New data privacy regulations are landing with tight deadlines, leaving businesses scrambling for practical solutions. While legal teams focus on interpretation, operations teams need actionable strategies that work in the real world.
We brought together privacy law specialists, compliance consultants, and business leaders who’ve successfully implemented rapid privacy transformations to discuss what actually works. Their conversation reveals that effective compliance isn’t about perfection from day one; it’s about smart prioritisation and building adaptable systems.
From automated data mapping tools to staff training shortcuts, our panel shares the practical insights that help businesses move from panic to compliance quickly and sustainably.
Madeleine Porter, Legal Industry Expert (APAC), iManage
“The Privacy and Other Legislation Amendment Act 2024 (Cth) has introduced new requirements for Australian businesses about the protection, handling and management of personal data.
“If you’re a business owner, managing partner, or executive trying to navigate the new data privacy rules, there are some steps you can take to help with adherence.
- Familiarise yourself with the Privacy and Other Legislation Amendment Act 2024, focusing on the Australian Privacy Principles (APPs) and new data handling requirements.
- Conduct a data audit to identify necessary adjustments for compliance.
- Update privacy policies regularly to reflect legislative changes, ensuring clarity on automated decision-making and overseas data transfers.
- Establish technical and organisational safeguards, including encryption and access controls.
- Train and educate employees on new data privacy rules and compliance responsibilities.
- Establish a Breach Response Plan for timely notifications of data breaches as per the Notifiable Data Breaches (NDB) scheme.
- Consult with the Office of the Australian Information Commissioner (OAIC) for compliance guidance and to understand enforcement mechanisms.
“Non-compliance with the new regulation can be damaging to a business. Therefore, if you find yourself struggling to implement the new rules, seeking support from trusted advisers can help.”
Christine Low, Head of Observability, APAC at Splunk
“You can’t comply with privacy rules if you can’t trust your data. The fastest path to compliance starts with having reliable and accessible data. In today’s hybrid environments, where data is sprawled across on-premise, cloud and third-party platforms, traditional policy-driven approaches simply aren’t enough.
“Compliance starts with visibility. If you can’t see your data – where it lives, who has access and how it flows – you can’t protect it, govern it or meet compliance requirements. Instead, forward-looking businesses are turning to real-time observability, data federation and data lifecycle management. These practices give teams the control they need, without slowing them down. Teams are able to avoid data clutter, limit access to the right people, retain only what’s necessary, and even enhance team collaboration.
“When your data is in order, compliance becomes easier and far less painful. You also gain the added benefit of being more digitally resilient, more agile and better prepared when something goes wrong.”
Garry Valenzisi, Vice President & General Manager, Iron Mountain APAC
“For small businesses, customer data is more than just information; it’s a responsibility. Recent reforms to Australia’s Privacy Act highlight the growing importance of protecting personal data, not only to meet legal obligations but to maintain customer trust.
“The quickest way to comply isn’t through temporary fixes, but by embedding privacy into everyday operations. Start by reviewing how your business collects, stores, and uses data. Identify gaps and clean up legacy systems to remove outdated or unnecessary content. Consider using tools that automate data classification, redaction, and secure storage; these can help streamline this process and reduce risk.
“With the Office of the Australian Information Commissioner (OAIC) now holding stronger enforcement powers, good data management must become part of your business culture. This means training staff on safe data handling, securing remote work environments, and ensuring sensitive information is only accessible through trusted channels.
“Compliance isn’t a one-off task; it’s an ongoing commitment. By investing in smart, scalable data practices, businesses of all sizes can meet regulatory requirements, protect customer relationships, and stay competitive in today’s digital-first economy.”
Lyn Nicholson, General Counsel, Holding Redlich
“While it may sound obvious, the first step is to invest time in understanding your obligations, then act on them. The Office of the Australian Information Commissioner (OAIC) offers a range of free resources to support SMEs, including a new privacy assessment tool that organisations can use to evaluate their privacy maturity and develop a roadmap to uplift processes.
