Despite the risks, an alarming 63% of respondents reported that organisations often only start addressing data risk management and uplifting data governance after experiencing a cyber incident. More concerning is that this rate has risen from 58% in the past 12 months, reflecting a broader trend observed by the HSF Kramer team.
Heather Kelly notes the team recently coordinated several data governance projects, of various levels of complexity, for clients spurred into action following disruptive and distressing attacks on themselves or their competitors. “Even though the public is accustomed to hearing about cyber attacks in the news, there is a sense that the public, and potentially regulators, will not be as forgiving when the next incident impacting their sector rolls around. Good data governance is now a critical part of cyber risk management,” she said.
Furthermore, the survey found that while 85% of respondents reported their organisation had taken steps to improve data governance over the past year, approximately a third of respondents remained concerned that their data management practices were inadequate.
Kaman Tsoi, HSF Kramer privacy specialist and Special Counsel, said tackling data governance was a “daunting task” for some organisations, given the vast amounts of data that organisations hold in 2025. Data mapping and audits can also be cost-prohibitive. “If you step back and look at the totality of what you’re trying to achieve as part of a data audit, that can scare organisations off. That’s why we work hard to support clients by breaking the task up into smaller, more achievable tasks. You need to start somewhere, and it can help to approach things iteratively,” Tsoi said.
In a positive sign, however, Emily Coghlan, a Partner in HSF Kramer’s Digital Legal Delivery practice, said she had experienced an uptick in the number of clients seeking to unpick and map their data footprint, including data flows to third parties. “There’s been a rise in work around information governance. That means organisations are looking much earlier on, before a breach occurs, as to where their data sits. They’re also considering questions like: What does that then look like from a redundancy, resilience and information security perspective? Does that meet our data retention and privacy obligations?” she said.
It is possible this interest has been spurred on in part by recent changes in domestic privacy regulation. This includes the introduction of a new tiered penalty regime under the Privacy Act, which provides the Office of the Australian Information Commissioner more opportunities to pursue ‘lower-order’ privacy breaches, and clarification that under the Australian Privacy Principles ‘reasonable steps’ – in relation to obligations to secure personal information – includes technical and organisational measures.
Christine Wong, HSF Kramer Partner and specialist in regulatory investigations and enforcement, said data risk was top of mind for corporate Australia due to the long tail of legal risks it can involve. “The understanding of the level of risk associated with cyber security has certainly heightened – regulators like ASIC, APRA and OAIC are looking at considering enforcement from a range of angles (sector-specific laws, privacy, prudential standards, directors’ duties). They’re actively taking on significant cases. The financial implications of an enforcement action are more acute with increased civil penalties, and the ever-present risk of class actions,” Wong said.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills Kramer 2026