Publication
Essential Corporate News – Week ending 11 July 2025
On 1 July 2025, the Quoted Companies Alliance (QCA) published three new board committee guides to accompany the QCA Environmental and Social Guide published in December 2024.
Privacy law changes: Key actions to ensure compliance
Publication | April 2017
Content
What do you need to do to prepare for the new data breach notification laws?
A new age for data privacy in Australia will begin on 22 February 2018. Recent legislation regarding mandatory data breach notification has two direct consequences for all Australian companies with an annual turnover exceeding $3 million:
- companies will need to inform all third parties affected by an eligible data breach.
- organisations may be held liable for breaches occurring across their supply chain.
The implications are numerous for the main guardians of data privacy policies and compliance: general counsel and legal officers alike will need to keep in mind the possibility of class actions in relation to breaches, a million dollar-plus price tag for non-compliance, and a more stringent vendor selection and management process.
Case study: What happens when a privacy data breach occurs in the lab?
FutureStem* is a life sciences research and development lab. The $10 million annual revenue innovation hub has multiple partnerships with global players in the sector, but maintains a lean, independent structure. It relies on a third-party facility for a variety of analyses, and thus shares a large portion of its testing information.
But what if the third party testing facility suffered a data breach, and personal information related to FutureStem’s research projects were stolen and posted on social media sites?
| in 2017 FutureStem... | in 2018 FutureStem... |
|---|---|
| May not have had to notify impacted individuals. | Might pay between $350,000 and $1.8 million in fines AND notification costs to all impacted individuals in addition to other breach-related costs (crisis management, breach recovery and reputational damage). |
| No notice given, therefore no personal complaints, and no legal action. | Might face a class action suit by subjects included in the research, and further legal action by its corporate partners and sponsors. |
| Would have not been held liable for the data breach within its supply chain. | Would be held liable for the breach, and face an enquiry over data privacy compliance across its supply chain. Also the third-party facility would be obliged to notify impacted individuals. |
*this is a hypothetical example.
There are practical steps that a business of any size can take to ensure compliance with the new laws, assess its supply chain, and prepare for the eventuality of a breach.
Click here to learn more about our affordable and comprehensive compliance packages.
Recent publications
Publication
Climate change litigation update
In the two years since our last climate litigation update, the prevalence and variety of global climate litigation around the world has continued to increase.
Publication
L’AMF propose un encadrement pour l’usage de l’IA dans les services financiers : quelles obligations pour les institutions financières?
Selon un rapport conjoint du Bureau du surintendant des institutions financières (BSIF) et de l’Agence de la consommation en matière financière du Canada (ACFC), environ 70 % des institutions financières fédérales prévoient utiliser l’IA d’ici 2026 .
Subscribe and stay up to date with the latest legal news, information and events . . .