{"id":134,"date":"2018-02-16T00:00:00","date_gmt":"2018-02-16T00:00:00","guid":{"rendered":"https:\/\/sageamptesting.wpengine.com\/en-au\/blog\/?p=134"},"modified":"2026-02-05T20:15:33","modified_gmt":"2026-02-05T09:15:33","slug":"new-data-protection-laws-is-your-business-prepared","status":"publish","type":"post","link":"https:\/\/www.sage.com\/en-au\/blog\/new-data-protection-laws-is-your-business-prepared\/","title":{"rendered":"New data protection laws: is your business prepared?"},"content":{"rendered":"
\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\tCompliance<\/a>\t\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t
\n\t\t\t\t\t

\n\t\t\t\t\t\tNew data protection laws: is your business prepared?\t\t\t\t\t<\/h1>\n\t\t\t\t<\/div>\n\n\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t\t\t\t\t<\/p>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/div>\n\t

\n\t\t
\n\t\t\t
\n\t
\n\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\n\t\t
\n\t\t\t\n\t\t\t\t\"\"\t\t\t\tKeir Thomas-Bryant<\/span>\n\t\t\t<\/a>\n\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\n

New federal laws will require businesses to disclose when they suffer a data breach<\/strong><\/em><\/p>\n\n\n\n

On 22 February 2018, the Notifiable Data Breaches (NDB) scheme will take effect, introducing new obligations for Australian businesses that suffer a data breach.<\/p>\n\n\n\n

Governed by the Office of the Australian Information Commissioner (OAIC), the scheme strengthens the existing data privacy regulations in the Privacy Act by requiring businesses to notify individuals when the loss of their information is likely to result in serious harm.<\/p>\n\n\n\n

The new laws come as data breaches continue to escalate in Australia, with recent high profile cases causing severe problems for businesses<\/a> and government agencies<\/a> alike.<\/p>\n\n\n\n

Here we\u2019ll provide an overview of the NDB scheme, who it applies to, and your obligations:<\/p>\n\n\n\n

Will my business need to comply with the scheme?<\/strong><\/h2>\n\n\n\n

If you\u2019re a business or non-profit covered by the Privacy Act<\/a> and have an annual turnover of $3 million or more, you will need to comply with the scheme.<\/p>\n\n\n\n

If your business makes less than $3 million a year, you may be exempt, however there are exceptions<\/a>.<\/p>\n\n\n\n

The scheme similarly applies to Australian government agencies, credit reporting bodies, health service providers, and TFN recipients, among others.<\/p>\n\n\n\n

\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t

Free research report: The changing face of HR<\/h2>\n\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t

Seismic shifts in the way organisations operate, work, and manage their people are occurring. We surveyed 500+ HR leaders to discover how they are responding.<\/p>\n

Uncover insights on how to stay ahead and transform HR from a process focused function to a people driven business.<\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tDownload Report<\/a>\n\t\t\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\"\"\t\t\t<\/div>\n<\/div>\n\n\n\n

What are my obligations under the NDB scheme?<\/strong><\/h2>\n\n\n\n

If you have reasonable grounds to believe<\/strong> your business has suffered an \u201celigible data breach\u201d \u2013 one that reveals personal information likely to result in serious harm to any individual \u2013 you must notify those individuals and the OAIC within 30 days of becoming aware of the breach.<\/p>\n\n\n\n

The scheme stipulates that a notification statement must include recommended steps individuals should take in response to the breach, amongst other details<\/a>. It\u2019s important to note that the scheme only applies to eligible data breaches that occur on or after 22 February 2018.<\/p>\n\n\n\n

If you only have reasonable grounds to suspect<\/strong> your business may have suffered an eligible data breach, you are not required to notify anyone immediately. However, you must complete a “reasonable and expeditious” assessment into the relevant circumstances within 30 days. While it\u2019s left up to businesses to develop their own procedures for assessing a suspected data breach, the OAIC provides a guide to doing so<\/a>.<\/p>\n\n\n\n

What are the penalties for failing to comply?<\/strong><\/h2>\n\n\n\n

Serious or repeated instances revealing the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for companies.<\/p>\n\n\n\n

How can you prepare for the NBD scheme?<\/strong><\/h2>\n\n\n\n

If your business stores confidential information about your customers, it\u2019s wise to put a plan in place to ensure you can respond quickly to data breaches, and conduct an assessment as required under the NDB scheme.<\/p>\n\n\n\n

A good place to start is the OAIC website<\/a>, where you can find a data breach response summary<\/a> and a comprehensive guide to handing personal information security breaches<\/a>.<\/p>\n\n\n\n

\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t

Free research report: The changing face of HR<\/h2>\n\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t

Seismic shifts in the way organisations operate, work, and manage their people are occurring. We surveyed 500+ HR leaders to discover how they are responding.<\/p>\n

Uncover insights on how to stay ahead and transform HR from a process focused function to a people driven business.<\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tDownload Report<\/a>\n\t\t\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\"\"\t\t\t<\/div>\n<\/div>\n\n\n","protected":false},"excerpt":{"rendered":"

New federal laws will require businesses to disclose when they suffer a data breach On 22 February 2018, the Notifiable Data Breaches (NDB) scheme will take effect, introducing new obligations for Australian businesses that suffer a data breach. Governed by the Office of the Australian Information Commissioner (OAIC), the scheme strengthens the existing data privacy […]<\/p>\n","protected":false},"author":280,"featured_media":502,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_sage_video":false,"post_featured_image_hide":false,"footnotes":""},"categories":[83,75],"tags":[143,217,219,185],"business_type":[9],"context":[],"industry":[],"persona":[106,107,108,101],"imagine_tag":[57,51,42,40],"coauthors":[271],"class_list":["post-134","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compliance","category-strategy-legal-operations","tag-compliance","tag-data-security","tag-ndb-scheme","tag-regulation","business_type-medium-sized-business"],"sage_meta":{"region":"en-au","author_name":"Keir Thomas-Bryant","featured_image":"https:\/\/www.sage.com\/en-au\/blog\/wp-content\/uploads\/sites\/5\/2019\/01\/GettyImages-736491675_super.jpg","imagine_tags":{"57":"Data","51":"Data Security","42":"Enterprise business","40":"Mid-sized business"}},"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Sage Advice Australia","distributor_original_site_url":"https:\/\/www.sage.com\/en-au\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/posts\/134","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/users\/280"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/comments?post=134"}],"version-history":[{"count":0,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/posts\/134\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/media\/502"}],"wp:attachment":[{"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/media?parent=134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/categories?post=134"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/tags?post=134"},{"taxonomy":"business_type","embeddable":true,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/business_type?post=134"},{"taxonomy":"context","embeddable":true,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/context?post=134"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/industry?post=134"},{"taxonomy":"persona","embeddable":true,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/persona?post=134"},{"taxonomy":"imagine_tag","embeddable":true,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/imagine_tag?post=134"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.sage.com\/en-au\/blog\/api\/wp\/v2\/coauthors?post=134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}