Continuing the conversation: top cyber and privacy questions answered

4 minute read  24.10.2025 Paul Kallenbach, Shannon Sedgwick and Chelsea Gordon

Your top questions from our fireside discussion between Paul Kallenbach and Australian Privacy Commissioner Carly Kind about privacy, cyber risk, artificial intelligence and data governance.


Key takeouts


    AI governance is the new frontier. Organisations must embed privacy, security and accountability across the full data lifecycle, treating responsible AI as a core governance and compliance issue as well as a technical one.

    Board accountability is rising. Directors and executives are expected to demonstrate active oversight of cyber and data risk, supported by rehearsed incident response, independent assurance, and uplifts in cyber literacy.

    Regulatory convergence is accelerating. Australia’s privacy and cyber reforms are moving closer to global standards such as the GDPR, with new ADM requirements demanding early preparation.

To celebrate the launch of the 10th anniversary edition of our Perspectives on Cyber Risk 2025 report (2025 Report), Paul Kallenbach, MinterEllison’s National Legal Cyber Leader, sat down with Australian Privacy Commissioner Carly Kind for a fireside discussion on Australia’s rapidly evolving cyber and privacy landscape.  You can watch the full discussion here.

We were delighted by the record level of engagement, and the number of excellent questions received before and during the event. Below we share a selection of the most frequently asked questions, together with key insights drawn from the 2025 Report.

  1. In the AI era, what constitutes best-practice privacy and data governance – and how can organisations mitigate emerging risks from generative AI (GenAI), automated decision making (ADM) and data misuse?


    Best-practice governance in the AI era means building privacy, security and accountability into the organisation’s DNA – from Board oversight to system architecture, and across the full data lifecycle.  As our 2025 Report observes (p. 35), this includes comprehensive data mapping, automated retention and deletion controls, and clear accountability for data ownership and stewardship, as well as clear privacy settings that align with legal obligations.


    With AI technologies like GenAI and ADM increasingly embedded across operations, organisations must strengthen AI governance to address both legal and non-legal risks such as algorithmic bias, data leakage and unauthorised secondary use (2025 Report, p. 41).  Effective mitigation requires a security-first posture across the AI lifecycle, combining legal, risk and technical expertise, and engaging early with regulators.  Without these guardrails, even sophisticated controls can fail to protect against an ever-evolving threat environment.

  2. How should organisations prepare for the forthcoming Privacy Act reforms – particularly the new transparency and accountability obligations for ADM?

    From 10 December 2026, APP entities will need to disclose in their privacy policies the types of personal information used in ADM processes and the kinds of decisions those systems make (2025 Report, p. 58). The obligation applies even where humans are ‘in the loop’ if the decision-making is substantially automated.


    Preparation should begin now.  This means mapping all current and proposed ADM uses, identifying data sources, and assessing fairness and explainability.  Early alignment with global norms such as the EU Artificial Intelligence Act (2024) (2025 Report, p. 46, and see our related article here) and the OECD AI Principles will ease compliance and support responsible AI assurance.


  3. What level of preparedness is expected for cyber attacks – and when and how must data breaches be reported?


    Our 2025 Report highlights (on p. 36) that testing and rehearsal are as critical as having a plan itself.  Boards should treat incident response as part of strategic risk planning, supported by regular simulations and cross-functional drills.

    When a breach occurs, many organisations face overlapping notification duties under the Privacy Act 1988 (Cth), the Security of Critical Infrastructure Act 2018 (Cth), the Cyber Security Act 2024 (Cth), APRA Prudential Standard CPS 234, and industry-specific regimes (2025 Report, p. 38).  Some of these regimes require notification within a matter of hours: for example, a cyber security incident with a significant impact on a critical infrastructure asset must be reported within 12 hours under the SOCI Act, while CPS 234 and the ransomware payment reporting obligation under the Cyber Security Act each allow 72 hours.  These thresholds and requirements should be mapped and rehearsed so reporting is timely, accurate and legally defensible.

  4. How closely do Australia’s reforms align with international privacy frameworks such as the GDPR – and what should organisations know about cross-border data flows?

    Australia’s privacy reforms are converging with global standards (2025 Report, p. 59), with proposals to introduce GDPR-style elements such as purpose limitation, data minimisation, mandatory Privacy Impact Assessments for high-risk activities, and a 72-hour breach notification requirement.

    Cross-border data transfers will increasingly attract scrutiny as governments tighten localisation, sovereignty and adequacy rules.  Organisations operating internationally should implement a unified global compliance framework and ensure that contracts, consents and technical safeguards meet the highest common standard.

  5. What is expected of Boards and executives in driving proactive data stewardship and cyber resilience?

    Boards now bear explicit accountability for cyber governance.  ASIC’s enforcement actions reinforce that failing to maintain adequate cyber risk frameworks may breach directors’ duties under the Corporations Act 2001 (Cth) (2025 Report, p. 54).  Effective oversight requires regular briefings, independent testing, and uplift of cyber literacy across leadership teams (2025 Report, p. 39).  Although CISOs increasingly sit at board level, boards generally still lack deep cyber expertise.  Bridging that gap through training, simulation and clear metrics on cyber resilience is vital to maintaining customer, supplier, investor and regulatory confidence.

  6. What practical support exists for SMEs navigating privacy and breach notification obligations as regulator expectations rise?

    For SMEs, compliance must be operationalised – embedded in processes rather than reliant on ad hoc advice (2025 Report, p. 39).  Priority actions include:

  • integrating legal response procedures into cyber incident plans;
  • mapping overlapping regulatory obligations and assigning clear accountability;
  • training executives and incident managers; and
  • testing and updating breach response and decision-making at least annually.

Additional resources for SMEs are available through the OAIC’s Guide to Securing Personal Information and the Australian Cyber Security Centre’s Small Business Hub.

You can download the full Perspectives on Cyber Risk 2025 report, and watch the webinar on demand for deeper analysis and case studies on emerging threats, data governance uplift, and AI readiness.

MinterEllison provides full-service cyber legal and consultancy services with extensive experience in Australian privacy and cyber security law. If your organisation is unsure whether it is captured by new requirements, needs help establishing or updating internal protocols, or wants to review its broader cyber security strategy, our team is ready to assist.

https://www.minterellison.com/articles/top-cyber-and-privacy-questions-answered