Data & Privacy

Data is perhaps the single most important asset for organisations as they continue to innovate and grow

Companies therefore require a careful and structured approach to the governance and protection of that data.

But managing data is complicated, with high psychological and regulatory risk hurdles. Until recently, the standard legal approach to the management of data has been to focus more on compliance and legal challenges than on the benefits and opportunities data can offer.

Streamlining your practices and unlocking the value in your data is key. 

How we can help

Our expert team can work with you to navigate the complexities of data use – enabling ethical, yet commercially focused, data practices – under the microscope of an increasing cadre of regulators.

We also step in when things go wrong, by helping to manage the crisis, engagement with regulators and those affected, and helping to sustain your company value over the long term.

Privacy and regulatory advice

The rapidly changing regulatory landscape is making it increasingly difficult to navigate the complex patchwork of data regimes. 

How can we help?

Our team advises on:

  • privacy and data compliance across all aspects of the data lifecycle – from creation, collection, storage, security, use, exchange and commercialisation, to retention and de-identification or disposal;
  • privacy, surveillance, telecommunications interception, direct marketing, telemarketing and spam regulation;
  • sector-specific regimes, such as the consumer data right, security of critical infrastructure, CPS 234 and health laws; and
  • consumer data issues, including complaints, personal information access requests, and misleading or deceptive representations regarding data handling practices.

We also conduct privacy audits, privacy impact assessments and assist with business-wide compliance uplifts.

Regulatory engagement, investigations and disputes

Regulators are increasingly scrutinising data handling practices and using their expanding enforcement arsenal to hold organisations to account in unprecedented ways. 

How can we help?

  • to responding  to enquiries from the Office of the Australian Information Commissioner (OAIC), the Australian Prudential Regulatory Authority (APRA), the Australian Competition and Consumer Commission (ACCC), the Australian Financial Complaints Authority (AFCA), the Australian Communications and Media Authority (ACMA), the Australian Securities and Investment Commission (ASIC) and the Foreign Investment Review Board (FIRB);
  • in responding to formal investigations, including coordinating responses across multiple jurisdictions;
  • by negotiating enforceable undertakings, assisting with conciliations, making submissions on determinations, declarations and directions, and lodging appeals to the Administrative Appeals Tribunal (AAT);
  • negotiating data and security FIRB conditions;
  • in responding to information and document production requests; and
  • in resolving third party claims and litigation.

We can also act as an independent expert on compliance with regulatory demands, response strategy and further risk mitigation.

Data governance, data commercialisation, AI and ethics

Data is facilitating the creation of new business models, and it has opened the door to the increasing use of artificial intelligence (AI) and other automated decision-making tools. 

An effective data governance framework is vital to ensuring that data assets are managed and automated decisions are made in a way that maximises value while also being compliant and ethical.

How can we help?

Our team helps design and implement data governance measures across all aspects of the data lifecycle. Whether you are looking to design and roll out a data strategy or whole-of-business best practice data governance framework, or simply to streamline or remediate specific processes, our experts can work with you to:

  • assess and report on current data handling practices;
  • develop data governance processes and tools, including by documenting roles and escalation pathways, and advising on processes to manage data retention and deletion, data classification and engagement with third parties;
  • monitor compliance with your data governance framework and remediate identified gaps;
  • develop ethical data handling and AI principles;
  • operationalise and embed your data governance framework;
  • train staff, including executive teams, boards and data leads;
  • design data use cases and structures to enable the effective and compliant collection, matching and exchange of data to derive customer insights using the latest data science practices and technologies; and
  • negotiate data sharing arrangements.

Our experts also advise a number of innovative global and local high-growth companies operating in the data industry.

Data in M&A

Data opportunities are playing an increasing role in mergers and acquisitions, with a particular focus on the data-rich assets of non-data businesses and data-driven deals attracting huge valuations. However, these transactions also involve a number of unique risks capable of causing significant value erosion.

How can we help?

Our experts can help navigate the data issues that arise in the context of mergers, acquisitions, demergers and investments, to help maximise value in these transactions.

For sellers, this involves helping to 'get your house in order' in advance of the transaction process, with a view to getting buyers comfortable with any data-related risks.  This includes:

  • advising on protocols for information sharing, populating the data room and planning for post-merger implementation;
  • advising on the competitive impact of aggregating merger parties' data assets when engaging with competition merger clearance processes;
  • helping to map the data flows, uplift processes and policies, explain how consents have been obtained and regulations have been addressed, and undertaking reviews of third party arrangements; and
  • assisting with any disclosures to bidders.

For buyers, this involves helping to identify the value of the data assets of the target, and any risks, including by:

  • undertaking due diligence (including advising on the regulatory environment, privacy maturity and any key risks); and
  • advising on the legality and structuring of proposed future data use cases, to assist in valuation.

Our team also:

  • advises on warranty and indemnity packages;
  • negotiates data and security-related FIRB conditions;
  • advises on data issues in relation to separation and transitional arrangements, including as to consent and disclosure requirements, the retention and disposal of business records, and ongoing access arrangements; and
  • negotiates data sharing arrangements (for both operational and strategic data sharing).
Cyber preparedness and incident response

Cyberattacks, data breaches and major technology vendor failures all require immediate solutions and expert advice.

How can we help?

Our leading cyber and data protection team works closely with organisations to help prepare for and mitigate cyber risks, respond rapidly to cyber events, and manage (and learn from) the fallout. 


OAIC investigations

Advised clients across the banking, energy, telecommunications and technology sectors on formal investigations by the OAIC into their data handling practices.

Design and rollout of data governance frameworks

Advised global retailers (both online and bricks and mortar), technology companies, financial services organisations, energy providers and scaleups on the design and rollout of their data governance frameworks and compliance uplift activities.


Advised various organisations on compliance requirements under the CDR Rules and Data Standards, engagement strategies with the ACCC and OAIC, and on applying to the ACCC for CDR compliance exemptions.

Data commercialisation

Advised a Big-4 Bank on a landmark joint venture to commercialise its data using leading data science techniques.

Data insights platform

Advised a healthcare company on the creation of a new data insights platform.


Advised on the establishment, launch, creation and operation of a new electronic lodgement network operator (ELNO), including on the complex ELNO regulatory approval process.

ASX developing new data products business

Assisted with designing the complete legal framework for a multi-party platform, bringing the ASX together with other data holders and data scientists.


Advised various Big-4 banks on their divestment of certain businesses, which included complex data sharing, use and governance arrangements.

Independent expert

Acted as an independent expert in connection with an enforceable undertaking given to the OAIC.


Advised on ransomware attacks, sophisticated hacks, business email compromise, brute force attacks, smash and grabs, and malicious insider activity.