Data Breach Response Plan (DBRP) – What is it and does Your Business need one?

We’re hearing the phrase ‘data breach’ more often these days, usually in media reports about organisations that have leaked the personal information they collected about individuals, whether inadvertently or as the result of an attack. The question of the day is: does YOUR business have a plan for what it would do in response to a data breach?

A data breach can severely harm your reputation and can have adverse impacts on your bottom line. Some businesses have even had to shut their doors after a data breach, as consumers will quickly lose trust in you if you fail to keep their personal information private.

However, given the speed at which technology has been advancing, it’s no surprise that businesses sometimes struggle to keep up with privacy threats that new technologies pose.

The Privacy Act 1988 (Cth) (Privacy Act) has undergone major reform to keep up with changes in technology. It now contains 13 Australian Privacy Principles (APPs). These APPs impose obligations on businesses like yours about how you collect, hold, use and disclose personal information.

To supplement the Privacy Act, the Notifiable Data Breaches Scheme (NDBS) commenced in February 2018. It obliges you to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of an ‘eligible data breach’: a breach that is likely to result in serious harm to any of the individuals whose information is involved and that you have not been able to prevent through remedial action. If you merely suspect that an eligible data breach has occurred, you must assess it within 30 days, and notification must be given as soon as practicable once you have reasonable grounds to believe an eligible data breach has occurred.

The APPs also bear on how well an entity is prepared to handle a data breach. In particular:

  • APP 1 requires entities to take ‘reasonable steps’ to implement practices, procedures and systems that ensure their compliance with the APPs; and
  • APP 11 requires an entity to take ‘reasonable steps’ to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

To help you comply, the OAIC has released guidelines that outline how to prepare a Data Breach Response Plan (DBRP).

The DBRP is a proactive, documented plan that identifies what a data breach is and explains how you will respond to one. Whilst a DBRP is not mandatory under the Privacy Act, it may be a ‘reasonable step’ you can take to ensure compliance with APP 1 and APP 11. It also sets out a clear procedure for employees to follow in the event of a data breach.

A DBRP can mitigate the harm to an organisation if a data breach were to occur. It allows you to respond quickly and take appropriate remedial action to limit the scope of the breach and the harm caused to affected individuals and to the organisation. It can also contribute to building public trust and help you meet your obligations under the Privacy Act.

There is no prescribed form for a DBRP. Each DBRP must be adapted to the unique circumstances of your business. However, the OAIC has provided recommendations on what a DBRP should cover, including:

  1. Identification: A definition of what a ‘data breach’ is, so staff can recognise one.
  2. Strategy: A process for dealing with a data breach, with the following steps:
    1. Contain: Outline the immediate action to be taken to stop the breach and limit further loss or disclosure.
    2. Assess: Consider the scope of the breach, the information involved, the likelihood of serious harm and what next steps are appropriate.
    3. Notify: If it is an ‘eligible data breach’, notification must be given to affected individuals and the OAIC in accordance with legislative requirements.
    4. Review: Determine what caused the breach and implement procedures to prevent it from recurring.
  3. Staff: The roles and responsibilities of staff when a data breach occurs, including who decides whether a breach is notifiable.
  4. Documentation: Record-keeping procedures so that all data breaches, including those assessed as not notifiable, are recorded.
  5. Review: Procedures to analyse how staff responded and to prevent the data breach from recurring.

It is important for all entities subject to the Privacy Act to have a clear DBRP in place to reduce the significant harm, and the exposure to civil penalties, that can result from a mishandled data breach.

If this applies to your organisation, please talk to PBL Law Group about drafting a DBRP.



Authored by

Raea Khan

Director Lawyer


Raea is Managing Director and Principal Lawyer for PBL Law Group. Raea assists clients with major projects, property developments, construction and strata law.

He has worked in Western Australia and Queensland assisting with expansion projects in the energy and resource sector and now predominantly advises clients in strata and community association matters.

He is a member of the Australian College of Strata Lawyers, and the majority of his work is advising developers and owners corporations on disputes relating to minor and major defects, strata governance and common property litigation. He is proficient at leading negotiations and meetings.

Raea has a particular interest in the commercial aspect of any dispute and always tries to weigh up the risk, reward and benefit of legal proceedings at each different stage.

Raea enjoys all forms of competitive sport, including CrossFit, and actively participates in triathlons, representing Australia as an age group athlete. He was a member of Red Head Surf Lifesaving Club.

  • Strata Law
  • Construction & Major Projects
  • Commercial and Business Law
  • Planning & Environment Law