Sonia Sharma has always been interested in "the intersection of people, technology and the law"
Maddocks privacy and cyber partner Sonia Sharma has worn many hats throughout a storied career, from a stint in the music industry to journalism. She has always been interested in, as she puts it, “the intersection of people, technology and the law”.
In the second part of this interview, Sharma talks about how being a journalist made privacy and cyber the ideal field of law for her, the most important thing organisations need to know about privacy protection, and the most common privacy-related legal issue she has encountered recently.
I am not your typical lawyer! I used to work in the music industry and am also a trained journalist and editor. From the outset of my legal career, my interest has always been geared towards the intersection of people, technology and the law.
I was a founding member of Maddocks’ TMT team when I joined the firm as a baby lawyer almost 15 years ago to help start the team. In 2012, the Privacy Act changed with the introduction of the Australian Privacy Principles – this was when my passion for privacy first started as I advised clients of these reforms. When the mandatory data breach regime was introduced, it cemented my love for this rapidly changing area of law. I am comfortable operating in a high-risk and unpredictable environment and love helping clients through a crisis.
I also love collaborating with forensic experts and other specialists on data breach and cyber response. My journalism background and natural curiosity mean that privacy and cyber is the perfect fit for me. I’m really passionate about helping clients in a real and practical way to navigate Australia's changing legal and technical landscape. It is really rewarding to work with clients and help them proactively safeguard personal information and improve their privacy and cyber security resilience.
I would say there are two key things: first, it’s critical for business to have a baseline understanding of its information handling practices across the organisation. For organisations regulated by the Privacy Act 1988, this involves understanding what personal information is held and current compliance with the 13 Australian Privacy Principles (APPs).
The second thing is that people, your culture, is critical. In order to manage risks you need to create a privacy-as-a-priority culture. For some organisations, these tasks can be overwhelming. They don’t know where they currently stand or where to start. At Maddocks, we’ve just developed a new privacy health check tool in BETA form called ADAPT By Maddocks to help provide advice to our clients by gathering information about their information handling practices so that we can assist in identifying key compliance gaps and provide recommendations. This advice is based on our detailed understanding of the Act, the regulatory environment and regulatory expectations. We also help with that critical training and culture building piece.
A lack of preparation or a set and forget approach – Australian organisations exhibit a very big range in cyber and privacy maturity – many are doing exceptionally well, yet I’m still surprised by those who have waited for an event to occur before acting, particularly when there has been so much attention on the repercussions of large data breaches over the last year.
The OAIC has also stated that the mandatory data breach regime is a mature approach, yet we have seen organisations who do not have a data breach response plan, who do not have a document retention policy and who are not conducting Privacy Impact Assessments – all are mandated or expected to come into play as part of the upcoming Privacy Act reforms. You need to be prepared, understand what personal information you hold, understand your current gaps and have a clear privacy management plan for addressing and improving your maturity.