Cyber-attacks and data breaches are rapidly increasing in sophistication, with immense ramifications for companies and their customers. Australian companies are under greater obligation than ever to manage their customers’ Personally Identifiable Information (PII).
Millions of people have been severely impacted by the release of PII, including highly sensitive medical and financial information. Major brands have suffered serious reputational damage, loss of customers, financial penalties and costs. These are no longer rare or isolated events, but a deliberate, sustained, wide-ranging threat.
Public expectations and privacy protection laws are becoming increasingly stringent. In Australia, we expect further amendments to privacy legislation in line with global standards, such as the European General Data Protection Regulation. In practice, this means that Australian businesses subject to the Australian Privacy Act will need to:
- Minimise the collection of PII
- Provide customers with choice over PII collection
- Increase the security of private information
- Identify, locate, aggregate, export and erase private information
- Understand and manage the business impacts of the erasure of private information
- Enhance information lifecycle – retention and disposal
- Manage privacy breaches
Many organisations have invested heavily in next-generation cybersecurity solutions and are adopting toolsets that enhance privacy through PII masking and encoding; however, technology is not a complete solution to the ever-changing security landscape.
Forward-thinking businesses recognise that they now require a holistic, integrated, and strategic approach that maximises the value of information and minimises risk. Information Governance has emerged as a consolidated and strategic framework to address these urgent needs.
The best practice approach, referred to as ‘privacy by design’, recognises that a range of complementary business practices, especially information security, records management (inclusive of retention and disposal), and Information Governance, is critical to ensuring effective management of sensitive private information and PII.
Leveraging 23 years of experience delivering specialised information management services, Astral has developed a comprehensive approach to identifying and managing PII risk, as outlined below.