In the age of artificial intelligence, data integrity has emerged as the fundamental bedrock upon which reliable, trustworthy, and effective AI systems must be built. As organisations increasingly rely on AI to drive decision-making, predict consumer behaviour, assess market trends, and secure against data breaches, the importance of maintaining data integrity throughout the data lifecycle cannot be overstated. The concept of data integrity encompasses the accuracy, completeness, consistency, and reliability of data throughout its lifecycle. Just as a building cannot stand strong without a solid foundation, AI systems cannot function properly without the solid foundation of high-quality, trustworthy data. The adage “garbage in, garbage out” takes on new significance in the context of AI, where the consequences of poor data integrity are magnified exponentially.
This is a version of a talk I gave recently at the Institute of Information Management (IIM) conference in Brisbane. I thought it might be worth sharing here too.
Introduction
What I’ve learned along the way is that behind every business problem is a human being with some kind of need. And if we understand that, we can solve it. Increasingly now, every business is a data-driven business, but you can’t let data be the only thing. We need to focus on the human problems we’re trying to solve. And that’s really what I want to talk about today – how we navigate the increasingly complex world of data integrity and compliance in the Australian digital landscape while keeping the human element front and centre. Today I’m going to cover four main areas:
- An overview of the evolving Australian data landscape, including the regulatory changes that are reshaping how we manage data in 2025.
- The human side of data integrity – why focusing on people and their needs is essential for effective data governance.
- Australia’s approach in a global context, looking at international trends and how Australia is positioned to respond.
- Some practical strategies that organisations can implement to navigate this complex landscape successfully.
The Current State of Play
When we look at Australia’s digital landscape in 2025, what we’re seeing is nothing short of a transformation. Our nation has embraced digital technologies at an impressive rate, with businesses and government agencies alike investing heavily in data-driven solutions. But this rapid digitalisation hasn’t come without its challenges. What makes Australia’s data ecosystem particularly interesting – and challenging – is that we’ve developed what I like to call a “patchwork” of legislative and regulatory mechanisms. Unlike some jurisdictions with a single comprehensive data protection law, we have a complex web of economy-wide and industry-specific obligations. And this complexity is only growing. For those of you who’ve been following the regulatory developments, you’ll know that the Privacy & Other Legislation Amendment Act came into effect in December 2024. This first tranche of reforms introduced several significant changes to our privacy landscape, including expanded powers for the Information Commissioner, new civil penalties, and facilitated information sharing in emergency situations.
But what I find particularly interesting are two elements that are still in their grace periods: the new statutory tort to redress serious invasions of privacy, which comes into effect in June 2025, and the increased transparency requirements for automated decisions using personal information, which organisations have until December 2026 to implement. We’re also seeing new criminal offences for ‘doxxing’ – the malicious public disclosure of someone’s personal information with intent to cause harm. This reflects a growing recognition that privacy violations can cause real harm to real people. And let’s not forget the Children’s Online Privacy Code, which is being developed to provide enhanced protections for our youngest digital citizens. This is particularly important as we see more and more children engaging with digital platforms from an increasingly early age.
Critical Regulatory Developments
Beyond privacy reforms, there are several other regulatory developments that are reshaping Australia’s digital landscape. The Cyber Security Act 2024, which came into effect in November last year, introduces a range of new obligations. The legislative rules to support the implementation of the Act are being rolled out over the next year, including:
- The Cyber Security (Ransomware Reporting) Rules, which will commence in May 2025 and will require businesses with an annual turnover of AUD $3 million to report ransomware incidents
- The Cyber Security (Cyber Incident Review Board) Rules, also commencing in May 2025
- And the Cyber Security (Security Standards for Smart Devices) Rules, which will commence in March 2026
These rules represent a significant shift in how we approach cybersecurity in Australia, moving from a largely voluntary approach to one with more mandatory requirements.
