The Privacy Act amendments come into law in Australia tomorrow (12 March), with serious fines of up to $1.7 million for companies and up to $340,000 for individuals who breach the Act.
However, the total cost of a data breach for a company could be far greater due to ongoing audits, according to Baker & McKenzie partner Patrick Fair.
"For larger corporations the cost can be very high, because you have so many points of collection and multiple layered databases with different information stored in different places," he told Computerworld Australia.
"The way that you have engaged your service providers and the terms on which they use the personal information that you have collected is also in play."
This is because the Act encompasses outsourcing or offshoring partnerships with third-party providers. For example, the cross-border disclosure of personal information is covered in Australian Privacy Principle (APP) 8. New accountability requirements will apply to organisations, including Australian government agencies, that send personal information to an overseas recipient.
"Instead of the legislation regulating a transfer of data, it now regulates disclosure of data. That's a much wider concept," Fair said.
"That means outsourced service providers that have access to data for technical reasons to do specific tasks now have to be reviewed by the company so that the provider complies with the law."
He added that remote access to data held in Australia from another country, such as remote desktop logins, also counts as disclosure.
According to Websense country manager Gerry Tucker, it will be harder for companies to gauge the ongoing resource requirements of an audit.
"It's not just in the four weeks that this audit is going on, you need to have processes in place prior to, and after, the audit," he said.
Tucker warned that the cost will be more than just financial if the information gets leaked online. "If anything goes public, that is brand and reputation damage."
Rise of the chief privacy officer?
To help organisations keep abreast of the Act, Fair suggested appointing a full- or part-time privacy officer.
"If you haven't got someone appointed in that [privacy] role, you're going to get audited. There has to be someone in the organisation who understands the [APPs] and is prepared to broker them into the business," he said.
"Any organisation with volume of personal information is going to need someone full time."
According to Tucker, the role of privacy officer is more suited to the risk and compliance department than IT.
"Should the privacy officer report to the CFO or the board? That's a question that organisations have to ask themselves very carefully."