Winner - Best Fintech Law Firm 2023 (Australia)
Winner - Best Emerging Fintech Law Firm 2022 (Australia)
AB is a modern law firm with a focus on advising in technically specialised areas. While strong technical expertise forms the foundation of our approach, we distinguish ourselves by combining it with a genuine focus on business objectives and risk, and a nuanced understanding of the emotional factors that underpin legal matters.
AB provides high-end legal expertise delivered with the commerciality and cost sensitivity expected by a start-up, wrapped up with an emotionally intelligent approach. Our leading advisors in cyber, technology, privacy, financial services and insurance risk position us as the ideal partner for organisations facing cyber and privacy risks.
What is a Privacy Capability Assessment?
The Privacy Capability Assessment (PCA) is a comprehensive solution that benchmarks your privacy practices against established best practices and regulatory obligations, providing actionable, pragmatic recommendations that enable your organisation to improve its privacy controls and processes and keep pace with continually evolving privacy regulation.
Our approach holistically assesses the current state of your privacy management program and privacy risks, and develops forward-looking recommendations to meet the ever-increasing privacy expectations of consumers and regulators. The approach aligns with internationally recognised privacy frameworks including the National Institute of Standards and Technology (NIST) Privacy Framework, the ISO/IEC 27701 extension to ISO/IEC 27001, and the UK Information Commissioner's Office (ICO) Accountability Framework.
A PCA covers all aspects of your privacy management program, including compliance with legislative requirements, policies and procedures, governance arrangements, data retention, lawful processing of personally identifiable information, resourcing, training and culture, and outsourcing and data sharing arrangements, including the use of Cloud services.
Why now?
Good information handling practices make good business sense. Organisations that maintain mature practices for handling personal information enhance their brand's reputation, increase consumer and employee confidence and trust, and ensure the accuracy and security of the data they rely on, while minimising the risk of harm to individuals and of regulatory action.
A Privacy Capability Assessment (PCA) helps you identify opportunities to uplift the maturity of your organisation’s privacy management program and meet the increasingly high public expectations and complex regulatory obligations.
The PCA enhances an organisation's overall data protection strategy and enables organisations to adapt to the ever-changing regulatory environment. The Australian Government has proposed 116 amendments to Australia's privacy laws, expected to be introduced to Parliament in 2024, that will impact heavily on every organisation. Our PCA will help to ensure your organisation is prepared for the pending changes and not scrambling to comply with complex new laws at the last minute. Early preparation can also be financially beneficial by spreading your investment in maturity uplift activities over a longer timeframe.
Organisations with mature and robust privacy programs can build trust with customers and drive long-term reputational and financial advantages.
The challenge for many organisations is knowing whether their existing privacy program is fit for purpose and understanding what changes they need to make to reach their target level of maturity.
How does it work?
The Privacy Capability Assessment benchmarks your organisation's privacy controls and practices against established, internationally recognised privacy frameworks. The engagement follows a defined five-step process outlined below:
Our team begins each engagement by gaining a deep understanding of your organisational structure, people, processes, technologies, and privacy objectives. During this phase we will confirm expectations and create a customised approach based on your environment, privacy requirements, and challenges.
As part of the Initiate phase, we will guide you on the selection of an appropriate privacy framework. This typically means choosing between the National Institute of Standards and Technology (NIST) Privacy Framework, the ISO/IEC 27701 extension to ISO/IEC 27001, and the UK Information Commissioner's Office (ICO) Accountability Framework. Selecting the framework that best fits your organisation can be complex.
Our expert privacy lawyers will guide you through that process and help you establish the target maturity level that will shape the actionable recommendations generated as part of the PCA outputs.
Understanding the strengths and weaknesses of your current privacy management program is key to understanding your privacy practices and building a long-term strategy. To achieve this, our team will interview your key personnel and collect copies of your current privacy policies. We will collect information on the types of personal information you collect and process, where you store it, who you disclose it to (such as third-party service providers), and your data retention practices.
We will also collect publicly available information about your business and copies of your ASIC records. This helps us to determine the scope of the applicable privacy rules and laws.
Our privacy lawyers will evaluate the supporting evidence against the selected Privacy Framework and applicable privacy laws and rules, identify gaps, and benchmark your privacy maturity level.
