25 May 2026
One of the more interesting projects we worked on recently involved a small professional services organisation rolling out a new client intake and workflow platform across several offices. The project itself looked fairly ordinary at first glance. Online forms, document uploads, automated notifications, reporting dashboards — the sort of thing organisations implement every day.
The interesting part emerged once we started mapping how personal information actually moved through the system.
Staff initially assumed the project mainly involved “contact details and forms.” In practice, the platform handled identity documents, financial records, sensitive client notes, internal comments and historical attachments copied across from older systems. Different teams accessed different parts of the workflow and several third-party providers also processed pieces of the information along the way.
At that point, the organisation realised they did not simply have a software implementation project. They had a privacy impact problem.
This is exactly why the OAIC guidance on Privacy Impact Assessments (PIAs) recommends conducting a PIA early in projects that involve personal information. The OAIC describes a PIA as more than a compliance exercise. A proper PIA helps organisations understand how information flows through a project, where privacy risks emerge and what controls may reduce those risks.
The biggest issues we identified were not dramatic cybersecurity failures. They were ordinary operational decisions that nobody had fully connected together:
- old records copied into new systems “temporarily”
- broad access permissions granted during testing
- sensitive attachments retained longer than necessary
- third-party integrations enabled without clear retention rules
- staff using exported spreadsheets as a reporting convenience
None of those decisions looked unreasonable in isolation. Together, they created far more visibility and retention of personal information than the organisation originally intended.
The useful thing about a Privacy Impact Assessment is that it forces organisations to stop thinking only about the software and start thinking about the information itself:
- What information are we collecting?
- Why are we collecting it?
- Who can access it?
- Where does it move?
- How long do we retain it?
- What happens if somebody exports it?
This process reveals information and privacy risks long before a penetration test or compliance review would. It also makes us think about what we hold, which in turn enables us to secure it.
We also see organisations leave privacy reviews until the very end of a project because they wrongly assume the exercise mainly involves paperwork. In reality, late privacy reviews usually become expensive because by then the workflows, integrations and operational assumptions already exist. Changing them becomes much harder once the project reaches production.
The OAIC guidance repeatedly emphasises that organisations should integrate Privacy Impact Assessments into project planning and risk management from the beginning, not treat them as an afterthought.
Most organisations already understand cybersecurity risk reasonably well. Privacy risk is often more subtle. It tends to grow gradually through ordinary operational decisions until organisations suddenly realise they hold far more sensitive information, in far more places, than anybody originally expected.