AI Threats Are Evolving And So Must Our Audits: Why Surface-Level Compliance Won’t Cut It Anymore
With today’s society so heavily reliant on digital technology, data privacy breaches have become a critical issue for organisations of all sizes. The consequences of such breaches now go beyond financial losses or reputational damage; they also carry significant legal implications.
One of the most crucial legal frameworks governing directors’ responsibilities in Australia is Section 180 of the Australian Corporations Act. This provision places a duty on company directors to exercise their powers and perform their duties with care and diligence, something which is vital when it comes to managing data privacy risks.
What is Section 180 of the Australian Corporations Act?
Section 180 of the Australian Corporations Act 2001 requires that a director or officer of a corporation exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise in the same circumstances. This is often referred to as the ‘reasonable person’ standard and is fundamental to corporate governance in Australia.
When it comes to data privacy, this standard means that directors must be proactive in understanding the risks associated with the collection, storage, and processing of personal information. They must also make sure that their organisation has taken the right measures to protect against data breaches. Failing to do so can result in significant legal consequences, including personal liability for directors.
Data Privacy and the Duty of Care
Data privacy is an integral part of corporate governance. With such an increased reliance on digital technologies and the rising volume of personal data being handled by companies, there has been a heightened need for stronger data protection measures.
Under the Australian Privacy Act 1988, organisations are required to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.
This means that directors must take the right steps to ensure that their organisations comply with these requirements; failure to do so could be seen as a breach of their duty of care under Section 180. This includes not only implementing appropriate technical safeguards, like encryption and secure access controls, but also ensuring that the organisation has a comprehensive data privacy policy in place.
The PwC report, From risk to enabler: Australian insights on cybersecurity, found that 44 per cent of businesses will prioritise digital and technological risk mitigation this year, and that 74 per cent of Australian business leaders plan to increase their cyber budget in the year ahead, compared to 60 per cent last year.
Legal Consequences of Non-Compliance
The legal consequences for directors who fail to uphold their duty of care when it comes to data privacy can be drastic. If a data breach occurs and it is found that the directors did not take reasonable steps to prevent it, they could be held personally liable for any resulting damages.
This liability could also include fines, compensation claims from affected individuals, and even disqualification from holding directorships in the future.
Under the Notifiable Data Breaches (NDB) scheme, organisations are required to notify individuals and the Office of the Australian Information Commissioner (OAIC) if they encounter a data breach that is likely to result in serious harm. Failing to comply with the NDB scheme can lead to significant penalties, increasing the legal risks for directors.
Best Practice Tips for Directors
To stay ahead of potential data privacy issues, directors should take a hands-on approach, starting with some of these action items:
Regular Risk Assessments: Performing regular assessments helps to identify potential data privacy risks. It is important to also take the time to implement measures to address them.
Comprehensive Policies and Procedures: Make sure that the organisation has clear data privacy policies and procedures in place, which are regularly reviewed and updated.
Training and Awareness: Providing ongoing training for staff on data protection practices and the importance of compliance with relevant legislation helps to raise awareness.
Incident Response Planning: Developing and maintaining an incident response plan helps the organisation address potential data breaches swiftly and effectively. Having a plan in place can reduce the impact of a breach, should one occur.
Engagement with Legal Counsel: Making time to have regular consults with legal counsel can help to ensure that the organisation’s data privacy practices comply with all relevant legal requirements.
Conclusion
Section 180 of the Corporations Act 2001 demonstrates the importance of care and diligence in corporate governance. With the increase in digital technologies comes a need for tighter protections, making it vital that directors stay ahead of the game. Having the right measures in place, like strong data privacy platforms, is just one step that can be taken to ensure stronger protection. That’s where our team at de.iterate can help.
Questions? Queries? Keen for further information? Contact us today to ensure you’re meeting your responsibilities as a director effectively when it comes to your organisation’s privacy and cyber security needs.