The industry speaks: Data Privacy Day 2025

The CDR empowers consumers by giving them greater control over their personal data, allowing them to share it securely with trusted third parties. This is especially important for sectors like non-bank lending (NBL), where the secure sharing of financial data is critical for assessing creditworthiness and offering tailored financial products in circumstances where their licensing structure does not permit access to credit information freely available to those in the banking sector. However, this shift also places a heightened responsibility on organisations to ensure that data is handled with the utmost care and transparency. For businesses, embracing the principles of data privacy is essential to building trust with consumers and ensuring that they can take full advantage of the opportunities that the CDR presents.

Organisations that prioritise data privacy will not only meet the regulatory demands of the CDR but will also establish a competitive edge by fostering deeper relationships with their customers. Businesses need to navigate the evolving data privacy landscape and ensure that the management of consumer data is secure, transparent, and aligned with the expectations of today’s empowered consumers.

Monica Landen
Chief information security officer at Diligent

Data privacy is no longer just a checkbox on a compliance list – it is a cornerstone of trust and a competitive differentiator in the digital age. Safeguarding data is a continuous journey, not a one-time event, and it requires a deep, strategic commitment across an entire organisation.

VIEW ALL

With the rapid rise of artificial intelligence, global espionage, ransomware, and malware, protecting corporate and consumer data has never been more critical. Data Privacy Week is an opportune time for organisations to both reflect on their current practices and strengthen their commitment to data privacy and security.

The theme for 2025, “Taking Control of Your Data”, is particularly relevant as we navigate the complexities of data governance. Compliance with regulations like GDPR is only the starting point – organisations must also foster a culture of privacy and security that spans from the C-suite to frontline employees. Those who embrace this mindset will be better positioned to manage risks, build stakeholder trust, and drive innovation.

However, the work doesn’t end with Data Privacy Week. The evolving cyber security landscape urges organisations to continually innovate and adapt. To stay ahead of emerging threats, companies need the right insights, tools, and frameworks to build lasting resilience.

James Greenwood
Regional vice president, technical account management, at Tanium

Data privacy needs to start with knowing how much data exists within the business, where that data lies, and the access points to that data from the outside. Unfortunately, the majority of businesses don’t have all the answers to these fundamental questions. In fact, Tanium’s research shows 94 per cent of organisations have 20 per cent of their endpoints unknown, leaving a gap of understanding as to the data that could be on those devices. Every unknown endpoint presents an enormous risk to an organisation, but the solutions are not out of reach.

It’s easy for corporate and government leaders to get overwhelmed by the “data dilemma” by trying to address the most complex data, security, and privacy issues all at once. In reality, getting the basic processes and fundamental operations in place will be an organisation’s strongest defence and weapon in securing its data. For example, the Essential Eight is a government framework that should be used by all businesses to ensure they are following cyber security and privacy best practices.

Don’t get distracted by the latest industry trend or news headlines – whether it’s AI, new social media regulations, or the most recent business to be named and shamed for poor privacy practices – and focus instead on upskilling staff, gaining reliable and consistent visibility of all endpoints, and processes that foster good, basic cyber hygiene.

Olly Stimpson
Senior security strategy adviser ANZ at CyberArk

As Data Privacy Day approaches, discussions often lean towards pessimism, with increased cyber threats and exposed data dominating the narrative. However, it’s important to recognise the positive strides made in Australia throughout 2024, building the right foundations to protect data privacy with key privacy reforms passing through Parliament and a reduction in the number of cyber crimes reported by the ACSC. We should, therefore, all be encouraged that we are forging the right path.

Nonetheless, the work is far from over, and this year’s theme, “Take Control of your Data”, is a powerful reminder that every individual and organisation has a role to play in protecting privacy. True control requires action, vigilance, and collaboration from all of us.

It’s essential that business and cyber leaders continue to prioritise proactive measures to safeguard data privacy as the challenges ahead are formidable. The ever-expanding volumes of data, rapid advancements in technologies like AI, and, of course, increasingly sophisticated threat actors demand unwavering focus and action.