During this phase, we will provide our initial findings and recommendations.
The Privacy Capability Assessment's key deliverable is a privacy accountability report featuring an executive summary, current privacy control maturity benchmarks, and actionable recommendations for improvement.
This phase includes an in-depth workshop of up to two hours to walk through the findings and recommendations.
We will provide you with a final report containing actionable recommendations that clearly identify potential quick wins and the next steps for mitigating your privacy risks.
We will also provide a discounted proposal for any additional services or assistance you may require to implement the recommendations and support your privacy management program going forward.
Get a no obligation consultation
At Albrecht Burrows, we understand the complexity and urgency of the cyber and privacy risks facing businesses today. Get a no-obligation consultation with our experts to better understand how your business can increase its resilience to cyber and privacy threats and regulatory risks. Our team of experienced multidisciplinary professionals will work closely with you to create personalised risk management solutions tailored to your business' unique needs and budget. Don't wait until it's too late: schedule your no-obligation consultation today and take proactive steps towards protecting your business from cyber threats and privacy breaches.
What are the benefits to your business?
A PCA will help you assess the compliance of your privacy program against legislative requirements and provide you with an independent view of your current maturity level.
Preparing for privacy breaches helps to ensure you can respond quickly and efficiently, reducing the costs of response, the loss of customer trust, and the risk of legal and regulatory action. Our Privacy Capability Assessment highlights strengths and areas for improvement, enabling your organisation to strengthen its privacy risk management and reduce the potential costs of a data breach incident.
Cyber resiliency assessments and plans help to demonstrate that your directors and officers are meeting their obligations under the Corporations Act, reducing the risk of enforcement action. The PCA can act as independent assurance and provide you with ready-at-hand documentation in the event of an audit or regulatory enquiry.
Identifying whether your privacy practices and data processing activities could create risks of harm for individuals, even where your organisation is compliant with a strict reading of the applicable laws or regulations, supports ethical decision-making. This helps organisations to optimise beneficial uses of data while minimising adverse consequences for individuals' rights and freedoms, and to avoid the loss of trust that damages reputation, drives away customers and opportunities, slows adoption of products or services, or leads to abandonment by consumers.
You will be able to demonstrate that you meet the increasingly high public expectations around privacy protection.
Privacy data breaches often cause long-tail reputational harm. It can take years to recover to a pre-breach financial position and rebuild consumer trust, and the public remembers for years, even decades, which companies suffered high-profile breaches. Our privacy lawyers have managed hundreds of privacy data breaches that never became public and are highly experienced in managing crisis communications. Through this experience we understand the root causes of reputational harm from privacy incidents and how to protect against it.
Additionally, we have seen a rise in regulators holding executives accountable for pre-breach gaps in privacy compliance and inadequate personal information handling practices, often using the details of breach investigations and pre-breach audits as evidence. As lawyers we are well placed to structure the service outputs to protect legal professional privilege (LPP). LPP helps to prevent third parties, such as regulators, from using your Privacy Capability Assessment against you in future legal claims. We have designed our services in light of the recent Federal Court of Australia decision against Optus, which allowed a breach investigation report to be used as evidence in a class action because the work was not performed by lawyers for the dominant purpose of providing legal advice. Engaging a lawyer does not by itself create privilege; the dominant purpose of the engagement must be the provision of legal advice, and the engagement needs to be structured accordingly from the outset.
As a law firm not tied to any technology vendor or insurance underwriter, we are truly neutral and able to give your Board, directors and senior managers an objective assessment of the state of your privacy program.
Meet the Team
Our privacy and data protection solutions are delivered by our team of highly qualified professionals with decades of experience across all areas of privacy and data protection law, as well as law enforcement, artificial intelligence, cyber and technology, risk management, business resilience, disaster recovery, crisis management, insurance and more.
James A. Cole
Partner | Head of Cyber & Privacy
My passion is helping our clients to implement holistic and commercial technology, privacy, and governance strategies that are aligned to their business objectives and risk appetite. I enjoy holistically applying my expertise across technology, business, and law enabling me to get to the heart of the issues and achieve positive, long-term results for clients.
