Territory Stories
Law Society Northern Territory; PublicationNT; E-Journals
This publication contains many links to external sites. These external sites may no longer be active.
Made available via the Publications (Legal Deposit) Act 2004 (NT).
Celebrating 50 years 1968 - 2018 Law Society NT
Law -- Northern Territory -- Periodicals.; Law Society of the Northern Territory -- Periodicals.

Publisher name

Law Society Northern Territory

Issue no. 1

Copyright owner

Law Society Northern Territory

Page content

Anna Johnston, Director of Salinger Privacy

... more in their privacy and security programs, to avoid data breaches in the first place.

What to focus on

To prepare for a data breach, every organisation should prepare a Data Breach Response Plan. Having a plan in place can clarify what needs to be done, when and by whom, in the first few hours and days after a data breach is discovered.

To avoid data breaches in the first place, the privacy team or legal advisor should be working hand-in-hand with the information security team. Staff need privacy training and constant reminders of privacy messaging; and third-party contractors, vendors and suppliers need to be bound by appropriate terms and subject to additional controls to avoid becoming the weakest link in the security chain.

Further resources

The OAIC has guidance material available at www.oaic.gov.au. Salinger Privacy has Privacy Tools, including a template Data Breach Response Plan, available at www.salingerprivacy.com.au.

May: The GDPR

Who is affected

Commencing 25 May, the General Data Protection Regulation (GDPR) will regulate not only businesses based in the European Union (EU), but any organisation anywhere in the world which provides goods or services (including free services) to, or monitors the behaviour of, people in the EU. The GDPR will replace the current set of differing national privacy statutes with one piece of legislation, and will offer a one-stop-shop approach when dealing with privacy regulators across all 28 member states of the EU, including the UK post-Brexit.

The key requirements

In addition to harmonising the privacy rules across the EU, the GDPR introduces some new privacy obligations (although using the European term "data protection" rather than "privacy"). One is the Accountability principle, which requires organisations to be proactive. This means that if an organisation doesn't have an effective privacy compliance program, it can be found in breach of its data protection obligations even if it doesn't suffer a data breach. Although by no means a European invention (APP 1 in the Australian Privacy Act has the same objective), the financial penalties attached to the GDPR are intended to kick-start proper privacy governance in even the most recalcitrant organisations.

To help achieve this, the GDPR embeds a proactive requirement to do "data protection by design", or as we tend to know it in Australia, "privacy by design". The technique used to ensure privacy is built in to project design is known in the GDPR as a Data Protection Impact Assessment, or here as a Privacy Impact Assessment (PIA).

The GDPR also has a strong focus on getting reactive strategies right. It sets a default timeframe for notifying data breaches of only 72 hours, which adds further complexity for Australian organisations already adjusting to the new Australian notification scheme (above). The GDPR also updates the scope of privacy law to cover such things as data portability and the right to erasure, and aims to ensure that algorithmic decision-making is subject to human review.