Identity security is a critical pillar of data privacy. Deploying robust workforce identity management solutions and protecting user credentials are essential steps in minimising risk and preventing breaches. By prioritising identity security, organisations and individuals alike can take meaningful strides towards truly taking control of their data.

Darren Guccione
CEO and co-founder of Keeper Security

As Data Privacy Week approaches from 27 to 31 January, the topic of data privacy continues to dominate cyber security discussions, especially in the wake of Singapore’s Accounting and Corporate Regulatory Authority (ACRA) incident. This episode allowed for the accidental disclosure of full national identification numbers through a search function on its new business portal. With a full review set for completion in February, this incident serves as a reminder for businesses to reassess their data protection measures – especially when it comes to privileged accounts, which are often the most valuable targets for cyber criminals.

In an era when digital transformation drives business strategies, ensuring robust data privacy practices is more critical than ever. ACRA’s lapse underscores the need for businesses to reassess their data protection measures – particularly when it comes to protecting privileged accounts, which are often the most valuable targets for cyber criminals.

Sam Salehi
Managing director ANZ at Qualys

On Data Privacy Day, we are reminded of the critical importance of safeguarding personal information and empowering organisations to protect their digital assets. In an era where data is a key currency, it’s vital to prioritise transparency, trust, and the responsible use of information to foster a secure digital environment for all Australians.

As technology adoption accelerates, organisations face growing challenges, including misconfigurations, insider threats, and data leakage. These risks often arise from implementing new technologies without adequate security controls and a strong architectural foundation. The path to effective data security lies in striking a balance between innovation and robust risk management practices. By embedding security into the core of business strategies, organisations can mitigate threats and build a safer digital future.

Patrick Harding
Chief product architect at Ping Identity

Data Privacy Week serves as a crucial moment to reflect on the evolving digital security landscape and the pressing need to prioritise privacy in our interconnected world. With 87 per cent of consumers expressing high or moderate concern about identity theft or fraud – a staggering 24 per cent increase from 2023 – it’s clear that confidence in the digital ecosystem is eroding. This growing apprehension highlights the urgent need for businesses to protect personal information and restore trust in online interactions.

At the core of consumer expectations lies a strong demand for security, with 78 per cent citing it as their top concern regarding digital experiences. Security and privacy are no longer just technical requirements – they are fundamental to building customer trust and loyalty. Without robust measures to safeguard data, businesses risk not only reputational damage but also the erosion of consumer confidence.

Decentralised identity management offers a transformative solution to this challenge. By empowering individuals to control their data and reducing reliance on centralised repositories, it minimises the attack surface for cyber criminals while enhancing user privacy. As businesses embrace privacy-by-design principles, decentralised identity should play a pivotal role in their strategies. By committing to these principles, organisations can build lasting trust and establish themselves as leaders in the era of digital privacy.

Keir Garrett
Regional vice president, Australia and New Zealand, at Cloudera

Many businesses view data privacy as a hindrance to growth. But let’s be real – balancing the benefits of analytics with respecting individual privacy is crucial, especially in today’s dynamic technology landscape. This goes beyond just complying with the Australian Privacy Principles (APPs) and the Office of the Australian Information Commissioner (OAIC) regulations; it’s about giving customers and users genuine control over their data.

Recent cyber security incidents show Australians care deeply about data privacy, with breaches severely damaging brand reputation and trust.

The good news? Businesses can manage data responsibly with a secure-by-design data management platform to accelerate enterprise AI. This means integrating privacy measures into IT and business processes from the start, rather than as an afterthought. Whether purchasing, selling, or collecting data, businesses should know what personal information they have, how it was obtained, where it’s stored, how it’s used, who has access, how it’s secured, and when it should be deleted. In essence, it’s about safeguarding data throughout its entire life cycle, protecting both business interests and individual rights.

George Moawad
Country manager – Oceania, at Genetec

While it is important to ensure you’re collecting and handling data by the book, organisations need to put robust security measures in place to protect that data from unauthorised access, loss, or breaches.

Indeed, falling foul of Australia’s data protection regulations has become something organisations can ill afford to do. With the OAIC increasingly adopting an enforcement posture, compliance needs to be a high priority.

