From privacy intent to defensible data action
For many organisations, the privacy challenge is no longer understanding the law. It is demonstrating, with evidence, that personal information is managed appropriately across increasingly complex data environments. Australian organisations operate under increasing privacy scrutiny, higher penalties, and rising expectations around accountability. While most leaders understand their obligations under the Privacy Act 1988 (Privacy Act), the challenge is shifting from defining those obligations to demonstrating, with evidence, that they are being met in practice.
Beyond Privacy Awareness Week, many organisations are reassessing whether their privacy programs can withstand that scrutiny. This scrutiny comes not just from regulators, but also from customers and boards.
Increasingly, regulators, customers, and boards are not just asking what policies exist, but how organisations can show that personal information is being actively managed, from collection and use through to security, retention, and reduction.
The Australian Privacy Principles (APPs) set clear expectations across the full lifecycle of personal information, including how it is collected, used, disclosed, and governed. In practice, however, meeting these obligations consistently depends on a common capability: the ability to understand and control how personal information is managed across complex data environments.
While our previous article explored why understanding your data is critical, this article focuses on what organisations must now demonstrate and how to make privacy obligations operational in practice.
The broader privacy obligation – and where it breaks down
Under the Privacy Act, organisations are expected to manage personal information in a way that is transparent, purpose-driven, and accountable. This includes:
- Collecting only personal information that is reasonably necessary for a defined purpose
- Clearly informing individuals about how their information will be used
- Limiting use and disclosure to that purpose, unless an exception applies
- Maintaining the accuracy and quality of personal information
- Providing individuals with access to, and correction of, their information
- Taking reasonable steps to secure information and reduce unnecessary exposure.
While these obligations are well understood at a policy level, they are increasingly difficult to operationalise in complex, data-rich environments.
These obligations are interconnected. Weakness in one area often flows into others. For example:
- Over-collection creates excess volume that becomes harder to manage and secure
- Poor visibility limits the ability to restrict use or respond to access requests
- Inaccurate or duplicated data increases both operational and privacy risk
- Uncontrolled sharing introduces challenges around disclosure and oversight.
In practice, these issues are often driven less by intent and more by a limited line of sight into how personal information is created, stored, and used across the organisation.
For many organisations, privacy risk is not solely a policy problem. It is an operational, data management and governance challenge.
Why privacy risk often hides in plain sight
This breakdown is most evident in how data accumulates and is managed day-to-day.
Across our work in data governance, privacy, and cyber resilience, we often see organisations holding far more personal information than they realise. This data sits across cloud platforms, collaboration tools, file shares, SaaS applications, and legacy systems, often accumulating quietly over years as teams create, copy, and share information.
It is not just a retention issue. It often begins earlier in the lifecycle when:
- Personal information is collected beyond what is strictly necessary
- Information is duplicated or repurposed across systems
- Data is retained indefinitely without a clear justification
- Access expands over time as teams collaborate and systems integrate.
When organisations rely on manual inventories, periodic reviews, or point-in-time confirmations to understand where personal information resides, privacy risk becomes difficult to manage. Data volumes change faster than review cycles can keep up, particularly in unstructured environments where files are constantly created, duplicated, and reused.
The result is a growing gap between privacy obligations on paper and an organisation’s ability to demonstrate compliance in practice. When regulators, customers or boards ask fundamental questions about what personal information an organisation holds, and where it is stored, many struggle to answer with confidence.
Why APP 11 becomes the operational pressure point
Australian Privacy Principle 11 (APP 11) requires organisations to take reasonable steps to protect personal information and to destroy or de-identify it when it is no longer needed, unless retention is required by law or forms part of a Commonwealth record.
While this is only one component of the Privacy Act, it is where many broader obligations become tangible for organisations. The requirement to ‘destroy or de-identify’ brings into focus a set of practical challenges:
- Can the organisation confidently identify all locations where personal information is stored?
- Can it distinguish between data that must be retained and what is no longer required?
- Can it apply consistent, auditable actions across diverse systems and data types?
- Can it demonstrate these decisions if challenged by regulators, customers, or boards?
These questions are increasingly being asked not only by regulators, but also by customers and stakeholders who expect organisations to manage their information responsibly.
Privacy compliance is now an evidence challenge
APP 11 does not require organisations to remove all personal information. It requires them to take reasonable steps to protect it and to defensibly destroy or de-identify information that is no longer needed. Regulators now expect organisations to demonstrate the steps they have taken, not just state that policies exist.
Regulators are placing greater emphasis on what organisations can substantiate in practice, particularly in data breach scenarios.
Under Australia’s Notifiable Data Breaches scheme, organisations must quickly assess whether a breach is likely to result in serious harm and notify affected individuals and the Office of the Australian Information Commissioner where required. Without a clear understanding of what personal information was involved, where it was held, and how it was accessed, response timelines and confidence can quickly erode.
Similarly, responding to individual rights (such as access or correction requests) requires organisations to locate and assess relevant data in a timely and complete way.
These expectations reinforce a simple principle. Organisations must be able to evidence how personal information is known, controlled, and reduced over time.
From policy to practice: privacy-focused data discovery
Moving from policy to practice starts with governance and visibility, but it is enabled at scale through technology.
Privacy-focused discovery starts by identifying personal and sensitive information across both structured and unstructured data environments.
Rather than relying on document titles or system-level assumptions, organisations use automated approaches to detect and classify information based on content and context.
Effective discovery goes beyond simple keyword searches. It uses pattern-based and machine learning techniques to identify the types of personal information that carry risk under Australian law, including combinations of data that become more sensitive when held together.
Platforms such as BigID help organisations achieve a clearer, current view of sensitive data and reduce hidden privacy risks. This includes identifying duplication, overexposure, and higher-risk data combinations that may not be visible through traditional approaches.
This provides a more accurate and current view of the organisation’s data landscape and enables more informed decision-making across the privacy lifecycle, including:
- Reducing over-collection by understanding what is already held
- Supporting appropriate use and disclosure by identifying sensitive data
- Improving data quality by highlighting duplication and inconsistency
- Enabling faster, more complete responses to access requests.
Many organisations begin with a defined scope, such as high-risk repositories or systems supporting AI initiatives, and expand as capability matures.
Making destroy and de-identify obligations operational
Discovery alone does not satisfy APP 11. Value is realised when organisations can act on what they find in a safe, controlled, and auditable way.
Once personal information is visible, organisations can assess whether it is still required, whether retention obligations apply, and what remediation action is appropriate. In practice, this often includes a mix of:
- Defensible deletion of redundant, duplicated, or stale personal information
- De‑identification or obfuscation of data that must be retained but does not need to remain identifiable
- Restriction of access where oversharing creates unnecessary exposure
- Escalation of high-risk findings to data owners with clear accountability.
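The two steps described above, content-based discovery that recognises higher-risk combinations of personal information and keyed de-identification that leaves an audit record, can be illustrated with a small worked example. The code below is an added illustration written for this article; it is not BDO's or BigID's code and does not represent how either platform operates. The sample document, the pseudonymisation key, the detector patterns and the risk-tiering rules are all constructed assumptions for the example. Name detection, which needs more than pattern matching, is deliberately left out.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample document; every value below is made up for the example.
SAMPLE_DOC = """Customer onboarding notes
Name: Jane Citizen
DOB: 14/03/1985
Email: jane.citizen@example.com
Phone: 0412 345 678
TFN: 123 456 782
Invoice ref: 987654321
"""

# Hypothetical pseudonymisation key; in a real deployment this lives in a key vault.
PSEUDONYM_KEY = b"example-key-rotate-me"

# Content-based detectors (assumed patterns for the example). A TFN is matched as a
# 9-digit candidate first and then validated with its check digit, so an unrelated
# 9-digit reference such as the invoice number above is not reported.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "au_mobile": re.compile(r"\b04\d{2}[ -]?\d{3}[ -]?\d{3}\b"),
    "date_of_birth": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "tfn": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
}
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def is_valid_tfn(candidate: str) -> bool:
    """Weighted-sum check: sum(digit * weight) over the nine digits is divisible by 11."""
    digits = [int(c) for c in candidate if c.isdigit()]
    return len(digits) == 9 and sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    start: int
    end: int


def scan(text: str) -> list[Finding]:
    """Locate personal information by content, not by file name or source system."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "tfn" and not is_valid_tfn(m.group()):
                continue  # a 9-digit number that fails the check digit is not a TFN
            findings.append(Finding(kind, m.group(), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def risk_tier(findings: list[Finding]) -> str:
    """Combinations matter: a government identifier held next to identity
    attributes is a higher-risk holding than either element on its own."""
    kinds = {f.kind for f in findings}
    if "tfn" in kinds and kinds & {"date_of_birth", "email", "au_mobile"}:
        return "high"
    if "tfn" in kinds or "date_of_birth" in kinds:
        return "medium"
    return "low" if kinds else "none"


def pseudonym(kind: str, value: str, key: bytes) -> str:
    """Keyed, consistent token: the same TFN maps to the same token in every file
    (so duplicates stay linkable) but cannot be reversed without the key."""
    normalised = re.sub(r"[\s-]", "", value).lower()
    digest = hmac.new(key, f"{kind}:{normalised}".encode(), hashlib.sha256).hexdigest()
    return f"<{kind}:{digest[:12]}>"


def de_identify(text: str, findings: list[Finding], key: bytes) -> str:
    """Replace findings from the end of the text backwards so earlier offsets stay valid."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[: f.start] + pseudonym(f.kind, f.value, key) + out[f.end :]
    return out


def remediate(doc_id: str, text: str, key: bytes) -> tuple[str, dict]:
    """Apply the action for the document's risk tier and return the output text
    together with an audit record that evidences the decision without copying
    the personal information into the record itself."""
    findings = scan(text)
    tier = risk_tier(findings)
    action = "de-identify" if tier in ("high", "medium") else "retain"
    output = de_identify(text, findings, key) if action == "de-identify" else text
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    record = {
        "doc_id": doc_id,
        "risk_tier": tier,
        "findings": counts,
        "action": action,
        "before_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "after_sha256": hashlib.sha256(output.encode()).hexdigest(),
    }
    return output, record


if __name__ == "__main__":
    cleaned, record = remediate("share://hr/onboarding/jane.txt", SAMPLE_DOC, PSEUDONYM_KEY)
    print(cleaned)
    print(record)
```

Two design choices carry the article's point. The check-digit validation is the minimal form of "context" that separates a tax file number from any other nine-digit reference, and the keyed pseudonym keeps duplicated records linkable across repositories while the before-and-after hashes in the audit record let the organisation show what was changed, and when, without re-recording the personal information it has just removed.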
Technology-enabled workflows, including those supported by platforms like BigID, help organisations apply consistent actions, capture decisions, and maintain audit evidence at scale.
Continuous privacy controls, not point-in-time clean-ups
Many organisations still approach privacy remediation as a project or periodic clean-up exercise. While this can reduce risk in the short term, it rarely keeps pace with how data is created and reused across modern digital environments.
A more sustainable approach treats privacy discovery and remediation as an ongoing operating capability. This may involve a mix of scheduled scans, continuous monitoring, and workflow-based remediation that allows actions to be tracked, reviewed, and evidenced.
For privacy teams, this significantly reduces reliance on manual effort and strengthens confidence in compliance reporting.
This shift supports not only APP 11 compliance but the broader expectations of transparency, accountability, and data stewardship under the Privacy Act.
Laying the foundation for responsible AI
AI systems depend on large volumes of data, often drawn from across the organisation. Without clear controls, organisations risk exposing sensitive information, embedding inaccuracies, or breaching consent and purpose limitations.
By establishing a clear understanding of where personal and sensitive data resides and applying rules around how it can be used, retained, or de-identified, organisations can create AI-ready datasets that balance innovation with compliance.
This does not remove risk, but it allows organisations to better understand and manage how data is used in AI-driven environments.
The question leaders should be asking
For many organisations, the question is no longer whether a privacy policy exists. It is whether the organisation can demonstrate, with confidence, that personal information is known, governed, and responsibly reduced over time.
More broadly, organisations should be able to show that personal information is collected for a defined purpose, used and disclosed appropriately, and maintained in a way that supports accuracy, access, and accountability.
APP 11 makes it clear that holding data ‘just in case’ is no longer defensible. Across the Privacy Act, expectations are shifting toward personal information being actively managed, not passively accumulated.
How BDO and BigID can help
BDO’s approach to data governance is advisory-led. We start with risk, regulation, and operating model considerations, then work with organisations to strengthen visibility, accountability, and control in a way that is practical and sustainable.
Through our partnership with BigID, we combine our advisory approach with technology-enabled data visibility and control, helping organisations translate privacy obligations into practical, measurable action.
This includes moving from fragmented or manual processes to more consistent, evidence-based data management practices that support privacy, cyber, and broader regulatory obligations.
If your organisation is reviewing how well its current data governance model reflects today’s data landscape, BDO’s digital specialists can help you identify where risk sits today and prioritise the actions that will have the greatest impact, whether as a one-off review or as part of a longer-term governance program. Contact our team to find out more.