Privacy and Data Protection, Risk Advisory


Privacy and Data Protection services

Beyond compliance towards customer-centricity

Balancing the maximisation of commercial opportunities with the ethical use of personal information is an emerging challenge for organisations. How is your organisation defining its “creepy line”?

Privacy Risk Management

Deloitte’s Australian national privacy team has a wealth of commercial and regulatory experience that can help you transform your privacy capability beyond compliance towards a customer-centric approach and meet your commercial objectives.

As privacy risk moves from being managed at a local level to a global level, organisations are implementing programs that take a holistic approach to privacy and data protection risk management.

We help organisations by:

  • Preparing for an assessment by a regulator such as the Office of the Australian Information Commissioner (“OAIC”) or an independent auditor
  • Assessing privacy compliance against local Australian regulations such as the Privacy Act 1988 (Cth), as well as global regulations such as the European Union General Data Protection Regulation (“EU GDPR”), China’s Cyber Security Law and any other regulation required
  • Implementing automated data discovery and classification solutions 
  • Developing and implementing privacy risk frameworks and strategies which consider regulatory requirements, commercial need and external risks such as third parties
  • Developing and implementing third party risk frameworks
  • Developing and implementing education and awareness strategies
  • Providing staff to support you operationally as required.

We take the time to understand your current risk appetite before creating a transformation program so that we can create a program that meets your needs both from a governance and operational perspective.

Privacy Audit and Assessment Solutions

Privacy Assessments are a means of measuring the privacy impacts posed by a new business initiative, product, project or for Business As Usual (‘BAU’) activities. They are usually undertaken to identify potential gaps in privacy compliance and present recommendations for remediation.

We assist organisations in performing audits, assessments and health checks against a variety of criteria, with a roadmap of tangible recommendations for remediation suited to the culture, budget and risk appetite of your organisation.

As Privacy Impact Assessments are increasingly recommended or mandated by regulations globally, such as the EU GDPR, we are increasingly assisting organisations in implementing their own digital privacy assessment solutions.

Automated Data Discovery and Classification Solutions

Deloitte’s Data Discovery solutions will enable you to answer the following questions:

  • Where is personal information stored?
  • Who has access to this personal information?
  • What cloud software is used by our staff on our network?
  • What personal information about our customers is stored in the cloud? (only specific cloud software is covered, e.g. Dropbox)

Deloitte uses a tool which enables organisations to tangibly determine where personal information is held, both in file shares and in cloud applications.

Once you understand where your data is, we can help you automatically classify files in certain locations, and configure tracking for all new files created or extracts of data so that you can track the movement of all your data.

Organisation culture assessments

Statistics show the largest risk of a breach comes from internal staff. A survey can test knowledge as well as the behaviour of staff when put in certain situations.

An organisation culture assessment demonstrates where the weaknesses are in your organisation so that you can proactively address new risks as they emerge.

Training and awareness

Regulatory changes, new questions from data-savvy consumers and your staff, and new privacy threats mean that organisations need to be educated periodically via proactive, interactive education techniques to ensure engagement and understanding, in addition to emails and computer-based training.

Understanding key privacy stakeholders enables organisations to conduct targeted training and awareness campaigns, specific to a role or relationship of an individual with the organisation.

Deloitte assists organisations in developing and implementing general and tailored training and awareness programs covering specific privacy training topics including:

  • Local and international obligations for an organisation
  • The operational privacy lifecycle and the risks to the organisation at each point
  • Access control
  • Responding to data breaches
  • Policies and procedures
  • Risks specific to a role or business function.

Contact us

Tommy Viljoen

Partner, Risk Advisory

Tommy leads the cyber risk services strategy and governance team based in Sydney and has over 30 years’ experience in information technology, IT risk and cyber security governance across a broad range...