Maddocks privacy and cyber partner: Data is business uranium

On Privacy Awareness Week, Sonia Sharma debunks a major myth about privacy protection

Maddocks privacy and cyber partner: Data is business uranium

Businesses today hold uranium in their hands in the form of data, and they need to be very careful about mishandling it lest it turn toxic.

In the first part of this interview, Maddocks privacy and cyber partner Sonia Sharma chats to Australasian Lawyer about upcoming changes in privacy law, debunking a major privacy protection myth businesses buy into, and the biggest takeaway she is expecting from this year’s Privacy Awareness Week.

In this day and age, why is privacy awareness so important for businesses?

Cybersecurity and privacy risks have been identified as top concerns for boards and business executives – and with good reason. It has been said that data is no longer business gold – it's uranium. Powerful and valuable but risky to hold, and toxic if it is mishandled.

It’s been reported by the Australian Government that a cyber breach happens every six minutes in Australia. We’ve seen the huge cost of large data breaches for businesses, such as with Optus, Latitude and Medibank, both for the organisation and its consumers. With Australia now considered a ‘soft target’ globally, the stakes are higher than ever. From a legal standpoint, businesses who are captured by the Privacy Act also need to be aware of their privacy obligations under the Act and the 13 Australian Privacy Principles (APPs), or face penalties of more than $50m for serious or repeated breaches.

We are also expecting changes to privacy laws this year, and organisations are being warned to prepare ahead of time by understanding their current data holdings and compliance maturity. At the end of the day, personal information is ‘personal’. It impacts real people. So while legal and regulatory exposure is higher than ever before, digital trust is critical for all businesses. The reputational and stakeholder impacts can be significant. Businesses simply cannot afford to not actively manage privacy in the current environment.

What is the biggest myth about privacy protection that you’d like to debunk?

That privacy is purely an IT problem or that security controls will protect personal information! This is important but nearly all data breaches or privacy issues involve a human. Everyone in the organisation, from your CEO to the receptionist, should be taking privacy seriously. As the OAIC states, a leadership commitment to a culture of privacy is a foundation for good privacy governance. We see it time and time again, good privacy governance can improve business productivity and help to develop more efficient business processes.

Good privacy governance will also help you manage both the risk of a privacy breach and your response should one occur. Personal information is one of your most valuable business assets and your people and culture are key to digital trust and safeguarding personal information.

As a lawyer, what is the biggest takeaway you want people to get from Privacy Awareness Week?

Don’t get caught out! Be prepared and have a plan. The theme of PAW ‘24 focuses on transparency, and accountability and security of data in the face of evolving technologies such as AI and data sharing. I want to see organisations use this time to take stock of their privacy practices to ensure they have appropriate safeguards in place, understand their gaps and have a plan for addressing them.

This goes beyond mere legal compliance: it's about meeting the expectations of the community, including consumers and your own employees. It’s about taking a privacy as a priority approach and taking a privacy by design approach, and thinking about issues before they arise. Once you have a clear plan and your people are on board, you improve your resilience and it becomes less overwhelming.