James has spent more than two decades specialising in information security, strategic operations, and governance, risk and compliance, helping businesses and government seamlessly integrate privacy, technology, security, and compliance with business objectives.
James’ success as a computer scientist and lawyer has been centred on his core belief that privacy, security, and compliance do not have to be onerous activities that hinder business.
James' expertise is wide-ranging. He has advised organisations across both the private and public sectors, and across a broad range of industries including financial services, insurance, technology, healthcare, and government.
His advice spans across:
- international commercial expansions and regulatory compliance
- international privacy regimes including GDPR, CCPA, HIPAA, PIPEDA, UK PECR, ePrivacy Directive
- Access to Information / Freedom of Information
- multi-jurisdictional privacy and data protection
- artificial intelligence (AI) and facial recognition technology including ISO 42001
- cyber resiliency and preparation & prevention of cybercrime
- cyber governance, risk and compliance including ISO 27001 & NIST 800-53
- contractual liability in cyber & technology, and privacy & data protection
- misleading and deceptive conduct in financial services including AFSL compliance and breach investigation & reporting
- data breach incident response and remediation
Academic Credentials
- Bachelor of Laws (Honours) - Queensland University of Technology
- Bachelor of Computer Science - University of Calgary
- Bachelor of Arts (English Literature and Philosophy) - Trent University
- Postgraduate Studies (Law) - University of British Columbia
- Diploma in Insurance Law - Law Society of Ireland
- Masters of International Security Studies (Distinction)- Macquarie University
- Masters of Policing, Intelligence & Counter Terrorism (Distinction) - Macquarie University
Certifications
- Fellow of Information Privacy (FIP) - International Association of Privacy Professionals (IAPP)
- Certified Information Privacy Professional / Europe (CIPP/E) - International Association of Privacy Professionals (IAPP)
- Certified Information Privacy Manager (CIPM) - International Association of Privacy Professionals (IAPP)
- Certificate in Data Protection Practice - Law Society of Ireland
- Certificate in General Data Protection Regulation (GDPR) - Law Society of Ireland
- Security+ - Computing Technology Industry Association (CompTIA)
- Canadian Securities Course (CSC) - Canadian Securities Institute
- Australia - New South Wales - Lawyer
- Australia - High Court of Australia - Solicitor
- New Zealand - Barrister and Solicitor (inactive)
- England & Wales - Registered Foreign Lawyer
- Privacy and Data Protection
- Cyber and Technology
- Insurance
- Artificial intelligence (AI)
- International Private
- Corporate and Commercial
- Administrative and Regulatory
2024
- Member of Law Society of NSW Taskforce on AI & other tools and trends shaping the legal profession
2023
- UNSW Edge Seminar - Cyber Security & Data Breaches: the new governance frontier
- Gartner Security & Risk Summit - CISO Masterclass on the Ins & Outs of Cyber Insurance
- AISA CyberCon Canberra - Ask an Expert - Ask a cyber insurance breach coach about prevention and incident response planning
2022
- Tenable on Tour - Managing data risks and the role of legal teams
- Law Society of NSW Annual Conference - The value of data, what you can do with it and what you can't (Moderator)
- Young Lawyers Criminal Law Sub-Committee, Law Society of NSW - The challenges of responding to cybercrime
- Albrecht Burrows & Law Squared webinar - Privacy: a whole of enterprise risk
- Law Society of NSW CPD webinar - Risk management as a strategic business tool: why legal is so much more than a dustpan and brush
2021
- Pemba Capital Partners Lunch and Learn - Cybersecurity in financial services
Mark Anderson
Legal Consultant, Lawyer (NZ)
Managing risk with both technical precision and pragmatism is critical in the modern environment. Properly understanding your business needs and then delivering that advice together with integrity, trust and loyalty are fundamental to ensuring your most optimal outcomes.
Mark is a highly awarded legal risk adviser and barrister to New Zealand and international businesses, governmental entities and public bodies. He has more than 20 years' experience advising on risk, including cyber risks and breach responses, technology contract liability, security and governance, health and safety, environmental, competition and other regulatory investigations.
He has provided incident response advice globally to clients in need, including those in Europe, Australia, New Zealand and across APAC, after developing global incident response panels drawing together legal, IT, Forensic and PR professions to manage cyber crises. He has managed some of the highest profile cyber breaches in Australasia.
