In reality, while rules and requirements about how to handle
data don’t automatically make your data safe, they’re necessary. What’s needed
can vary depending on the type of work you do, where you are, and how your
organization is set up.

If your company has personal information about employees or
customers, it probably has to follow the Privacy Act 1988 and rules about data
breaches. There can also be international rules to think about, especially if
you’re dealing with people in different countries. For instance, Australian
businesses that work with the European Union (EU) or have data from EU citizens
must follow the General Data Protection Regulation (GDPR).

And if your organization takes credit card payments or
handles credit card data, it must meet the Payment Card Industry Data Security
Standards (PCI-DSS). If you use Experian data, you have to agree to their
security assessment called Experian Independent Third-Party Assessment (EI3PA).

Running a Business Impact Assessment (BIA) helps your
organization understand what rules it should be following. It’s a way to
identify possible weak points and threats.

The information you get from the BIA also helps your
organization create plans to reduce three kinds of risks: problems with daily
operations, damage to your reputation, and legal issues related to rules and
compliance.