Data privacy and cyber security in Australia
Data privacy is the third most important factor to Australians when choosing a product or service. Nearly half (47%) of Australians said they would stop buying from an organization that experienced a breach and 12% said there was nothing an organization could do to appease them[1].
Since 1988, Australian entities have looked to the Australian Privacy Act (The Act) for guidance on collecting, using and sharing personal data. A wide-ranging, modern review of the Privacy Act began in 2020 and was released to the public in February 2023 by the Australian Attorney General’s Department. Most recently, amendments made through the Privacy and Other Legislation Amendment Bill 2024 (Bill) have the Privacy Act under reform, with some measures reaching Royal Assent in December 2024. As it stands now, there are 38 ‘accepted in full’ changes tabled in draft legislation that directly impact the cybersecurity strategies of in-scope organizations (including some small businesses with a turnover of $3M or less).
Another critical resource for cyber security improvement in Australia has come from the Australian Signals Directorate (ASD), the Australian Government’s technical authority on cyber security. Since 2012, ASD has encouraged organizations to follow a recommended set of baseline mitigation strategies labeled the “Essential Eight.” These strategies give small and medium-sized businesses, large organizations, and government entities a fundamental but relatively strong model for defending against cyber threats.
A set-and-forget cyber security strategy is not a realistic plan. To ensure all compliance obligations are met and risk mitigation measures remain fit for purpose, all organizations must keep pace with changes to the Privacy Act, while critical infrastructure operators and in-scope government bodies must also keep pace with changes to the Security of Critical Infrastructure (SOCI) Act and the Essential Eight.
Privacy Act compliance challenges
Organizations are expected to take reasonable steps towards procedural and system compliance with The Act. Key issues to consider include:
- Resources and budget: Programs need dedicated resources and funding.
- Legal requirements: Compliance requirements are determined by data type, data source and an organization’s unique IT infrastructure.
- Data management protocols: Organizational leaders are obligated to understand all data protocols comprehensively.
- Transparency and consent: Businesses must be clear and transparent in obtaining permission.
- Data management and access: Individuals have a right to access their data in full within one month of submitting a request.
- Third-party compliance: Companies are responsible for ensuring that third-party service providers comply with the Privacy Act and international privacy laws.
- Incident response and reporting: All organizations require a well-developed and regularly tested data-breach response plan.
E8 compliance challenges
- Documenting progress: NSW Government agencies are required to document the quality of evidence in their E8 report.
- Lack of investment is a false economy: Any upfront savings from achieving only baseline compliance or not meeting compliance obligations pale in comparison to the cost of disruption to operations, negative brand implications and hefty outlays required to remediate a security breach.
What are the benefits of compliance?
Managing customer information effectively demonstrates a strong commitment to maintaining customer privacy, which in turn builds stakeholder trust and brand value. Safeguarding customer data is, therefore, a distinct competitive advantage.
Compliance helps you avoid:
- Business disruption
- Loss of customer trust
- Intellectual property theft
- Reputational damage
- Lost revenue (fines, penalties, legal fees)
- Mitigating action
- Remediation expenses
- Criminal charges and imprisonment
Four solutions to help you comply with the AU Privacy Act
Here are four solutions to help you comply with the Privacy Act legislative changes while increasing alignment with the E8 Cyber Security Framework and improving your cyber security posture:
1. Conduct a privacy impact assessment
How does it add value? It optimizes and prioritizes privacy compliance investments by identifying and mitigating privacy risks associated with data processing activities, protecting your customers’ privacy, and transforming compliance into a competitive advantage.
Why do I need it? It streamlines the incorporation of legislative changes into business operations, ensuring all compliance obligations are met while minimizing business disruption.
2. Test your incident response plan
How does it add value? It elevates security beyond best practices and baseline compliance requirements to the point where incident detection, containment, and response are classified as business-as-usual activities.
Why do I need it? It provides confidence to stakeholders and board members that incident response plans and playbooks are robust and have been exercised to develop the relevant muscle memory.
3. Execute an Essential Eight assessment
How does it add value? It amends policies and procedures to promptly reflect framework updates, proactively incorporates threat detection and containment strategies, and ensures all compliance obligations are met.
Why do I need it? It protects data, builds trust with stakeholders, and builds your brand by implementing robust cyber security strategies and maintaining all compliance obligations.
4. Test your application security
How does it add value? It evaluates an application’s vulnerabilities and secures them, reducing cyber security risk to reasonable levels for all stakeholders.
Why do I need it? To independently review an application’s security, prevent compromise, improve an application’s security posture, and help meet regulatory obligations.
While compliance is complex, it is critical for maintaining a sustainable cyber security program. Ultimately, a business’s viability relies on its ability to protect personal information.
So what’s the bottom line? Proactive compliance measures build stakeholder trust, which lays the foundation for long-term success and sustainable growth. That's something that Australians—and the rest of the world—can likely agree to prioritize.
Our Strategy, Risk, and Compliance experts are here to help.
Download the full thought leadership piece ‘Sustainable cyber security strategy: How to comply with Privacy Act legislative changes and increase alignment with the Essential Eight cyber security framework while improving your cyber security posture’ here or contact us to discuss your unique challenges.