However, when designing a comprehensive data protection and privacy strategy, it’s best practice to aim higher than the current legislative requirements.

One way to do this is by adopting a privacy-by-design approach – centring on the principle that respect for individual privacy is the foundation of responsible and innovative design. By proactively embedding that into IT systems, networked infrastructure, and business practices from the first line of code to third-party vendors.

Ben Chamlet
Senior director for solutions engineering, APJ, at Twilio

Data Privacy Week presents a great reminder for organisations to reassess their customer privacy policies and prioritise transparent data collection in their marketing strategies. Technologies like AI are empowering brands to collect and interpret vast amounts of customer data across different touchpoints and build incredibly detailed unified profiles for each customer. While this helps organisations better understand their customer base and deliver incredibly personalised communications, transparency in data collection and retention policies is crucial. Increased regulatory pressure for transparency in AI usage will aid adoption and reduce consumer distrust.

According to our State of Customer Engagement report, six in 10 Australian consumers say protecting their data is the top way for brands to earn their trust. Globally, nearly half (49 per cent) would trust a brand more if it disclosed how customer data is used in AI-powered interactions. The takeaway? Organisations must be transparent about their data policies, explaining retention periods, purposes, and security measures. They must also address the ethical concerns surrounding invasive third-party cookies and make the transition to first-party data collection. First-party data is consensually given to brands by their customers or generated by their interactions with them. It is, therefore, more ethical to collect and provide the most valuable insight when building personalised experiences. This approach benefits both organisations and consumers, fostering trust and understanding.

Gary Barlet
Public sector CTO and principal solutions architect at Illumio

January 28 is Data Privacy Day. And it comes at an appropriate time.

Just weeks ago, the US Treasury revealed a breach that exposed sensitive personal data, including 3,000 unclassified files.

A new year with the same old story of massive data breaches and leaked personal information. Yet organisations and agencies are taking the same security measures year after year.

We need to fundamentally rethink how we protect the data that powers our lives, starting with zero trust as the foundation.

And if there’s one thing this year’s Data Privacy Day reminds us, it’s this: it’s time to stop talking about securing data and start actually doing it.

Anthony Spiteri
Regional CTO, APJ, at Veeam

Data Privacy Day highlights the urgent need for enhanced data security measures, particularly with sectors such as healthcare, which hold large quantities of personal data, continuing to be highly vulnerable. Last year, the healthcare industry accounted for a concerning 18 per cent of ransomware attacks, followed by consumer services at 14 per cent. Ransomware remains a significant threat, affecting 40 per cent of small and medium-sized organisations, and as threats continue to evolve with new technologies, merely increasing cyber security budgets is insufficient.

Organisations must implement proactive measures, such as robust data encryption, strict access controls, and comprehensive employee training on data security. Businesses should also invest in real-time tracking systems that can identify vulnerabilities, outdated systems, exposed sensitive data and suspicious behaviour that may result in data leaks. Let’s use this day as a reminder to strengthen our strategies for safeguarding data, enhancing privacy practices, and fostering a culture of security awareness to protect sensitive information.

Greg Clark
Director of product management, data security at OpenText Cybersecurity

This Data Privacy Week underscores the urgency of embracing an organisation-wide privacy-first approach to shift away from complexity, ensure compliance, and protect data from persistent cyber attacks.

What all organisations can do: Adopt clear, company-wide policies that ensure the secure use and handling of information. This is crucial with the rapid adoption of GenAI tools. A recent OpenText survey found only 27 per cent of employed respondents use privacy tools and settings to protect workplace information when using GenAI.

What data privacy and security teams should do: At a practitioner level, simplifying security stacks can help protect information by reducing fragmentation, improving cross-team communication, leveraging contextually relevant threat insights, and increasing transparency within data and other business systems. It also allows them to unify threat detection and response, data discovery and protection, modernising data privacy, and strengthening privacy and security postures.

What employees should do: Individual employees play a critical role in protecting data. Phishing scams and insider threats are only getting more sophisticated. Whether a large enterprise or a small business, education and awareness across all departments need to be layered on top of AI-powered technologies that detect threats.

