Australia’s data breach worries: three quick lessons for the EU/UK

Australia’s data breach worries: three quick lessons for the EU/UK


29th March 2023

In our globetrotting news monitoring, we have recently been reading about a spate of data breaches affecting Australian businesses.

One contributing factor for this (in our view) is that Australia’s data privacy laws are simply not yet as robust as the EU GDPR/the UK GDPR. In time, that will probably change. But for now, less robust laws mean a less decisive response from organisations in the event of a data breach, and a greater risk of attack from bad actors.

Back in the EU and UK, it is a timely reminder about what needs to happen in the immediate hours following a data breach.

Here are our top tips:

  1. First, you really need to plan ahead. Have your team set up in advance: who will lead “Project Data Breach”? One of the biggest mistakes we see, logistically, is when data breach problems fall between the stools of HR, compliance, IT and/or anyone else in a business. If you know who will be in charge should something unexpected happen, it will be much smoother. So put this in place now. If you need it, you should also make sure you have whatever external support ready to go as well – forensic IT experts and data privacy/legal are the main external suppliers. Remember, setting up a new legal service provider often means some initial paperwork to sort out – you want that in place before things get hairy.
  2.  Secondly, don’t panic. Not everything that looks like a data breach ends up being a data breach, not every data breach is reportable to a regulator, and not every reportable data breach needs action to be taken in respect of the victims. So keep calm and just work through the process but work through it quickly (see next tip).
  3. Thirdly, if you do need to report something to the regulator or the impacted individuals, you will need to do it promptly. Both the EU GDPR and the UK GDPR have a 72-hour reporting window to the local regulator for reportable breaches. That is 72 straight hours, not working hours. Even over Christmas, Thanksgiving or other big holiday periods. It may be better to report something you are unsure about, but which may be reportable, even if you follow-up later on and change your mind. But this is where you typically will need some legal or data privacy expert input (whether internally or externally).

Let us know if we can help you plan your strategy ahead of time (or in the unfortunate event you get caught up in a breach).

Finally, if you are interested in knowing more about the current Australian position, take a look at these comments from The Australian Information Commissioner and this infographic analysis of Australia’s recent history of data breaches (the links take you to free-to-view newspaper articles published by ABC News Australia). To anyone used to the GDPR (EU or UK) they make for sobering reading.