“Importantly, SMEs now face fines for technical breaches, including where a privacy policy fails to include all the information required under Australian Privacy Principle (APP) 1.4. To be compliant, your policy must clearly state what personal information your business collects and holds, how that information is obtained and stored, and the purposes for which it is used and disclosed. Your policy should also explain how individuals can access and correct their personal information, how they can lodge complaints about a breach of the APPs or a registered APP code (if any), and how those complaints will be handled. Where personal information may be disclosed to overseas recipients, the policy should also specify, if practicable, the countries where those recipients are likely to be located.
“Finally, ensure your internal processes support the statements made in your privacy policy.”
Lecio De Paula, Vice President of Data Protection at KnowBe4
“Compliance with new data privacy rules doesn’t begin with technology; it begins with people. While technical safeguards are essential, they’re only part of the equation. The real differentiator is a strong, organisation-wide culture of security awareness. Too often, businesses respond to new regulations by deploying tools or updating policies, but they miss the mark if they overlook the human layer, where many privacy risks actually originate.
“Rather than just checking boxes, it’s an opportunity to drive lasting behavioural change. Building a privacy-first mindset means going beyond annual trainings and embedding security awareness into the daily rhythm of the organisation. When employees understand how their decisions impact data privacy, they become active participants in protecting sensitive information.
“It’s not a one-time milestone but an ongoing journey. By equipping people with the knowledge and tools to reduce human error and recognise risks in real time, organisations can not only respond faster and adapt more confidently, but also meet compliance requirements in a meaningful, sustainable way.”
Lauren McKee, Practice Leader, LegalVision
“To comply quickly with the new data privacy rules under the Privacy and Other Legislation Amendment Act 2024, focus on these immediate actions:
- Update Privacy Policies and Procedures
Revise your privacy policies to reflect the new amendments. The OAIC now has enhanced enforcement powers, including the ability to issue penalties, and individuals can sue for serious privacy breaches from June 2025.
- Assess if Your Business Serves Children
If your business serves children, prepare for the upcoming Children’s Online Privacy Code, which will apply to platforms like social media, gaming, and websites accessed by minors.
- Review Automated Decision-Making Systems
Check automated systems that significantly impact individuals (e.g., loan approvals, insurance decisions). You have until December 2026 to implement transparency measures for these systems.
- Train Your Staff
Ensure your team understands the new obligations and is prepared for further reforms. Future changes may include expanded definitions of personal information, new rights (e.g., data erasure), and stricter marketing rules.
“These initial changes are just the beginning. Use this time to build a strong privacy framework that can adapt to more extensive reforms ahead.”
Brett Chase, Senior Director, Sales Engineering, ANZ, Cohesity
“How personal information is collected, stored, and managed by organisations will come under tighter scrutiny as Australia’s new federal privacy legislation comes into effect. The reforms, which bring stronger individual rights like the right to erasure and stricter consent requirements, come with significantly increased penalties for serious breaches.
“However, the quickest path to compliance is not simply a matter of updating policies. It requires a clear understanding of where sensitive data resides, how it is accessed, and how it is protected. As part of this, businesses must strengthen their data infrastructure with platforms that support real-time classification, enforce access controls, and enable rapid recovery in the event of a breach, all of which are essential under tighter reporting obligations.
“Beyond meeting regulatory requirements, this is an opportunity to embed privacy by design into core data management and security practices. Doing so not only reduces risk and operational complexity but also builds trust and unlocks long-term value from data in a way that is both responsible and resilient.”
Tony Burnside, SVP and Head of APAC, Netskope
“No organisation should have to comply with cybersecurity or data privacy regulations ‘quickly’. Quick is the enemy of good, and rushed cyber or data security upgrades are usually strategically, technically or financially flawed, and not built for the future. This is a field where anticipation is key, and businesses should always aim to be one step ahead of the standards required by regulations.
“With that said, cloud-based security platforms, which consolidate key cyber and data security tools under a single umbrella, have emerged in recent years, and made security upgrades and compliance much easier. Because they are cloud-based, security vendors are the ones responsible for continuously improving the cyber and data security standards offered by their platforms, and ensuring they comply with the toughest regulations to allow highly regulated organisations to use them. The on-boarding and deployment don’t require hardware or complex integrations with existing IT architectures, as the platform is deployed at the edge. They are a relevant option for organisations needing quick, and most importantly, future-proof security and compliance.”