For those of you in the critical infrastructure space, you’ll be aware of the amendments to the Security of Critical Infrastructure Act that came into effect in November 2024. These changes confirm that organisations responsible for SOCI assets must ensure risks to data essential to the asset’s operation are considered in their Critical Infrastructure Risk Management Program. And if you’re in the financial sector, you’ll be preparing for the Prudential Standard CPS 230 Operational Risk Management, which takes effect from July 2025. This will require APRA-regulated entities to effectively manage operational risks, maintain critical operations through severe disruptions, and manage the risks associated with service providers. Finally, we have the Scams Prevention Framework, which passed both Houses of Parliament in February 2025. This framework requires service providers in selected sectors to take actions to combat scams, following the principles of Govern, Prevent, Detect, Report, and Disrupt.
Now, I know that’s a lot of regulatory information to take in, and navigating this complex regulatory landscape requires a tailored approach. But understanding these developments is crucial for effective data governance in 2025 and beyond. What’s important to remember is that these regulations aren’t just bureaucratic hoops to jump through – they’re designed to protect real people from real harm. And that brings me to my next point: the human side of data integrity.
Beyond Compliance: Understanding the Real Problems
Now, this is the part where I really want to emphasise something that I believe is fundamental to effective data governance: behind every business problem is a human being with some kind of need.
In my years working with data, I’ve seen too many organisations approach data integrity and compliance as purely technical challenges. They focus exclusively on the systems, the processes, and the regulations – and they forget about the people. But here’s the thing: data doesn’t exist in a vacuum. It represents real people, real behaviours, real needs. When we talk about data breaches, we’re not just talking about compromised databases – we’re talking about individuals whose personal information has been exposed, potentially leading to financial loss, identity theft, or emotional distress. When we talk about algorithmic bias, we’re not just talking about flawed models – we’re talking about people who may be denied opportunities or services based on unfair criteria.
Every organisation is what I like to call a “unique special snowflake.” What works for one may not work for another, because each has its own culture, its own values, its own people. That’s why cookie-cutter approaches to data governance often fail. You need to understand the specific human problems your organisation is trying to solve. Let me give you a real-world example. In a previous role, I implemented a data governance framework that wasn’t just about compliance with regulations – it was about supporting our researchers, our educators, and our students. We asked ourselves: What do these people need from their data? How can we make their lives easier while also ensuring data integrity? By focusing on these human questions, we were able to develop solutions that people actually wanted to use, rather than systems they tried to work around. And that’s a critical point: if your data governance approach doesn’t work for the humans in your organisation, they’ll find ways to circumvent it, potentially creating even bigger risks.
The Trust Equation
This human-centered approach to data integrity leads directly to what I call the trust equation. In simple terms:
data integrity + transparency = trust.
Trust is the currency of the digital age. Your customers trust you with their data. Your partners trust you to handle shared information responsibly. Regulators trust you to comply with the rules. And when that trust is broken, the consequences can be severe. The business case for strong data governance goes well beyond avoiding fines or penalties. It’s about maintaining the trust of your stakeholders. Research consistently shows that organisations with strong data governance practices enjoy higher levels of customer loyalty, more productive partnerships, and better reputations. Consider the reputational impact of a data breach. According to the 2024 Cost of a Data Breach Report, the average cost of a data breach in Australia is now AUD $5.8 million. But that figure doesn’t capture the long-term damage to customer trust, which can take years to rebuild. Building a culture of data integrity across your organisation isn’t just about having the right policies and procedures in place – though those are certainly important. It’s about fostering a mindset where everyone understands the value of data and their role in protecting it. From the frontline staff who collect customer information to the executives who make strategic decisions based on data insights, everyone needs to understand that data integrity is a shared responsibility. And that responsibility is ultimately about protecting people – your customers, your employees, your partners. When we frame data governance in these human terms, it becomes much more than a compliance exercise. It becomes a core business value that drives better decision-making, stronger relationships, and ultimately, better outcomes for everyone involved.
International Trends Shaping Our Approach
While we’ve been discussing the Australian context, it’s important to recognise that data integrity and compliance is a global challenge. We’re not operating in isolation, and understanding international trends can help us better navigate our own landscape.
The European Union’s General Data Protection Regulation (GDPR) continues to set the global benchmark for privacy protection. What’s interesting is that GDPR enforcement is becoming increasingly strict, with regulators focusing on adherence to the principles of personal data processing and imposing larger fines for non-compliance. The total sum of GDPR fines has grown exponentially since its implementation, and this trend shows no signs of slowing down.