Steve Bray
Vice president, Australia and New Zealand, at Cloudflare

In 2024, Cloudflare mitigated 21.3 million DDoS attacks, a 53 per cent increase from 2023. Among these was the largest-ever recorded attack, peaking at 5.6 terabits per second and targeting critical industries like healthcare and finance. Such attacks not only disrupt services but also create windows of opportunity for malicious actors to exploit weakened defences and access sensitive data​​.

To combat these risks, businesses need robust, proactive measures. Automated DDoS mitigation, zero-trust architectures, and AI-powered security systems are critical in ensuring resilience.

This Data Privacy Week, one thing is clear: service downtime is not just an operational inconvenience – it is a direct threat to data privacy. By proactively securing systems and investing in resilient defences, businesses can protect their sensitive information and maintain customer trust. Ensuring uptime is not just about staying online; it is about safeguarding the integrity of your data and the reputation of your organisation.

Pieter Danhieux
Co-founder and CEO of Secure Code Warrior

Building trust within your customer base should be a key pillar in every organisation, and respect for their data should be part of everyday operations. In 2025, there are no excuses for lax data handling, insecure processes, or databases that are not fortified and maintained with the highest levels of security awareness.

Being trusted with customer data is a privilege, and we owe it to those who have faith in us to ensure everything from patching and system maintenance to developer security skills are continuously assessed, improved and built upon to withstand the ever-changing onslaught of threats from attackers. Organisations can and should play a defining role in preventative security measures contributing to a safer digital world.

Adrian Covich
APJ vice president of systems engineering at Proofpoint

Data Privacy Day 2025 highlights a critical challenge: the AI data privacy paradox. While generative AI offers immense potential, it also introduces significant data loss risks. Inputting confidential information or personally identifiable information (PII) into these systems is like handing attackers a loaded weapon, and businesses are understandably worried. Proofpoint’s 2024 Data Loss Landscape Report reveals that 40 per cent of Australian CISOs identify GenAI tools as a top organisational risk, underscoring the need for robust data protection strategies.

In order to protect themselves, organisations must take a human-centric approach to cyber security to defend their data. This approach brings together an understanding of data classification, user intent and threat context, and applies it consistently across all communications channels, including email, cloud, endpoint, web and GenAI tools. This also means guiding employees with relevant, in-the-moment interventions and personalised learning paths based on an individual’s unique risk profile to cultivate a behaviour change, where everyone understands the risks and plays a role in safeguarding the organisation.

Morey Haber
Chief security advisor at BeyondTrust

On Data Privacy Day, we need to look past regulatory compliance checklists and business policies to secure personal information. Real data privacy is the responsibility of everyone who embraces a philosophy of individuality and recognises that, ultimately, we are responsible for ourselves and how much information we share on the internet and what is known about our identities due to the services we consume. This goes beyond encrypted messaging and secure servers; it extends to a culture that recognises absolute privacy is no longer truly achievable everywhere.

Everyone from birth to death has some form of electronic footprint. Governments, corporations, and citizens each play a pivotal role in securing that footprint, and it is up to individuals to decide how much they share (unintentionally or voluntarily). It is up to all of us to read the fine print of privacy policies (not just click Accept), enable two-factor authentication, and stay aware of phishing tactics and social engineering schemes that enable threat actors to harvest our information beyond what the platform or service stores themselves.

Gary Savarino
Identity strategist for APAC at SailPoint

On Data Privacy Day, I want to emphasise the critical need for organisations to fundamentally shift their approach to cyber security as technology and AI continue to evolve. With most cyber incidents originating from compromised credentials, it is clear that traditional security measures are no longer sufficient. To more effectively protect themselves and the data they hold, businesses should adopt next-generation identity security solutions and deploy a unified and integrated identity security approach – one that addresses all identities, including non-employees and non-human entities, across every application and environment.

This means moving away from siloed systems and instead centralising identity management to gain complete access visibility, enforce cohesive control policies, and secure data at scale. Automation and machine learning are key to this transformation, enabling organisations to proactively address vulnerabilities and respond to threats with speed and improved precision.

By taking these steps, businesses can strengthen their defences and better safeguard sensitive data.