Kirsten Bromley, Head of Privacy, APAC, GBG
“An efficient way to comply with Australia’s evolving data privacy rules is to focus on clarity and strong fundamentals.
“One suggestion is to start with a comprehensive data audit: map what personally identifiable information (PII) you collect, where it’s stored, and who has access to it. This applies regardless of business size. Update your privacy notices so they’re clear, easy to understand, and reflect real-life data flows, not just legal theory. For smaller organisations, a straightforward privacy policy backed by practical controls (like role-based access, regular training, and a clear data breach response plan) makes compliance achievable.
“Importantly, privacy is not just a compliance task for IT or legal. Employees and suppliers need to understand their responsibilities, both to prevent breaches and to foster a culture where privacy is central to business values. Embedding privacy in daily operations builds resilience and earns trust in a fast-changing threat landscape. Treating personal data as an asset, with respect, transparency, and care, will help you keep pace with legal expectations while strengthening your business for the long haul.”
Teresa Sperti, Founder and Director at Arktic Fox
“Australian marketers are grappling with significant maturity gaps, underutilised tech, restructures and talent woes against a backdrop of massive AI disruption and economic upheaval.
“Our latest Digital, Marketing & eComm in Focus 2025 report in partnership with Six Degrees Executive highlighted a widening gap between leading organisations in areas of data and analytics vs laggards. Alarmingly, only four-in-10 leaders agreed their brands have clear plans to evolve in line with proposed Privacy Act changes. And, despite growing investment in first-party data strategies, half of all surveyed leaders (53 percent) acknowledged that their brand’s capability in customer and first-party data strategy is lagging in the market. Identity resolution, considered a key pillar of enhancing the resolution of customer data, remained a low priority, with only 25 percent pressing it as a key area of investment.
“So, there is a disconnect between ambition and realisation. Data activation and opportunity identification have to be built as capabilities if brands are able to really mature in their customer data strategy and privacy endeavours.”
Kumar Mitra, Executive Director, CAP & ANZ, Lenovo Infrastructure Solutions Group
“Compliance isn’t just a legal mandate – it’s now a critical function of enterprise resilience. As organisations handle increasing volumes of sensitive data across public clouds, private data centers, and edge locations, it’s clear that privacy cannot be bolted on. It must be architected in.
- A hybrid infrastructure setup gives businesses the flexibility to control where and how data is stored, processed, and protected – which is essential in a climate of evolving privacy requirements. This is further strengthened by Hybrid AI, where workloads run across trusted environments that align with security and regulatory needs.
- AI itself is becoming a double-edged sword – both a source of innovation and a potential risk. That’s why we advocate for an AI-ready infrastructure that not only supports modern workloads but also builds in governance, transparency, and control from the ground up.
- Cyber resiliency ties it all together. By designing systems that are secure, recoverable, and compliant by default, organisations can move fast – without compromising trust.
“In this landscape, it’s not just about responding to new privacy rules, but about building a foundation that lets you adapt continuously and confidently.”
Wade Weirman, Principal Data Lead ANZ, Rackspace Technology
“With data privacy under growing scrutiny, complying with regulations is more than a legal formality; it’s central to building resilient, data-driven organisations. The most effective way to meet new requirements begins with a shift in mindset: collect less, but manage it more deliberately. Adopting minimal, purpose-driven data practices reduces risk and builds customer trust from day one.
“Clarity is equally essential. Privacy policies should clearly explain how data is used, shared, and processed, particularly in the context of AI and automation. Customers have a right to understand these practices, and regulators expect full transparency.
“Organisations committed to privacy embed it throughout their operations. This includes appointing a dedicated privacy lead, ensuring teams are upskilled, and monitoring high-risk areas like large-scale data processing or handling information about children. These considerations are now standard practice.
“The next step? Long-term readiness. This means having robust security, clear consent and access protocols in place, and ensuring your systems are always audit-ready. The OAIC expects more than good intentions; it expects verifiable action.