In the United States, we’re seeing the California Privacy Rights Act (CPRA) building upon the foundation of the California Consumer Privacy Act, giving California residents even greater control over their data. And it’s not just California – approximately 20 US states have now enacted their own privacy laws, creating a complex patchwork of regulations that global companies must navigate. One particularly interesting development is the Global Privacy Control (GPC), a technical specification that allows users to signal their privacy preferences to websites automatically. It’s essentially a digital “Do Not Disturb” sign, and it’s becoming mandatory under most US state privacy laws. But I must caveat this with a note that nobody knows what the Trump regime’s current appetite is for any kind of additional regulation in the AI and privacy space.
When it comes to AI regulation, the EU is again leading the way with the AI Act. The first rules of this Act, covering prohibitions and AI literacy obligations, came into effect in February 2025, with full application expected by August 2026. The Act takes a risk-based approach, categorising AI systems into four levels of risk and imposing stringent requirements on high-risk applications. The US is taking a more fragmented approach to AI regulation, with multiple bills under consideration at the federal level and various state initiatives. Canada is developing the Artificial Intelligence and Data Act (AIDA), focusing on “high-impact systems” in areas like employment, service access, and law enforcement. We’re also seeing a global trend toward data localisation, with countries like China, Russia, and India (among many others) requiring certain types of data to be stored within their borders. This has significant implications for global data flows and business operations.
Australia’s Opportunity to Lead
So where does Australia fit in this global picture? I believe we have a unique opportunity to lead in a few areas:
- Our approach to critical infrastructure protection, particularly through the Security of Critical Infrastructure Act, is quite advanced. We’ve recognised the essential role that data plays in the operation of critical assets and have developed frameworks to protect it accordingly.
- Our financial sector regulations, particularly APRA’s CPS 230, demonstrate a sophisticated understanding of the relationship between operational risk, data governance, and third-party risk management.
But perhaps our greatest opportunity lies in how we balance innovation with protection. Australia has a strong tradition of pragmatic regulation – not too heavy-handed, but not too laissez-faire either. This positions us well to develop approaches that protect individuals while still enabling businesses to innovate and compete globally. I also believe Australia has a significant role to play in the Indo-Pacific data ecosystem. As data flows increasingly shape regional economic integration, Australia can help establish norms and standards that promote both data protection and data utility. The key is to approach these opportunities with a clear understanding of our values and priorities. What kind of digital society do we want to build? How do we ensure that our data practices reflect our commitment to fairness, transparency, and human dignity? These are not just technical questions – they’re deeply ethical and social questions that require broad engagement across sectors and communities.
Implementation
Let’s get practical now. How can organisations actually navigate this complex landscape of data integrity and compliance? I’d like to share some strategies that I’ve seen work effectively across different sectors.
First, let’s talk about the Essential Eight framework. Developed by the Australian Cyber Security Centre, this framework provides a solid foundation for protecting your systems from cyber threats. The framework is divided into three objectives: preventing cyberattacks, limiting their extent, and ensuring data recovery and system availability.
What I like about the Essential Eight is its maturity model approach. You can implement it in phases, starting with Maturity Level One and working your way up to Maturity Level Three. This makes it accessible for organisations at different stages of their security journey.
For those of you in specific sectors, there are additional considerations. Financial services organisations need to be preparing for CPS 230 Operational Risk Management, which takes effect in July 2025. This means identifying the technology and systems enabling critical operations and implementing commensurate risk management controls.
If you’re responsible for critical infrastructure, you need to ensure that your Critical Infrastructure Risk Management Program addresses risks to data essential to your asset’s operation. And for telecommunications providers, be aware that you have until October 2025 before the CIRMP requirement takes effect.
Small businesses face their own challenges. While the Privacy Act’s small business exemption is still in place, it’s under serious reconsideration. The February 2023 Privacy Act Review Report proposed abolishing this exemption entirely, which would bring approximately 2.3 million additional businesses within the scope of privacy regulation. So, if you’re a small business owner, it’s worth starting to prepare now, especially given the 13% increase in cybercrime targeting smaller firms as “easier targets.”
