IT Brief Australia - Technology news for CIOs & IT decision-makers
Privacy resilience: Why compliance alone won’t cut it in 2025

The theme of Privacy Awareness Week 2025 – Privacy: It's Everyone's Business – is a timely reminder that protecting personal information is not just the job of privacy professionals or IT departments. It's a shared responsibility across all sectors of society. The flip side? If it's everyone's business, then no one can treat it as someone else's.

This means privacy can no longer be viewed as an isolated function. It must be embedded into every part of the organisation, from boardroom strategy to day-to-day decision-making. And while policies and procedures remain important, true privacy resilience is built from the ground up. It requires aligned governance, risk awareness, training and, most importantly, culture.

Traditionally, many organisations viewed privacy compliance primarily through the lens of the Office of the Australian Information Commissioner (OAIC). While the OAIC plays a key role in privacy oversight, it has limited resources and funding. That doesn't mean the risk of regulatory action is low. On the contrary – privacy and cyber risks are expanding far beyond the OAIC's remit, and multiple regulators are stepping into the space.

We are now seeing increasing regulatory convergence. As technology integrates more deeply into how we live and work – and as surveillance becomes embedded in both corporate and government systems – regulators are responding with coordinated, multi-disciplinary enforcement. Privacy is no longer siloed. It is a legal issue, a cyber issue, a governance issue – and increasingly, a financial and prudential issue.

The Australian Securities and Investments Commission (ASIC) has launched several enforcement actions against Australian Financial Services Licence (AFSL) holders for failing to meet their cybersecurity obligations. These cases often intersect with obligations under the Privacy Act, particularly Australian Privacy Principle 11, which requires entities to take reasonable steps to protect personal information from misuse, interference and loss. ASIC's court documents clearly set out what it considers "reasonable steps" – and those expectations are rising.

The Australian Prudential Regulation Authority (APRA) has also weighed in, particularly through Prudential Standard CPS 234. This standard imposes strict obligations on regulated entities to maintain information security and manage third-party risk, especially when outsourcing data handling. The implications extend across the supply chain. If your organisation handles sensitive data – or supports another business that does – you may be required to meet heightened information security obligations under contract.

There is a clear trend toward greater regulatory collaboration. Where a data breach or poor security practices raise compliance concerns across multiple regimes – privacy, financial services, corporate governance – regulators are increasingly sharing information and coordinating their response. This means businesses may be subject to investigation or enforcement not just by the OAIC, but by whichever regulator is best placed to act.

At the same time, broader societal shifts are transforming the privacy landscape. Biometric surveillance in public spaces, real-time employee monitoring, and AI-driven data profiling are becoming more common. These developments are triggering more robust regulatory scrutiny, and rightly so. Privacy is no longer just about data protection – it's a frontline issue for public trust, governance and accountability.

For business leaders, the message is clear: it's time to reassess your organisation's privacy and cyber risk posture. A narrow focus on ticking boxes under the Privacy Act is no longer enough. A privacy-by-design approach helps reduce risk, protect data, and build lasting trust with customers and stakeholders. But it also strengthens your position in a more complex regulatory environment.

At Holding Redlich, we help businesses build privacy resilience that goes beyond compliance. We work with businesses to review their risk appetite, strengthen governance frameworks, and embed privacy into everyday operations – from procurement to product development, and from frontline training to board reporting. By aligning privacy, cyber risk and technical strategy, organisations can respond more confidently to rising regulatory expectations and evolving threats.

In 2025, privacy really is everyone's business – and the most resilient organisations will be those that treat privacy not just as a legal obligation, but as a foundation for trust, reputation and long-term value.