“Data privacy is not a one-off task. It reflects a broader commitment to governance, ethics, and operational excellence. Done well, it doesn’t merely ensure compliance, but it contributes to competitive advantage and long-term resilience.”
Sarah Richardson, Founder and Director at Australian Loyalty Association (ALA)
“The fastest route to compliance is treating data privacy as the foundation for customer trust and loyalty.
“Breaches at Optus, Medibank and Qantas have put data governance under a national spotlight. Consumers are asking tougher questions about how their personal information is collected, stored and used, particularly within loyalty programs where first-party data drives personalisation. These insights that elevate loyalty can also heighten risk if not managed responsibly.
“The Australian Loyalty Association is committed to helping brands get privacy right. We exist to educate, advocate and support best practice across the loyalty sector. At our recent Asia-Pacific Loyalty Conference, data privacy and AI dominated the conversation.
“Our panellists agreed there’s no shortcut to compliance. Dean Maidment, CEO and Chief Privacy Officer at Taguchi and Advisory Board member at ALA, said: ‘The fastest way to comply with the new legislation is to ensure you have legal advice tailored to your specific business. While it’s essential to meet current legal obligations, it’s just as important to prepare for the changes ahead. Privacy law is a complex and rapidly evolving field. Failing to prepare properly can expose your business to significant risk.’
“Veronica Scott, Partner at Pinsent Masons agreed, saying: ‘Compliance is foundational to a loyalty program. Key steps are knowing the personal data you collect, meaningful member consent and choice, which includes transparency and finally, robust data security.’
“By aligning loyalty programs with responsible data practices, you can deepen customer relationships for the long term while staying ahead of privacy regulation.”
Jonathan Reeve, Vice President, Asia Pacific at Eagle Eye
“If your business is approaching compliance reactively and waiting for legal updates before acting, then it could be too late.
“For retailers, the safest route to privacy compliance is through operationalising consent across all customer touch-points. In other words, have systems in place that don’t just collect consent, but enforce it dynamically in every customer interaction.
“At Eagle Eye, our operations are certified under global security frameworks that ensure customer data is handled with care, transparency and control. This means our clients in the retail, travel and hospitality sectors can rely on us to support their compliance efforts without needing to bolt on extra tools or processes.
“Our AIR platform is designed with data security at its heart. Our advanced data model for personalisation, the AIR Wallet, ensures customer preferences are updated in real time across all touchpoints. If someone changes how they want their data used, or opts out of a program, it’s reflected instantly. It is this kind of responsiveness that is key to building trust and staying ahead of the rules.
“Compliance is both a data and delivery issue. If your tech can’t act on what your customers decide, you’re exposed. Retailers who invest in responsive, execution-ready infrastructure will not only move faster but stay ahead of future privacy expectations.”
Terry Maiolo, VP & General Manager for Asia Pacific at OVHcloud
“While the responsibilities of data management, privacy and compliance can feel overwhelming, it is a critical consideration for businesses of all sizes in today’s digital world. It is important to build a positive compliance culture around privacy to make good data management a part of day-to-day operations, rather than a one-off task.
“When looking at today’s data privacy rules and compliance requirements, a smart first step is to understand the rules that apply to your business. Often, factors like your industry, where your customers are located, and how you handle personal data will mandate your privacy requirements, and the governance practices you will need to follow. Once identified, you can translate those requirements into clear, practical policies that your team can understand to make compliance practices easier.
“A trusted, data-sovereign cloud provider can reduce the burden of self-directed or managed compliance, helping businesses respond more quickly to new requirements. Look for providers that support recognised privacy and security standards, so that you are not starting from scratch.
“In a digital-first world where trust is earned through transparency, businesses that embed privacy into their everyday operations and partner with trusted cloud providers, will be best placed to meet evolving privacy regulations with confidence, resilience and speed.”
Asad Rathore, Head of Professional Services Cyber Security and AI Consulting at Excite Cyber
“Australia recently enacted significant reforms to its privacy laws, strengthening data security and retention obligations around personal information. Compliance isn’t a checkbox exercise. It is cultural and requires whole-organisation responsibility from the boardroom down.