One thing I commend to any small business folks in the audience today is to check out the SMB1001:2025 standard, which is a multi-tiered cybersecurity certification standard for small and medium-sized businesses and is much more accessible than the Essential Eight for small businesses. You can also check out this Data Revolution podcast episode, which covers SMB 1001 in more detail.
Technology and Governance Integration
Beyond framework implementation, there are several approaches to integrating technology and governance effectively.
A platform-first compliance strategy can be particularly valuable. This involves using centralised compliance solutions to manage multiple frameworks, with automated tools that integrate various requirements to streamline processes. This is mostly framed as part of governance, risk and compliance activities. This approach reduces manual work and compliance gaps, allowing your team to focus on strategic priorities rather than administrative tasks.
If you’re implementing AI systems, it’s crucial to align your AI strategy with privacy and security requirements. This means developing AI applications that comply with existing regulations and ethical standards, focusing on data minimisation in AI training and implementation, and establishing robust governance frameworks for AI decision-making. ISO/IEC 42001, the AI Management system standard, is a great starting place for organisations that need to work out how to manage and govern their AI operations.
Third-party risk management is another critical area. With the increasing reliance on external vendors, you need centralised third-party risk assessments and compliance monitoring. This helps ensure that your supply chain aligns with privacy standards and reduces the risk of data breaches originating from external sources.
Data governance framework enhancement is also essential. This involves conducting comprehensive data inventories to identify what personal information you collect, where it’s stored, how it’s processed, and why you use it. This mapping exercise provides the foundation for establishing appropriate retention periods and implementing effective data minimisation strategies.
Finally, strengthening your information security posture is more important than ever, given the increased penalties for privacy breaches. Implement appropriate technical and organisational measures to safeguard personal information, establish regular security assessments and vulnerability testing, and update your data breach response plans to align with Australian notification requirements.
Remember, the goal isn’t just compliance – it’s building a robust approach to data integrity that protects your organisation, your customers, and your partners while enabling innovation and growth.
Key Takeaways
As we come to the end of our time together, I’d like to leave you with a few key takeaways.
- Remember that behind every business problem is a human being with some kind of need. When we approach data integrity and compliance from this human-centered perspective, we develop solutions that work not just on paper, but in practice.
- Recognise that every organisation is a unique special snowflake. There’s no one-size-fits-all approach to data and its governance. You need to understand your specific context, your specific risks, and your specific opportunities.
- Understand that data integrity creates business value beyond compliance. It builds trust with your customers, your partners, and your regulators. And in today’s digital economy, trust is perhaps your most valuable asset.
- And, acknowledge that Australia has a real opportunity to lead in the global data and AI conversation. Our pragmatic approach, our sophisticated understanding of critical infrastructure protection, and our position in the Indo-Pacific region all give us a unique voice in shaping how data is used globally.
Call to Action
So, what should we do with all this information? Let me suggest a few concrete steps.
- Proactively prepare for upcoming regulatory changes. Don’t wait until the last minute to comply with the Cyber Security Act rules or CPS 230. Start mapping your data, reviewing your policies, and enhancing your security measures now.
- Invest in data governance as a strategic priority. This isn’t just an IT issue or a compliance issue – it’s a business issue that requires leadership from the top. Make sure your executives understand the value of strong data governance and allocate resources accordingly.
- Collaborate across sectors to develop best practices. Join industry groups, participate in forums like this one, and share your experiences with peers. We’re all figuring this out together, and we can learn a lot from each other’s successes and failures.
- Commit to continuous learning and adaptation. The digital landscape is evolving rapidly, and what works today may not work tomorrow. Stay curious, stay informed, and be willing to adjust your approach as new challenges and opportunities emerge.
Final Thought
I’d like to close with a thought that guides my own work in this field. Data isn’t just ones and zeros – it’s a reflection of human lives, human choices, and human potential. When we protect the integrity of data, we’re ultimately protecting people and their right to control their digital identities. As information management professionals, we have a crucial role to play in building a digital future that respects human dignity, promotes fairness, and creates value for all Australians. It’s a big responsibility, but it’s also an exciting opportunity to shape how technology serves humanity.
