‘Compliance’ is dead. Long live compliance! VPDSS 2.0

Andrew Robinson

January 20, 2020


Your department and the looming VPDSS reporting deadline. 

Well…it’s almost been 2 years. OVIC are asking ‘what have you done for me lately?’. 

2019 ended with a significant update to the Victorian Protective Data Security Standards (VPDSS), now known colloquially as VPDSS 2.0. 

It brings into sharper focus the need to assess the impact of the changes across your organisation and to have adequate information and assurance. 

Here’s the fun part! You’ll need to provide a copy of your reporting to the Office of the Victorian Information Commissioner (OVIC) by 31 August 2020…Tick tock! 

Heads up: The Subtle Changes. 

Taking a look, we can see how it’s been simplified. OVIC has reduced the number of Standards from 18 to 12, as well as cutting the number of associated Elements from 117 to 95.  

OVIC have also used crisper language, free from the shackles previously imposed by legacy ‘must’ and ‘should’ statements. Compliance is dead. Long live… risk management!  

Sidenote: compliance is not dead…ahem. 

Certainly, compliance is still necessary and apparent but is thankfully no longer used as a driving force for the adoption of arbitrary security controls. You determine what is applicable and what is not.

Keen to get started already? Click here for your free trial! …or keep reading 🤓

Good Controversy: The Dramatic Changes 

OVIC has raised the bar, as any good regulator should, by lifting the VPDSS Elements up from a supporting document and into the standards themselves. 

We think this is somewhat controversial, as it appears to make the VPDSS more prescriptive: it takes away some of the flexibility for Victorian departments/agencies to adopt an alternative (i.e. a more mature and stable control framework) to achieve the same – or indeed better – outcomes.

But wait, there’s more. The increased emphasis on the VPDSS Elements continues, with updated Protective Data Security Plan (PDSP) reporting. Instead of a high-level summary for each of the 18 standards used previously, you will need to assess (and provide) the status of all 95 Elements… by 31 August 2020…surprise!

Oh, don’t forget to prepare a Security Risk Profile Assessment (SRPA) that supports the PDSP you submit to OVIC. You can find the requirements for an SRPA and PDSP in the Victorian Privacy and Data Protection Act (2014). That’s the compliance bit that remains steadfast. 

Don’t worry, it’s good news!

We’re happy that the reporting against VPDSS Elements is very much the equivalent of a Statement of Applicability (SOA) used by industry for ISO/IEC 27001 and by the Australian Government in its information security assessments. That’s a good thing in our book! It makes the uplift workable. 

Here’s how to make your VPDSS task easier…much easier. 

We’re here to help. Our combined assessment and management system functionality will help you continually improve over time. 

With 6clicks, you can quickly and easily perform assessments of compliance against the VPDSS 2.0 (95 Elements) internally or of third parties. 

Assessment can be conducted by your own organisation or by working collaboratively with any number of Service Providers (consultancies) that now choose 6clicks when performing assessments for you. 

Use of a service provider can help bring independence, expert opinion and credibility to your assessment of compliance. 

Our platform can also help you:

– Record your information assets and classifications,

– Create risks and treatment plans,

– Report progress of control implementation and security incidents and issues, including assessment results, and you can even

– Translate between the VPDSS and other frameworks such as ISO/IEC 27001.

Grab a free trial account below. We’re happy to help make this easier.