Mark is a trusted leader with a high level of integrity, professionalism, and discretion. He is an exceptional strategist committed to minimising current and perceived risks while providing innovative, future-focused and pragmatic legal strategies to achieve your objectives.
He is recognised by peers for his tenacity and a proven ability to direct technology and cyber risk and data breach incident responses, regulatory notifications, and insurance operations during business interruptions following a cyber incident. Mark has been ranked as a leading lawyer in the Legal 500 (2020 and 2021) and as a top privacy lawyer by Best Lawyers (2017-2023).
LLB (Otago University)
BA (Hons - International Relations & Politics)
- New Zealand - Barrister and Solicitor. Currently registered Barrister
- Technology
- Cyber Incident Response
- Privacy
- Insurance
- Litigation
- Board Risk and Governance Advisory
- Administrative and Regulatory
- Regulatory Investigation Response
- Aviation and Marine Risks
- Health and Safety
- Environmental / Climate Change Risk
- Data subject rights: The real risk of privacy and security for business - 2022
- Ransomware - the mechanics of ransom payments - Insurance industry seminar - 2021
- The Globalisation of Privacy Breach Law - European developments and impact on Australasia - New Zealand Insurance Law Association - March 2020
- Cyber, conflict and cover: time for a re-think? - Seminar and publication - 2018
- Connected and Autonomous Vehicles: The future? - Oral and written evidence - 2016
"AB is an outstanding firm that delivers practical and innovative solutions for our business. Their experienced lawyers take a strategic and proactive approach while always trying to minimise costs - plus they explain scenarios in plain English so we know exactly what the outcomes might be."
Murray Liston
Managing Director, Civic MJD
Frequently Asked Questions - Privacy Solutions
A Privacy Capability Assessment provides a holistic snapshot of your organisation’s approach to handling personal information and assesses whether your capabilities align with your privacy objectives and legal obligations.
By contrast, a Privacy Impact Assessment (PIA) analyses an existing or proposed project, practice or technology and assesses its level of compliance with the privacy laws, such as the Australian Privacy Principles (APPs). A PIA takes a deep dive into a particular initiative, examines its data flows, and ensures the initiative is compliant with the relevant APPs and any other applicable privacy rules.
Yes.
You should revisit your PCA on at least an annual basis and see if anything has changed. You need to update the PCA if you have made changes to:
- your personal information handling practices;
- storage;
- vendors / suppliers;
- systems; or
- the types of personal information you collect, process, store, or disclose.
You should also update the PCA anytime the privacy laws change or your business practices change and you gain exposure to new privacy rules or foreign privacy laws.
A Privacy Impact Assessment (PIA) is a process used to achieve privacy-by-design when you start or acquire a new business, implement a new process, start working with a new supplier, Cloud service or Processor, or launch a new product or technology. The PIA is focused on your activity's compliance with the privacy rules and laws.
A Data Protection Impact Assessment (DPIA) is an ongoing process, regularly applied to personal data processing, for identifying and mitigating data protection risks. The DPIA is focused on the risks to privacy associated with the activity.
Yes it is. A PIA can be conducted against existing projects, practices and systems.
However, it is best practice to carry out a PIA during the planning stages of a project or system and throughout the implementation phases. This way, privacy issues can be addressed early rather than being treated as an afterthought, and the PIA is updated as the project matures, resulting in a privacy-compliant initiative at go-live.
Yes you do. Privacy Impact Assessments are living documents. Besides addressing any gaps and updating the PIA after remediation activities are completed, the PIA needs to be reviewed and updated every time a trigger event occurs.
Trigger events to refresh your PIA include:
- The privacy laws change;
- You make a material change to the previously assessed initiative or system such as technology upgrades, deploying a new system, changing the data flows, changing the data storage, or changing suppliers / vendors or Cloud services;
- You make a change to the purpose of the personal information processing;
- you change what personal information you collect as part of the initiative or add new personal information from another initiative, system, or process; or
- you change the nature of the processing you are doing on the personal information.
The easy way to think of it is: if something about your system or process changes, update the PIA.