“Organisations should test systems and simulate cybersecurity breach scenarios that are tailored to the specific risks their organisation may encounter. This will uncover blind spots, identify vulnerabilities, and assess how the organisation would respond to comply under the new rules. The lessons learned will help detect issues and support better compliance.
“But remember, you can’t secure what you can’t see. Now is the time to have visibility of all personal and sensitive data wherever it resides. Data sprawl, where information is retained in legacy systems, cloud applications or on end-user workstations, must be uncovered and removed if it’s no longer required or can’t be adequately secured.”
Billy Loizou, Area Vice President, APAC at Amperity
“Customer data challenges like fragmentation, poor quality, and identity confusion have long undermined marketing performance and business agility. But AI is shifting the equation—making it possible to make sense of messy data and unify it with greater accuracy.
“The fastest way to keep pace with evolving privacy regulations in ANZ and beyond is by turning first-party data into a reliable identity foundation. When businesses understand who their customers are, what they want, and how they engage—while respecting consent and control—they’re better positioned to comply and compete.
“Identity resolution is emerging as one of the most effective responses to both data complexity and regulatory pressure. Amperity leads in this space with the industry’s first identity resolution agent, designed to help data teams unify fragmented records into a single, trustworthy view. With consent mechanisms embedded in the process, brands can personalise at scale—without compromising privacy.
“Amperity builds governance and privacy directly into the platform. From applying policies across all data types to managing consent at the attribute level, brands get a clear, consistent framework for staying compliant—while still unlocking real value from their data.”
Rolf Howard, Managing Partner, Owen Hodge Lawyers
“To quickly comply with Australia’s new data privacy requirements, businesses should prioritise three key impact areas.
“First, immediately review and update your Privacy Policy. This is critical as new penalties apply for inadequate or missing policies. Ensure it clearly articulates what personal information is collected, how it’s used, and details around automated decision-making if applicable.
“Second, conduct a rapid data audit to understand precisely what personal information your organisation holds, where it’s stored, and who has access. This will help identify high-risk areas and unnecessary data retention.
“Third, strengthen data security measures. This includes implementing robust technical and organisational safeguards like encryption, multi-factor authentication, access controls, and regular vulnerability testing. Employee training on data privacy and cybersecurity best practices is also paramount.
“Finally, develop or refine your data breach response plan. With increased enforcement powers for the OAIC (Office of the Australian Information Commissioner), having a clear plan for detection, containment, assessment, and notification of data breaches is essential to mitigate severe penalties and reputational damage.”
Paul Hewett, CEO, In Marketing We Trust
“There’s likely still some time before tranche two of the new data privacy rules drop. And while it’s difficult to prepare for the unknown, there are still a few key steps marketers can take that will likely work in your favour once it does:
- Double down on first-party data. It’s still the best way to maintain visibility and control.
- Adopt server-side analytics. This gives you full ownership of your customer data, which is essential as reliance on third-party tools becomes less viable.
- Train your teams. Too many businesses are still underprepared for the privacy landscape that’s already here. There’s a lot of good training available; I’d recommend looking at ADMA as a great independent resource in the first instance.
- Follow the “pub test”. If your tracking tactics would make a regular person uncomfortable, they probably won’t pass future regulation either.”
Marylyn Sendah, Head of Marketing, TBS Digital Labs
“In marketing, you’re often the de facto gatekeeper of data privacy. Between UTMs, attribution, automations and sequences, data privacy compliance is ever-present with every new build and decision – with or without the marketer’s explicit recognition.
“There are some indicators of compliance; if you’re pushing a platform to do something it wasn’t built to do, you’re probably on shaky ground. And my favourite sense check? If I were an informed customer, would I expect to be communicated with or targeted in this way?
“However, compliance goes far beyond these simple checks. Marketers must be aware of not only the privacy laws in their own regions, but those where platforms are storing their customer data.
“It’s a space where marketers need more training and reminders to stay mindful.
“With smarter AI tools and low-code scraping solutions becoming more accessible, it’s now much easier to build systems that collect and process data at scale. It’s a risky time for marketers when it comes to privacy, especially in teams where the instinct is to build first and ask questions later.
