Privacy protection: Leveraging tools to help make privacy everyone’s business
We are living in a data-driven era where organisations are rapidly adopting technologies such as artificial intelligence (AI), cloud computing, and data sharing platforms to unlock insights, improve performance, and gain competitive advantage. However, the vast volume of data collected, often through opaque processes, raises serious concerns about how personal information is used and protected. Information privacy acts as a crucial safeguard, offering individuals the right to control how their personal data is collected and used, as defined by Australia’s Privacy Act 1988 and the International Association of Privacy Professionals.
As the demand for data intensifies, so do the risks. Without proper safeguards such as informed consent, transparency, and the ability to correct or delete data, our personal information becomes vulnerable to harms like data breaches, algorithmic bias, and targeted cyberattacks. Reflecting on what it truly means to have control over your personal information is essential to ensuring your data is used responsibly and remains protected in an increasingly digital world.
The theme for Privacy Awareness Week 2025, ‘Privacy - It’s everyone’s business’, places the care, concern, and responsibility for the protection of information privacy in the minds of the individual. It signals the urgent need for all employees, beyond privacy professionals or IT teams, to be aware of how personal information is collected, used, stored and shared. Effective privacy protection needs to be underpinned by strong regulation, enabled people and smart technology.
Understanding the changing regulatory landscape
Australia’s regulatory environment is rapidly evolving to strengthen the rights of individuals and improve organisational accountability.
At the national level, Australia’s parliament has passed the Privacy and Other Legislation Amendment Act 2024, the first of two tranches of reforms. This has expanded the Privacy Commissioner’s (the Commissioner) investigative and enforcement powers and enables them to penalise organisations for failing to maintain information privacy and breaching the Australian Privacy Principles. The amended legislation also allows the Commissioner to now seek civil penalties for ‘serious’ interferences with privacy, rather than ‘serious and repeated’, and civil penalties have been introduced for interferences with privacy that are not serious, widening the net of potential cases that fall under their remit. The new legislation demonstrates Australia’s appetite to align more closely with global privacy regimes, such as the European Union’s General Data Protection Regulation, which is considered by many to be a leader in information privacy legislation.
At the state level, Queensland has responded to the data age by implementing the Information Privacy and Other Legislation Amendment (IPOLA) Bill 2023 (effective from 1 July 2025). The IPOLA Bill directly impacts public sector agencies, Government Owned Corporations, and councils in Queensland.
The IPOLA Bill introduces several important changes. Some of these include:
- The introduction of a mandatory data breach notification scheme, requiring the Information Commissioner and affected individuals to be informed in the event of an eligible data breach
- Implementation of the Queensland Privacy Principles, which will replace the current Information Privacy Principles and National Privacy Principles
- Enhanced powers for the Information Commissioner, including the ability to investigate, or act on its own motion, in support of compliance with the privacy principles and the Mandatory Notification of Data Breach scheme.
To align with IPOLA, organisations are, among other things, encouraged to conduct an audit of the information that they hold, identify and collaborate with business areas within the agency, and update their policies and procedures to reflect the regulatory changes.
These developments underscore the same message - organisations need to use information privacy as a map to guide their systems, processes, and culture to ensure that data is not misused.
The challenge: Locating and controlling personal information and data
Despite growing regulatory pressure, many organisations still struggle with a fundamental barrier to privacy compliance: data visibility. Data visibility is an organisation’s ability to identify, access, track, and view its data throughout the information lifecycle, from initial collection through to disposal and destruction. The issue is that personal and sensitive data is often dispersed across multiple systems including cloud platforms, legacy file shares, archive folders, emails, and third-party apps, usually with limited classification, tagging or retention logic applied.
This data sprawl introduces several risks such as:
- Unintentional exposure of personal data due to lack of access controls
- Inability to respond quickly to data breach investigations or subject access requests
- Retention of data beyond lawful or necessary limits, increasing liability.
Without the ability to discover, classify, and manage information effectively, organisations are left vulnerable to non-compliance and reputational damage. As the volume and complexity of data increases, manual controls are no longer enough. Automation and intelligent data governance tools are essential to meet both compliance and operational demands.
Using eDiscovery to protect personal and sensitive information
One of the most powerful ways organisations can respond to the challenge of data visibility is through eDiscovery. This is the process of identifying, reviewing, and managing digital information for compliance, litigation, or investigation purposes.
Microsoft Purview, part of the Microsoft 365 compliance suite, offers a mature, integrated eDiscovery capability that enables organisations to:
- Identify personal and sensitive data across Microsoft environments
- Apply filters and search criteria to isolate specific types of information (e.g. Medicare numbers, tax file numbers, keywords, data subject names)
- Review and tag content, identifying if it falls under a data breach or privacy risk
- Apply actions such as placing content on hold, exporting results for review, or triggering remediation activities.
Here is how a practical eDiscovery process takes place using Microsoft Purview:
- Initiate an eDiscovery case: A privacy officer or information manager identifies a use case for investigation.
- Define the search parameters: Search terms include known identifiers (e.g. names, ID numbers, emails), content locations (Teams, SharePoint, Outlook), and date ranges.
- Visualise results: Take the log files generated by Microsoft Purview and use Power BI to digest and analyse the findings. Review items for relevance and sensitivity.
- Prioritise results: In line with other organisational commitments, prioritise results onto a roadmap for planning and implementation.
- Take action: Consolidate findings for legal or audit teams and create initiatives to help address findings and establish guiderails to ensure changes persist into the future.
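The first two steps of the process above (initiating a case and defining the search parameters) can be scripted in Security & Compliance PowerShell so that the query, locations and date range are recorded alongside the case. The following is an added example, not BDO’s or Microsoft’s own code. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an eDiscovery role; the case name, search name, financial-year date range and the two built-in sensitive information type names are assumptions chosen for illustration, and the script checks that those type names exist in the tenant before building the query.

```powershell
# Added example (not BDO's or Microsoft's code): steps 1 and 2 of the eDiscovery
# process in Security & Compliance PowerShell. Case name, search name, dates and
# sensitive information type names are constructed assumptions for illustration.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$caseName   = 'PAW-2025-Personal-Info-Discovery'   # constructed case name
$searchName = "$caseName-TFN-Medicare"              # constructed search name

# Built-in sensitive information types assumed to cover tax file numbers and
# Medicare numbers. Confirm they exist before building the query so that a
# misspelt name fails fast instead of silently matching nothing.
$sitNames  = @('Australia Tax File Number', 'Australia Medical Account Number')
$knownSits = (Get-DlpSensitiveInformationType).Name
foreach ($sit in $sitNames) {
    if ($knownSits -notcontains $sit) {
        throw "Sensitive information type '$sit' not found; check Get-DlpSensitiveInformationType"
    }
}

# Step 1: initiate the eDiscovery case (idempotent: reuse it if it already exists).
if (-not (Get-ComplianceCase -Identity $caseName -ErrorAction SilentlyContinue)) {
    New-ComplianceCase -Name $caseName `
        -Description 'Locate TFN and Medicare numbers ahead of IPOLA commencement' | Out-Null
}

# Step 2: define the search parameters as a KQL query.
#  - identifiers: the sensitive information types above
#  - date range:  last financial year (assumed); 'sent' applies to mailbox items,
#                 'lastmodifiedtime' to SharePoint/OneDrive items
$sitClause = ($sitNames | ForEach-Object { "SensitiveType:`"$_`"" }) -join ' OR '
$dateClause = '(sent>=2024-07-01 AND sent<=2025-06-30) OR ' +
              '(lastmodifiedtime>=2024-07-01 AND lastmodifiedtime<=2025-06-30)'
$query = "($sitClause) AND ($dateClause)"

# Content locations: all mailboxes (Exchange, Teams chat) and all sites (SharePoint, OneDrive).
New-ComplianceSearch -Name $searchName -Case $caseName `
    -ExchangeLocation All -SharePointLocation All `
    -ContentMatchQuery $query | Out-Null

Start-ComplianceSearch -Identity $searchName

# Wait for the estimate to complete, then summarise for the privacy officer.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

[pscustomobject]@{
    Case      = $caseName
    Search    = $searchName
    Items     = $search.Items
    SizeBytes = $search.Size
    Query     = $query
} | Format-List
```

The script stops at the estimate (item count and size); it exports nothing and places nothing on hold, so the review, prioritisation and action steps remain deliberate decisions taken in the Purview portal by the privacy officer. Keeping the query string with the case record gives a defensible account of exactly what was searched, which matters when the same search later supports a breach notification.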
Purview also supports automated labelling and classification, meaning files containing personal or sensitive data can be tagged in real time, helping prevent improper access or sharing before a breach occurs.
For organisations subject to IPOLA or broader privacy reform, Purview’s eDiscovery function enables:
- Rapid and defensible incident response
- Evidence gathering for mandatory breach notifications
- Proof of compliance with access, correction, and deletion rights
- A foundation for policy-driven data lifecycle management.
Future outlook
As the regulatory environment matures and data volumes grow exponentially, organisations need to move beyond reactive privacy responses. Instead, they must embed proactive data governance and privacy by design across the business.
Our recommended strategies for proactive data governance include:
- Conducting a data discovery and mapping exercise: Understand what personal information you hold, where it resides, and how it flows across systems. Use automation to maintain this visibility over time.
- Establishing cross-functional governance: Privacy is not an exclusive legal or IT concern. It involves risk, compliance, HR, and business units in developing privacy protocols and reviewing eDiscovery processes.
- Leveraging existing platforms: If your organisation uses Microsoft 365, you may already have access to Microsoft Purview features. Use them to implement labelling, retention, and eDiscovery functions with minimal additional overheads.
- Educating your people: Ensure that staff know how to handle personal information appropriately as the first line of defence. Encourage a culture of accountability through training, internal campaigns, and privacy champions.
- Monitoring legislative changes: Stay informed about updates to the Privacy Act, state-based reforms like IPOLA, and emerging global standards. Adjust your processes and tools to remain aligned.
- Investing in automation: Manual privacy compliance cannot be scaled. Use AI-driven tools like Microsoft Purview’s auto-labelling and data loss prevention policies to reduce human error and increase efficiency. Ensure continuous reporting and monitoring so that the approach continues to work for your organisation.
In 2025 and beyond, privacy protection is not just a legal requirement. It’s a critical part of ethical, responsible, and sustainable digital transformation. As Queensland’s IPOLA legislation and national privacy reforms reshape expectations, organisations must be ready to demonstrate how they protect personal information in practice.
Tools like Microsoft Purview are no longer optional - they are essential enablers of compliance, transparency, and trust. By integrating capabilities such as eDiscovery into day-to-day processes, organisations can respond confidently to breaches, inquiries, and audits.
Privacy is everyone’s business, and with the right tools and mindset, protecting it can become everyone’s responsibility too.
How BDO can help
Our digital team is passionate about helping people and organisations find, protect, and realise the value of their information and data.
BDO supports clients on their personal and sensitive information discovery journey by leveraging Purview. To learn more about how BDO can support your organisation’s privacy protection and data governance needs, contact our digital team.