Risk-neutral advice
Legal advice is all about managing risks, but that doesn’t mean it should be risk-averse. At AB we believe that while your legal adviser should lay out the risks, and provide the information a client needs to make an informed decision, the decision of where to set risk tolerance should lie with the client. Your lawyer sets out where the line is – the client decides how close they want to be. Being able to pinpoint that line clearly and accurately is what distinguishes a legal advisor – not limiting the client’s options.
Case Studies
Case Study
Mapping Privacy Compliance across a Government Agency
A Commonwealth Agency was undergoing substantial IT modernisation projects that included changing the manner in which they collect, process, store, and disclose personally identifiable information.
They were concerned about potential compliance issues that might arise under the privacy laws and needed to conduct a Privacy Impact Assessment of the business processes and third-party SaaS applications that were being deployed as part of their IT modernisation program.
We were engaged to provide privacy and data protection services including:
- Review of the SaaS infrastructure design considering applicable privacy laws.
- Review of SaaS contracts with a large, international IT vendor for compliance with privacy laws and data protection best practice.
- Draft updates to privacy policies and notices reflecting changes to IT infrastructure and business processes impacting on privacy-related information.
- Conduct a Privacy Impact Assessment covering the end-to-end lifecycle of the personally identifiable information, and sensitive data, across the Agency's environment covering business processes and IT systems.
- Advise legal, risk, and IT teams on privacy compliance issues and best practice and assist the IT modernisation project team leaders on changes to systems structure and deployment to align with privacy compliance obligations under the APPs.
We helped the client successfully navigate the complexities of data protection and privacy laws as they apply to complex SaaS applications utilised across the Agency minimising their overall privacy and data protection risks.
We produced a comprehensive Privacy Impact Assessment allowing the Agency to comply with their obligations under the Privacy Act and the Commonwealth Privacy Code. The PIA gave the Agency, other Government Departments & Agencies, and the general public assurance that privacy is taken seriously and considered as a part of the Agency-wide risk management program.
- Privacy and Data Protection Advising
- Privacy Impact Assessment (PIA)
- Privacy Contract Review
- Privacy-by-Design Advising
Case Study
Navigating complex international AI and Facial Recognition laws
An Australian SaaS company that makes virtual try-on technology for the retail industry was looking to assess their cyber and privacy posture and minimise their risks while expanding their sales into large US, UK, and EU retailers.
They were concerned about potential liabilities that might arise under the privacy laws as the technology makes use of facial recognition.
We were engaged to provide privacy and data protection services including:
- Review of the SaaS infrastructure design and use of artificial intelligence, machine learning, and facial recognition technology considering international data protection and biometric information privacy laws.
- Review of international SaaS contracts with large retailers in the US, UK, and EU.
- Risk mitigation strategies to ensure compliance with GDPR, CCPA, and the Illinois Biometric Information Privacy Act.
- Drafting of privacy policies and notices for the processing of facial recognition information for the purposes of retail virtual try-on processing.
- Advising on legal risks associated with processing of facial recognition information relating to both adults and children and AI processing for purposes of related product recommendations based on facial characteristics and geolocation availability of products.
We helped the client successfully navigate the complexities of international data protection laws as they apply to biometric information in retail SaaS applications minimising their overall privacy and data protection risks.
We drafted contractual clauses to help the client to limit their liability with retailers across Australia, the US, the UK and EU and implement a sound multinational expansion strategy aligned to the client's risk tolerance.
- AI Governance Advising
- Privacy and Data Breach Advising
- International Private commercial contract review and drafting
- Legal Engineering
Data breach emergencies
If you have experienced a data breach, whether through unintentional employee error, employee data theft, or a cyber-attack, the first 48 hours are crucial. So don't waste any time, just get in touch.
Reach out, day or night.
If you don’t reach us straight away, we will get in touch ASAP!
Email us on [email protected]
Breach emergency Line: 02 8318 5980
Smart Commercial Lawyers
Delivering emotionally intelligent legal solutions
ablaw.com.au | [email protected]
Reception 02 8014 2511
Level 12, 111 Elizabeth Street
Sydney NSW 2000
Level 11, 456 Lonsdale Street
Melbourne VIC 3000
Rahiri Chambers
Level 10, Britomart Place
Auckland CBD