How are organisations really dealing with their privacy obligations? Our new report into privacy maturity reveals a mixed scorecard for Australian businesses.
Launched on 19 June 2025, the Privacy Pulse 2025: Measuring Maturity report presents the results from Australia’s first survey on privacy maturity, revealing that most Australian organisations still have some way to go to reach the level of sophistication needed to comply with the law in how they handle and protect their customers’ private information.
Drawn from a survey of 119 organisations from a wide range of industries and organisation sizes, our report shows that the effectiveness of privacy programs is still a work in progress in Australia, against a backdrop of ongoing privacy law reforms and increased regulatory scrutiny.
Among the report’s key findings, 91% of the organisations surveyed have a person designated to act as the Privacy Officer – but well over half (56%) claim to have no, or only a basic, process to identify and assess their privacy risks.
Many organisations are also falling behind on the training front, with 59% offering only basic online training in privacy practices to their employees, and another 10% offering limited or no training at all – and only 3 in 10 having training relevant to particular roles within the organisation.
When looking at specific industries, the retail sector shows the greatest privacy maturity, particularly in staff training and the maturity of their data breach plans. At the other end of the scale, the construction, manufacturing, mining and agriculture and entertainment and hospitality sectors are stumbling on training as well as transparency and risk management.
Helios Salinger partner Anna Johnston said the report highlighted that many organisations were still grappling with how to embed good privacy practices in their day-to-day operations.
“Training is a real gap, and an important one to fill. It really means getting down to the level of ensuring that everyone in the organisation knows what’s expected of them, and what that looks like practically speaking. It’s also important that it’s clear to customers why their information is being collected, and what it will be used for.”
Anna said having an effective privacy program was no longer a ‘should have’ but a business imperative.
“Poor privacy practices are not only a major reputational risk for businesses that rely on consumer trust and goodwill, but also leave them exposed financially – with the Australian Privacy Commissioner this week signalling the regulator’s intention to ramp up enforcement activity including conducting ‘compliance’ scans and issuing instant fines of up to $66,000 for strict liability matters: for example, not having a compliant Privacy Policy on your website.
“But the maximum penalties for other breaches of the Privacy Act are now over $50 million, so companies can no longer afford to ignore privacy risk.
“Our report is a valuable tool in serving as a benchmark for organisations to understand how they’re tracking at an organisational and industry level, as well as a roadmap of the steps needed to improve their own privacy compliance programs.”
Download your copy of the report, Privacy Pulse 2025: Measuring Maturity.