“You have to keep your ear to the ground because you can’t afford not to.”
Nathan Kerr, CTO & Executive Director, One Click Life
“Start by mapping exactly what personal data you collect, use, and store, because you can’t protect what you don’t know you have. Then delete anything you don’t need. The less data you hold, the lower your risk.
“Next, update your privacy policy so it’s clear, accurate, and written in plain English. Forget the legalese; your users (and regulators) want transparency.
“Make sure your team is trained. Most data breaches aren’t about bad tech; they’re about people clicking the wrong thing or sending info to the wrong place.
“And if you’re unsure? Get a privacy consultant involved early. It’s faster and cheaper to get it right the first time than to fix a breach or regulatory mess later.
“Compliance isn’t just a legal box to tick. It’s part of running a trustworthy business.”
Adam Henderson, Partner, Corporate and Commercial at Hicksons | Hunt & Hunt
“Privacy arrangements in Australia have changed significantly with the introduction of the Privacy and Other Legislation Amendment Act 2024. With some of these requirements already in effect and others being gradually introduced, it is essential for organisations to understand these changes to protect customer privacy and prevent potential reputational and financial harm to their business.
“The Act strengthens the enforcement regime, including OAIC’s power to issue direct penalties (up to $3.3 million). It introduced significant amendments that impose stricter penalties on organisations for misusing personal information, deliberately sharing data to cause harm, failing to adequately protect individuals’ data, and lacking transparency in the use of personal information within automated decision-making processes. Now, individuals can take legal action against an organisation for serious invasions of privacy. This makes compliance crucial for Australian organisations.
“To ensure your organisation complies correctly with these regulations, you could consider the following steps:
- Audit current privacy practices: Conduct a thorough review of existing data collection, storage, and processing activities to identify areas for improvement.
- Implement required security measures: Deploy technical safeguards to protect sensitive personal information from unauthorised access.
- Update privacy policies: Revise publicly available privacy statements to accurately reflect current practices and ensure compliance with legislation.
- Train staff on new requirements: Organise regular training sessions to educate employees about their responsibilities.
- Document compliance efforts: Maintain detailed records of all compliance-related activities, including audits, risk assessments, and staff training, to demonstrate accountability to regulators.
“This proactive approach will help organisations avoid penalties while building trust with stakeholders.”
Richard Taylor, Managing Director, Digital Balance
“With Australia’s strict new privacy laws now in effect, a structured action plan is the most efficient way for SMEs to ensure compliance and build customer trust. Rather than reacting to issues as they arise, a proactive approach is key.
“First, conduct a thorough privacy audit. Assess your data collection and storage practices, paying special attention to high-risk areas like AI-driven decision-making, website tracking technologies, and any data related to children.
“Second, implement privacy technology solutions. Purpose-built tools like Consent Management Platforms can streamline compliance, helping to automate transparency and manage user permissions effectively.
“Third, train your teams. Compliance is a shared responsibility. Ensure your marketing, IT, sales, and leadership teams are aligned on the law’s implications to foster a robust culture of privacy awareness across the entire organisation.
“Finally, engage with official guidance. The landscape continues to evolve, so stay informed by regularly consulting the resources provided by the Office of the Australian Information Commissioner (OAIC).
“This four-pronged approach is the quickest way to protect your customers and your business.”
Mitch Colton, Founder and Managing Director, Colton Computer Technologies
“With the new rules, every business MUST have technical defences and organisational governance in place – it’s just not an option to bury your head in the sand and hope for the best. We’re talking regular staff training, policies and procedures in place, no more sharing Excel spreadsheets of information via email or saving them to the desktop. With recent APRA changes, there’s also an expectation to understand how your suppliers approach data privacy and ensure that you choose risk-compliant third-party partners.
“Data privacy can be overwhelming, though, which is why we always recommend using a security standard or framework like SMB1001 or ISO 27001/27701. They essentially give any business a checklist for cyber resilience and a privacy-first approach.
“The recent changes place even greater emphasis on business owners to understand the data they possess, how they manage it, and whether it is adequately secured. Because at the end of the day, it’s not about if you’ll be targeted by a cyber incident, it’s about when.”