Stefanie Luhrs
Clyde & Co
Stefanie Luhrs advises professional services firms in relation to their data protection and privacy obligations and acts for a number of Australian and international cyber insurance on incident response and coverage issues. Stefanie also specialises in defending both litigated and non-litigated claims, and complex multi-party disputes acting for a range of professionals and organisations.

TUTORIAL: A Tangled Web - Navigating Mandatory Notification, the GDPR, Data Protection and Privacy Laws

Over the past 12 months, privacy and data security have become an increasingly greater compliance challenge for organisations due to the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (the Data Notification Law) which comes into force on 22 February 2018, the existing Privacy Act 1988 (Cth) (the Privacy Act) and significant international laws including the EU General Data Protection Rules.

Many organisations fail to appreciate that the Data Notification Law provides the means by which Australian regulators can assess and investigate a company's overall compliance with their data security, collection, retention and privacy obligations. For these reasons it is important that organisations understand the wide reaching impacts of Australia’s privacy laws, and the extent to which international laws can impose added compliance costs and financial burden.

This tutorial will examine the Data Notification Law, organisations' data security and privacy obligations under both federal and state privacy and data protection laws (including the Privacy Act, the Information Privacy Act 2009 (Qld), the Privacy and Data Protection Act 2014 (Vic) and the Privacy and Personal Information Protection Act 1998 (NSW)), the EU's General Data Protection Regulation (GDPR), key United States and Canadian privacy laws and the ways in which organisations can be exposed to both local and cross jurisdictional regulations for data privacy and security.

The tutorial will also provide practical guidance for how to ensure readiness and compliance with the relevant laws, and provide insights into frameworks that organisations can adopt to better manage these legal obligations and reduce their risk profile.

It is anticipated that the tutorial will cover the following topics:

(a) A brief explanation of the threshold requirements of the Data Notification Laws, the EU's General Data Protection Regulation (GDPR), as well key United States and Canadian laws that have potential cross jurisdictional application;
(b) How the Data Notification Law works within the existing Privacy Act;
(c) Examining other key state and federal statutory requirements relating to the protection and storage of data at each stage of the information lifecycle such as under the Information Privacy Act 2009 (Qld), the Privacy and Data Protection Act 2014 (Vic) and the Privacy and Personal Information Protection Act 1998 (NSW);
(d) Understanding key risk areas where cross jurisdictional liability can arise;
(e) Practical steps organisations can take to ensure compliance with their legal and regulatory obligations and guidelines for developing internal processes to manage the Data Notification Law;
(f) Practical examples and case studies drawn from real world experience; and
(g) A question and answer session.
The aim of the tutorial is to improve the audience's understanding of the growing web of legal and regulatory obligations they face to protect and manage data. The tutorial will provide guidance on compliance with privacy and data protection laws and recommend steps for organisations to manage these obligations and improve internal compliance processes.