Australia should expect its own GDPR, with OAIC to sharpen its teeth: Chan

Financial services organisations should brace for a major overhaul of Australia’s privacy regulations within the next few years, including the introduction of “GDPR-esque” laws as well as increased enforcement powers for and activity by the Office of the Australian Information Commissioner (OAIC), according to Beforepay chief risk officer and general counsel Elena Chan.

Speaking at the Future of Security, Sydney event on Thursday, Chan, a legal expert and previously group transformation chief at Westpac, anticipates the forthcoming legislation to “look very much like” Europe’s General Data Protection Regulation, or GDPR, considered among the strictest and best codified data protection laws in the world.

Introduced in 2016 (and fully enforced from 2018), the GDPR is primarily tasked with increasing individuals’ control and rights over their personal data and, further, with regulating businesses’ use of personal data.

Breach of GDPR laws also attracts significant fines as well as reputational damage for those found guilty, with penalties of up to €20 million or four per cent of a firm’s global turnover – whichever is greater. Google, for instance, was fined €50 million by the French data protection regulator, CNIL, for failing to properly inform users of the use of their data by third parties and for not gaining consent to do so.

Chan also expects the current collaborative bonhomie between the OAIC and the broader industry to change, with the OAIC taking on a much more top-down, “enforcement-focused” role in its relationship with regulated entities.

“At the moment, the way that regulated entities work with the OAIC is quite collaborative, not dissimilar to how – if you can cast your mind back a number of years – [regulated entities worked] with ASIC,” Chan said.

“With this overhaul and with an increase in powers [for the OAIC], I suspect that you’re going to see them become a little bit more enforcement-focused, [including] increased fines and with much more scrutiny, for instance.”

Chan also anticipates the privacy overhaul will see the “introduction of the notion of personal claims and personal rights”.

As a result, she said, the industry should prepare for a significant increase in class action suits following major cyber breaches.

“If you have a hack event or a cyber event which leads to your customers’ personal information leaking, there could be a class action.”

She cites the Attorney General’s department discussion paper for the anticipated privacy legislation overhaul, which emphasised, she said, “an overlap between cybersecurity and data risk management”.

While not on the immediate “12-month” radar for the Government, Chan does expect major legislative changes will soon be made to privacy regulations.

ASIC to take broader approach to cyber enforcement

Chan believes corporate regulator ASIC will likely take a more sweeping view of its cybersecurity enforcement remit and responsibilities.

No longer would the watchdog limit – as Chan notes it has so far – its enforcement action to specific breaches of particular sections of the Corporations Act.

“Increasingly they’re saying, ‘Actually, [as regulated entities] you’ve got broad obligations, and I can pin you under that broad obligation’,” she said.

“There are a lot of nervous AFSL holders very quickly looking at ‘What are the controls?’ Have they built not only the front-end controls, but also the ongoing monitoring piece? Are there issues and incidents management systems that enable them to properly consider systemic risk from a few incidents and join the dots effectively?”

APRA’s increased focus on data and risk management

Looking briefly at APRA’s evolving cyber enforcement priorities, Chan has observed an increased focus on data risk management by the prudential regulator.

A number of banks, she said, are under enforceable undertakings, specifically in relation to data risk management.

Despite this, data risk management is “one part of the regulatory landscape that not a lot of people really understand”, with Chan noting that the industry still has difficulty drawing a distinction between data risk management and cyber risk management.

“They kind of overlap if you think about it from a Venn diagram perspective. You’ve got cyber risk management, and a subset of cyber risk management looks at data breach; that’s where it really overlaps.”

“Data risk management looks at the holistic governance of data, making sure that your data is of good quality. And that includes making sure that you’ve got sufficient controls where you don’t have data breaches.

“In information security, however, we talk about ‘data classification’. When we talk about data classification, we’re talking about, Is something highly confidential or sensitive or is it something that we can share with the world?

“In data risk management, we talk about data taxonomy, and what we talk about there is, for example, What do we mean by registered address? Is that the operational address?”

Chan currently serves as Chief Risk Officer and General Counsel at ‘pay on demand’ fintech Beforepay.