IT Brief Australia - Technology news for CIOs & IT decision-makers

AI and data breaches force new approach to privacy

Wed, 28th Jan 2026

Australian businesses are under pressure to overhaul how they manage data as privacy breaches rise and artificial intelligence reshapes information risks, according to industry executives marking Data Privacy Day.

Data from the Office of the Australian Information Commissioner (OAIC) showed 532 notifiable data breaches in the first half of 2025, each incident affecting an average of more than 10,000 individuals. Privacy specialists say that volume highlights structural weaknesses in the way organisations store and govern information.

Garry Valenzisi, Vice President, Australia at information management firm Iron Mountain, said many organisations still retain large volumes of unmanaged data that increase their exposure to cyber incidents and regulatory scrutiny.

"As we enter 2026, Australian organisations face a data landscape shaped by intensifying cyber threats and ongoing regulatory scrutiny. Data Privacy Day presents a strategic checkpoint for boards and executives to demonstrate accountability and show a mature, end-to-end approach to information governance," said Valenzisi.

Drew Bagley, Vice President and Counsel, Privacy and Cyber Policy at CrowdStrike, said the relationship between privacy and security is becoming more tightly linked as data volumes grow and AI tools spread through organisations.

"Data Privacy Day is a reminder that privacy and cybersecurity rise or fall together, and those strategies must always be aligned. With AI becoming embedded across the enterprise and driving workflows, and constant data movement, we almost take for granted the new paradigm for access to and sharing of data. But real protection depends on visibility, privacy by design, and resilience that operates in real time," said Bagley.

Valenzisi said recent OAIC indicators underline the link between poor information governance and rising breach risk.

"The latest indicators from the Office of the Australian Information Commissioner (OAIC) underscore the importance of this matter. In the first half of 2025 alone, organisations reported 532 notifiable data breaches, with an average of over 10,000 individuals affected per cyber incident. These trends expose a simple truth: privacy risk grows in proportion to the volume of unmanaged, unclassified, and obsolete data that organisations continue to store," said Valenzisi.

He said 2026 would mark a shift in how boards approach security.

"For corporate Australia, 2026 will be defined by organisations that move beyond perimeter security to governance across the entire information lifecycle - from creation, to secure, irreversible disposition. With unstructured data now representing the bulk of enterprise information, organisations must be able to identify what they have, where it lives, and who is accessing it," said Valenzisi.

Both executives pointed to the growing impact of AI on privacy obligations, as organisations feed more information into large language models and other systems that process sensitive content.

"The rapid convergence of AI and information governance is expanding the scope of privacy obligations, requiring organisations to manage not only where data resides, but the access provided to AI models to use, transform and derive insights from it. Without this visibility, businesses risk feeding sensitive information into large language models (LLMs), retaining private data past its lawful life, and exposing themselves during audits, litigation, or cyber incidents," said Valenzisi.

Bagley said AI adoption and constant data movement demand a renewed focus on basic disciplines such as visibility and privacy by design. He warned that organisations may underestimate how much information now flows across systems and vendors as digital projects advance.

Valenzisi said boards, chief information security officers and data leaders are converging around three priority areas as they seek measurable improvements in privacy risk.

Lifecycle focus

"Three areas are emerging as priority focus points for boards, CISOs, and information leaders as organisations look to translate privacy commitments into practical, defensible action:

Information Governance & Retention: Organisations are moving toward defensible retention schedules and policy‐to‐practice execution, supported by automated retention and lifecycle controls. This shift reflects a broader recognition that privacy maturity depends on consistently reducing unnecessary data exposure.

Digital Transformation & Secure Storage: Leaders are prioritising better control, discoverability and classification to reduce data sprawl and ensure sensitive information is surfaced, protected, and governed appropriately across hybrid environments, from legacy paper archives to cloud repositories.

Defensible, Irreversible Destruction: There is growing emphasis on certified, auditable destruction of paper, media, and IT assets. As cyber risk intensifies, organisations increasingly treat the removal of redundant high‐risk data as a core security and privacy control that directly reduces their attack surface," said Valenzisi.

Reducing ROT

Industry specialists describe redundant, obsolete and trivial information, often referred to as ROT data, as a persistent source of risk and cost. They say this material can sit across legacy systems, back-up stores and personal drives long after its useful life has ended.

"This combined approach strengthens privacy posture and tackles one of the biggest drivers of organisational risk: redundant, obsolete, and trivial (ROT) data. Removing ROT decreases breach exposure, lowers storage and e‐discovery costs, and prevents sensitive information from lingering beyond its legitimate business use," said Valenzisi.

He said tighter control of ROT also links privacy work to AI strategies, because organisations need cleaner data foundations before they feed information into generative tools.

"The result is straightforward: less information at risk, a stronger compliance footing, and greater confidence for customers and regulators. It also builds the foundation for AI readiness by ensuring sensitive data is properly classified, redacted, and governed before entering any generative or analytical workflow," said Valenzisi.

Board metrics

Executives expect boards to treat information governance as a core measure of resilience and trust during 2026. They say this will require closer alignment between legal, risk, technology and business functions.

"Data Privacy Day 2026 signals a shift in expectations: privacy and resilience have become definitive board‐level metrics. Organisations that manage information across its full lifecycle, from creation, classification, retention, and secure disposition, will be best equipped to protect customers and preserve enterprise value," said Valenzisi.