great care. Reputational damage from a cyber breach in one market can rapidly affect consumer sentiment in another.
At the same time regulators are increasingly taking a more international stance with regard to compliance, which could mean that a multi-jurisdictional breach could incur the same harsh penalties by different regulators around the world.
Consequently, Australian organisations need to urgently review their exposure to GDPR and the opportunity to transfer risk.
The role of cyber insurance
Cyber insurance typically covers civil rather than criminal penalties. Aon’s recent The Price of Data Security report, sets out the legislative landscape in Europe as it pertains to insurance cover for a data breach. Generally, in Australia cyber insurance could extend to GDPR fines where permissible at law.
However, a GDPR fine is only one of many costs associated with a data breach. Other costs can be far more damaging, for example, legal and litigation fees, the expense of regulatory investigations, reduced revenues as a result of business interruption, remediation, public relations, compensation and notification costs – all which could potentially be covered by a robust cyber insurance policy.
It is important to note also that GDPR makes it easier for people who have suffered material or non-material damage (including distress, anxiety and reputational damage) to claim compensation. This injects further potential cost and risk.
Organisations that believe they have suffered a breach need to immediately triage the incident appropriately in order to mitigate the risk of, and quantum of a GDPR fine. The 72-hour GDPR reporting window creates a particularly acute and costly challenge and will often require companies to rely on a professional incident response team comprising digital forensics, lawyers and specialist communications teams skilled in crisis response.
For advice about the best approach to protect your business from a data breach, contact Aon today.