Best practice before a breach occurs
An organisation can seek to prevent, or minimise the likelihood of, a personal data security breach by implementing an effective organisational data security compliance framework.
An effective organisational data security compliance framework can avoid or minimise the risk of an organisation and individuals within it breaching personal data security obligations.
Such a framework should usually include:
- regular audits of the organisation’s IT security policies, systems, controls, processes and practices;
- effective IT security policies, systems, controls, processes and practices;
- staff training and awareness of data security obligations;
- a positive and strong compliance culture; and
- ongoing governance oversight.
An organisation should conduct regular audits of its IT security systems, processes, practices and policies.
An organisation should develop and maintain effective IT security policies, systems, controls, processes and practices to prevent or minimise the risk of breach of data security obligations.
Employees should receive regular training on compliance with data security requirements.
The main objective of the training should be to build and maintain a good level of current awareness of how to comply with, and avoid breaching, data security obligations.
Employees of an organisation whose roles involve performing services for the organisation’s customers should be familiar with any contractual obligations that the organisation has to the customer concerning data security requirements.
Organisations should develop and maintain a positive and strong compliance culture in relation to data security obligations.
A positive and strong compliance culture can embed best practice with respect to data security awareness and compliance within the values of an organisation and the values and behaviours of its staff.
An organisation should also implement effective internal governance processes and oversight of data security issues.
Internal governance processes should enable the timely and accurate reporting of data security compliance issues and breaches to relevant internal stakeholders.