As we previously wrote, on and from 22 February 2018, organisations regulated by the Privacy Act 1988 will be required to notify any individuals likely to be at risk of “serious harm” as a result of a data breach, together with the Privacy Commissioner.

The new laws pose real and substantial risk to your organisation’s reputation where data breaches are handled incorrectly. This article sets out our checklist to help you prepare

What you should be doing now

To minimise the risk to your reputation following a data breach, your organisation should be well prepared so that breaches don’t happen in the first place.

In light of these upcoming statutory obligations, we recommend that your organisation:

  • assesses and updates its privacy policy;
  • reviews contracts with its key suppliers to understand how suppliers will treat information you disclose or make available to them;
  • prepare a plan to deal with a data breach and the obligation to notify; and
  • train staff on the importance of privacy compliance.

Taking these steps means that your organisation is prepared to handle a data breach and to manage the message communicated. In turn, this will ensure minimisation of risk to your organisation’s reputation.

1 Data Breach Plan

We recommend that you should have a framework in place to act promptly and proactively where a breach occurs. A data breach plan should include a structured approach to detecting and responding to a data breach. These include:

  • The actions to take if a staff member suspects or discovers a data breach.
  • The members of the data breach response team.
  • The actions the response team should take.
  • A communications strategy.

You should set up a data breach response team which can respond quickly and ensure the organisation’s CEO, and ultimately board, are aware of the breach.

2 Train your staff on privacy compliance

No obligation is required to report to the Commissioner if action is taken that would mean the breach is unlikely to result in serious harm to affected individuals. However, an organisation is still required to report to the Commissioner even where harm is avoided for the majority of individuals, but some are still affected.

Therefore, one key method of managing data breaches is to train your staff on privacy. Educating staff on spotting potential data breaches will reduce the risk of a data breach occurring, as staff will be better prepared to spot a possible data breach and to take steps to prevent it from occurring.

If a data breach does occur, then staff will understand what steps need to be taken (including members of the data breach response team) to report and to contain the breach.

3 Decide who will be responsible

If more than one entity is affected by a single breach, only one entity must report the breach. Organisations must therefore determine who will be responsible for notifying.

Accordingly, it is important to understand how your contractors will handle data breaches that affect information you disclose or make available to your contractors.

4 Notification

After 22 February 2018, if your organisation suffers a serious data breach, you will be obliged to notify individuals at risk of serious harm and the Privacy Commissioner.

The legislation sets out the necessary components of the notification, but you will still have an opportunity to manage the content of the notification.

It may be worth including in your data breach response plan a template notification message, to at least set the framework for the notification. This will allow you to save precious time when time is of the essence in managing the negative effect on your reputation.

At all times it is worth remembering that empathy and transparency are important attributes for managing the response to the data breach.

If a serious data breach occurs, your organisation will need to notify individuals who are at risk of serious harm and the Commissioner as soon as practicable. Your organisation may use any method to notify the concerned individuals, as long as it is reasonable. You are required to set out certain details and you should also recommend the steps you are taking in response to the breach. You should communicate with empathy and transparency and should never ignore the issue or let concerns about being sued stop you from complying with your obligations. This response should be carefully planned as the message you put across can have major ramifications for your organisation.

5 Be proactive

Once the data breach response plan has been established and staff trained on privacy, the plan should be endorsed by the board and tested to ensure that it is effective and responsive.


The introduction of mandatory data breach notification represents a quantum shift in the importance of privacy compliance. Organisations have two months to prepare for the effect mandatory data breach notification might have on their reputation and brand.