Privacy Impact Assessment

With the number of data breaches growing daily, it has never been more important for organisations to protect their customers' personal information. This starts with a privacy impact assessment to understand what personal information you hold, what you actually need, and where it resides within your organisation. Only then can you determine the appropriate measures to protect this data and keep your customers safe.

Compliance made easy, differentiation made clear


Be Compliant

Adhering to the Privacy Act 1988 (Cth) is not just best practice, it is also a legal obligation. Non-compliance can result in fines, legal proceedings and regulatory scrutiny.

Reduce Exposure

By understanding what personal data is required, you can reduce the amount of personal information you store. This lowers the potential impact and exposure in case of a breach.


Differentiate

Complying with privacy laws helps your company stand out from competitors who may not be taking the same precautions with personal data. It demonstrates that you take the privacy of your customers seriously.

Privacy solutions that support business growth

Organisations are increasingly recognising the importance of safeguarding personally identifiable information (PII). Breaches are becoming more frequent and severe, with personal information exposure reaching unprecedented levels.

As global threats evolve, privacy regulations are evolving with them, and Australia is no exception. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 came into force in December 2022, and the mandatory data breach notification scheme introduced by the Privacy and Personal Information Protection Amendment Act 2022 (NSW) commenced on 28 November 2023. Additionally, many Australian organisations must comply with country-specific regulations when operating in international markets, such as the General Data Protection Regulation (GDPR) for EU customers.

Staying up-to-date with current legislative requirements and anticipating upcoming changes can be a daunting task for any organisation. Neglecting compliance obligations not only puts data at risk but also jeopardises potential business opportunities. In today’s cyber-aware climate, customers and business partners demand robust security controls and management practices to protect their data. Failure to meet these expectations can result in missed opportunities and lost business to competitors with mature data management practices.

There are a number of key challenges organisations face when it comes to managing and securing personal information. These include:

- Knowing what you need. Organisations must understand exactly what personal and sensitive information is necessary to achieve business objectives and serve their customers. This involves identifying why the information is needed and for how long it should be retained. Holding onto unnecessary data, or failing to dispose of it in a timely manner, as seen in recent breaches, amplifies the consequences of a cybersecurity breach.

- Knowing where it is. Organisations often lack visibility into the personal data they receive, its origin and its storage locations, including the multiple copies created during processing. An organisation may assume that it only receives data through its online portal, but data also arrives through unmonitored channels such as email or file-sharing platforms. As a result, personal information is scattered across the environment and is effectively unmanaged. Without knowing where every piece of personal data is stored, it is impossible to implement adequate controls to protect it.

- Classifying and disposing of it. Proper classification of different types of data is essential not only for implementing sufficient security controls but also for managing the data lifecycle, including retention and disposal. Excessive storage of personal information has made data breaches more damaging than they needed to be. Data must be securely disposed of when it is no longer needed, including securely wiping systems and other devices before they are disposed of.

- Keeping up with the law. Understanding and complying with legislative requirements can be difficult, especially if compliance and cybersecurity are not your primary functions. The complexity of the requirements and the constant changes make it challenging to determine what needs to be done and how to do it in the most efficient and cost-effective way. It is also essential to keep up with international privacy changes when operating in overseas markets.

- Responding to a breach. In addition to stringent requirements on data protection, privacy laws around the world also prescribe specific procedures that must be followed in the event of a data breach: who to report to, what to report, and the timeframes that must be met. Having clear processes and documentation in place to comply with these requirements within the prescribed timeframes is essential to minimise the legislative knock-on effects of a breach.

- Staying compliant through change. Even after achieving compliance, businesses are constantly undergoing change as priorities and markets evolve, and this affects how personal information is received, used, stored and managed. Processes are needed to ensure that new and existing data is not affected by these changes and that compliance and data protection are maintained.
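The visibility problem above (the same record arriving via the portal, email and a file share, with copies nobody tracks) is easiest to appreciate with a small discovery scan. The following is an added example, not Morrisec's tooling or any product described on this page. It runs over a constructed in-memory corpus whose paths, addresses and numbers are all made up, looks for email addresses, Australian mobile numbers and Tax File Numbers, and validates TFN candidates with the ATO weighted-modulus-11 check so that an ordinary nine-digit invoice number is not reported as personal information. The inventory it produces is the kind of artefact a PIA data-flow exercise needs: which channels hold personal information, and which values exist as duplicates in more than one place.

```python
"""Added example: personal-information discovery over a constructed corpus.

Paths, addresses and numbers below are made up for illustration.
Only 9-digit TFNs are checksum-validated (assumption: 8-digit legacy
TFNs are out of scope here).
"""
import re
from collections import defaultdict

# Constructed sample corpus: path -> content. Channel is the first path segment.
SAMPLE_FILES = {
    "portal/exports/customers-2023-06.csv":
        "id,name,email,tfn\n1001,A. Example,a.example@example.com,123456782\n",
    "mail/inbox/2023-06-02-support.eml":
        "From: a.example@example.com\nHi, my TFN is 123 456 782, please update it.\n",
    "share/finance/invoices.txt":
        "Invoice 123456789 paid 2023-06-03. Contact j.smith@example.org\n",
    "share/hr/onboarding.docx.txt":
        "New starter mobile 0412 345 678, TFN 123-456-782.\n",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 8 or 9 digits, optionally grouped 3-3-2/3 with spaces or hyphens
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{2,3}\b")
AU_MOBILE_RE = re.compile(r"\b04\d{2}[ -]?\d{3}[ -]?\d{3}\b")

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def tfn_checksum_ok(candidate: str) -> bool:
    """ATO weighted-modulus-11 check for a 9-digit TFN.

    Filters out arbitrary 9-digit numbers (invoice or order numbers)
    that merely look like a TFN.
    """
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def scan_text(text: str) -> dict:
    """Return {category: sorted distinct values} found in one document."""
    found = defaultdict(set)
    for m in EMAIL_RE.finditer(text):
        found["email"].add(m.group().lower())
    for m in AU_MOBILE_RE.finditer(text):
        found["au_mobile"].add(re.sub(r"\D", "", m.group()))
    for m in TFN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # Keep rejected candidates so the analyst can see what was filtered.
        key = "tfn" if tfn_checksum_ok(digits) else "rejected_tfn_like"
        found[key].add(digits)
    return {k: sorted(v) for k, v in found.items()}


def build_inventory(files: dict) -> dict:
    """Map each path to the personal-information categories it holds."""
    return {path: scan_text(body) for path, body in files.items()}


def locations_by_value(inventory: dict) -> dict:
    """Invert the inventory: (category, value) -> paths holding a copy."""
    where = defaultdict(set)
    for path, findings in inventory.items():
        for category, values in findings.items():
            if category.startswith("rejected"):
                continue
            for value in values:
                where[(category, value)].add(path)
    return {k: sorted(v) for k, v in where.items()}


def channel(path: str) -> str:
    """Channel the document came through (portal, mail, share) by convention."""
    return path.split("/", 1)[0]


def summarise(files: dict) -> dict:
    """Inventory, values duplicated across locations, and channels holding PII."""
    inventory = build_inventory(files)
    duplicates = {k: v for k, v in locations_by_value(inventory).items() if len(v) > 1}
    channels = sorted(
        channel(p) for p, f in inventory.items()
        if any(not c.startswith("rejected") for c in f)
    )
    return {
        "inventory": inventory,
        "duplicates": duplicates,
        "channels_holding_pii": sorted(set(channels)),
    }


if __name__ == "__main__":
    import json
    result = summarise(SAMPLE_FILES)
    print(json.dumps(result["inventory"], indent=2))
    for (category, value), paths in result["duplicates"].items():
        print(f"{category} {value} duplicated in {len(paths)} locations: {paths}")
    print("channels holding personal information:", result["channels_holding_pii"])
```

In the constructed corpus the same TFN is found in the portal export, an inbound support email and an HR document, and the invoice number in the finance share is correctly rejected by the checksum. Real scans would add more categories and run over actual mail stores, file shares and databases, but the output shape is the point: an inventory of locations and duplicates is what a retention and disposal plan is built on.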

How we can help…

Morrisec offers specialised services aimed at protecting critical business assets, including personal information entrusted to organisations by their customers. Safeguarding personally identifiable information is a complex task, which is why Morrisec’s privacy impact assessments are in high demand. Our assessments offer unparalleled value to organisations seeking to ensure the protection of personal data.

A privacy impact assessment is a comprehensive evaluation that identifies and analyses the privacy risks associated with an organisation’s data processing activities. The assessment then provides remediation activities to mitigate these risks, ensuring compliance with relevant privacy laws and regulations.

Our privacy impact assessment process has been tested and proven effective across a wide range of industries, simplifying compliance and personal information management requirements.

- Our privacy impact assessments (PIA) and GDPR-focused data protection impact assessments (DPIA) give you access to highly skilled and experienced professionals with a deep understanding of Australian and global privacy regulations.

- At Morrisec, our consultants possess decades of experience in client-side roles as CISOs and Information Security Risk Managers, working with a multitude of privacy requirements. They have extensive experience complying with privacy laws and regulations and have successfully secured personal information within these organisations. They have provided consulting services to hundreds of organisations across all industries to address privacy risk and compliance.

- Our consultants will work with you to identify what information you actually need and why you need it. We spend time working with the business and critical stakeholders to understand the various requirements they have for obtaining personal information and the risk associated with storing it. We address the critical question: does the data provide enough value to the business to justify wearing the risk of storing it?

- Once we have determined the data necessary for your business operations, we conduct a thorough assessment of the privacy laws and regulations that apply to your business. This identifies any gaps in compliance and provides recommendations for remediation so that you meet your compliance obligations. Morrisec assists with managing multiple privacy standards, such as the Australian Privacy Principles (APPs) and GDPR, to identify the most effective approach for your business without increasing your cost or workload. One option is leveraging standards such as ISO/IEC 27701, which can support multiple international requirements. We also ensure that mandatory breach notification requirements are identified and addressed in accordance with the relevant privacy obligations.

- We dedicate time to understanding your data flows to pinpoint all the channels through which personally identifiable information is received, where it originates and where it is eventually stored. We also examine how the data moves from initial receipt to storage, and all the points along the way where it may be duplicated. This helps you identify potential breach points and adjust processes to manage this data more securely.

- Our team works with you to manage data throughout its lifecycle, ensuring it is retained only as long as necessary for business purposes or to comply with legal retention requirements. This includes identifying appropriate retention periods and the processes needed to securely dispose of data when it is no longer needed.

- Lastly, we examine procedures for maintaining ongoing compliance and data security as your business evolves, ensuring your organisation stays on track with all privacy requirements.

Morrisec's privacy impact assessments and data protection impact assessments go well beyond supporting compliance requirements for data protection. They help you identify the personal information you hold and, most importantly, help your business understand what data you actually need to manage and where that data resides. This reduces your attack surface and can deliver cost and resource savings in managing the data that remains.


Mitigate risk, protect your reputation


Protect Reputation

Mishandling of personal information or suffering a data breach can lead to adverse publicity and harm your company's reputation. Adhering to privacy laws helps preserve a positive image and inspires confidence in clients.

Reduce Cost

Ensuring adequate protection of personal data throughout your organisation reduces the risk of costly data breaches that may also lead to regulatory enquiries, financial penalties and legal expenses.

Mitigate Risk

Complying with privacy laws aids in identifying and mitigating the privacy risks that lead to security incidents, including data breaches, and so reduces the likelihood of financial and reputational harm.

Start Reducing Privacy Risk

We can help you identify privacy information across your environments, understand what data you actually need to support your business services, and how to protect that data.