Imagine this: you’ve been in business for 10+ years and feel pretty confident that you’re running a trustworthy, cyber-safe company. You’ve done all the right things: installed the software, secured the data, trained your staff (that one time, three years ago).
But in a single second, with an innocent click on a phishing email, years of customer data is gone.
Not just any data, but data you shouldn’t have collected in the first place: data you had no need to obtain or store.
This is the reality for many businesses. Data is collected under privacy policies that don’t reflect what the business actually needs, and in the long run that surplus data can lead to much bigger problems than you might initially think.
This is the problem Peta Demidenko, Founder of Privacy Mayhem, is trying to solve. But she’s not content just to solve privacy problems; she's on a mission to prove that privacy doesn't have to be boring or overwhelming and that, done right, it can actually be fun.
Privacy vs Security - same same but different
Privacy sits in an interesting corner of the cyber security landscape: not quite part of it, but not separate from it either. As Ms Demidenko explains, the key distinction is this:
- Security is about preventing unauthorized access to data
- Privacy is about preventing the unauthorized use of that data
Her company, Privacy Mayhem, has a straightforward but effective ‘4 W's framework’ that breaks this down further, making it simpler to understand what ‘privacy’ actually entails:
- Whose data are you collecting?
- What data specifically?
- Where is it stored?
- Why do you need it?
“It’s all about building transparency about what data you have so you know how you can protect it,” says Ms Demidenko. “If you understand your data landscape you stand a much better chance of being able to protect it.”
From corporate framework to privacy with flair
Ms Demidenko’s path from corporate roles to privacy specialist is not an uncommon one. Her early days in privacy began at VGW (another Perth technology success story), building its global privacy frameworks.
The ‘aha’ moment about the potential for a privacy-first consultancy came from colleagues who repeatedly commented on how much they loved her ‘mottos and superheroes’ approach to teaching what could otherwise be bland privacy principles.
“The founding principle was (and still is) ‘privacy built in, not bolted on’,” she said of what led her to branch out on her own and start Privacy Mayhem.
Privacy Mayhem now works with a number of growing companies that want to do privacy right because they want to, not just because they have to. Her client base, which ranges from mobility equipment providers for the aged to gaming companies and not-for-profits, is a testament to the fact that privacy isn’t some small, hidden niche: it’s for everyone.
The privacy problem - where most businesses go wrong
Getting privacy right is as simple, and as complex, as getting the systems and processes around your data into the right shape.
Data hoarding
One of the most common problems is ‘data hoarding’, a trap many organisations fall into: capture as much data as possible ‘just in case we need it’. The antidote is a short, simple motto Ms Demidenko suggests her clients live by instead: ‘Don't need it? Delete it’.
The reason? Bad actors often already hold partial information gathered from other breaches and traded on the dark web, and the data you collected unnecessarily can be the final piece that lets them complete an identity theft. Collecting only the data you truly need gives you a smaller attack surface, and therefore less risk.
Cookies and Pixels
Another frequent pitfall is the incorrect use of cookies and tracking pixels. A misconfigured Meta pixel, for example, can do a lot more than capture marketing data; in the United States there have been reported cases of pixels capturing sensitive information, including tax data, and sending it to Facebook. Ms Demidenko recommends auditing what is enabled on your website so that you really understand what you have implemented and what you are responsible for.
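A first pass at that audit can be done against the page source itself. The script below is an added example, not Privacy Mayhem's tooling: it parses one page's HTML, lists the known tag and pixel loaders it embeds (the vendor loader hosts and JavaScript entry points are the public ones; the keyword list used to spot sensitive form fields is an assumption to be tuned to your own forms), and flags the combination that needs a documented ‘why’: a pixel on the same page as a form that collects sensitive data. The sample page is constructed for the example.

```python
"""Static audit of one web page for third-party tracking pixels.

Added example, not Privacy Mayhem's tooling. It reads page HTML from a file
or string and reports (a) which known tag/pixel loaders the page embeds and
(b) whether the same page contains form fields whose names look sensitive.
The loader hosts and JS entry points are the vendors' public ones; the
sensitive-field keyword list is an illustrative starting point, not a
standard, and should be tuned to your own forms.
"""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts that identify a tag product when seen in <script src=...>.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel (fbevents.js)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "analytics.tiktok.com": "TikTok Pixel",
    "static.ads-twitter.com": "X (Twitter) Pixel",
}
# Inline-script fingerprints for the same products.
INLINE_PATTERNS = {
    r"\bfbq\s*\(\s*['\"]init['\"]": "Meta Pixel (inline fbq init)",
    r"\bgtag\s*\(\s*['\"]config['\"]": "gtag.js (inline config)",
    r"\bttq\.load\s*\(": "TikTok Pixel (inline ttq.load)",
}
# Field names that suggest sensitive data. Assumed list; extend for your forms.
SENSITIVE_FIELD_RE = re.compile(
    r"(tfn|tax|ssn|income|salary|dob|birth|medicare|health|diagnos|card|cvv|passport)",
    re.IGNORECASE,
)


class PixelAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.trackers = []          # (product, evidence)
        self.sensitive_fields = []  # names of suspicious inputs
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).netloc.lower()
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            if host in TRACKER_HOSTS:
                self.trackers.append((TRACKER_HOSTS[host], src))
        elif tag == "img" and host == "www.facebook.com" and urlparse(src).path == "/tr":
            # The pixel's <noscript> fallback: a 1x1 image request to /tr.
            self.trackers.append(("Meta Pixel (noscript image)", src))
        elif tag in ("input", "select", "textarea"):
            name = (a.get("name") or a.get("id") or "").strip()
            if name and SENSITIVE_FIELD_RE.search(name):
                self.sensitive_fields.append(name)

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            for pattern, product in INLINE_PATTERNS.items():
                if re.search(pattern, body):
                    self.trackers.append((product, " ".join(body.split())[:80]))


def audit_page(html: str) -> dict:
    """Return the products found, the evidence, suspicious fields, and a verdict."""
    p = PixelAuditor()
    p.feed(html)
    p.close()
    products = sorted({product for product, _ in p.trackers})
    return {
        "trackers": products,
        "evidence": p.trackers,
        "sensitive_fields": p.sensitive_fields,
        # A pixel on a page that also collects sensitive data is exactly the
        # combination someone must be able to justify with a 'why'.
        "high_risk": bool(products) and bool(p.sensitive_fields),
    }


# Constructed sample page: a loan/tax-style form with two pixels installed.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  !function(f,b,e,v,n,t,s){/* pixel loader */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<form action="/apply" method="post">
  <input name="full_name"><input name="tfn">
  <input name="annual_income"><input name="card_number">
</form></body></html>"""

if __name__ == "__main__":
    html = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAGE
    report = audit_page(html)
    for product, evidence in report["evidence"]:
        print(f"tracker : {product:35} {evidence}")
    print("fields  :", ", ".join(report["sensitive_fields"]) or "none")
    print("verdict :", "HIGH RISK, pixel + sensitive form" if report["high_risk"] else "review")
```

Run it as `python pixel_audit.py saved_page.html` for each page you care about, starting with checkout, application and contact forms. It only sees what is in the HTML: a tag manager can inject further pixels at runtime, and some pixel configurations read form field values when a form is submitted, so follow the static pass with the browser's developer tools and watch the Network tab while filling in and submitting a test form.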
Data storage and retention
Where you store your client data is just as critical as what you collect. Think of this as the privacy version of vendor management. Whether you're using cloud services, third-party platforms, or local servers, you need to understand not just the 'where' but the 'how'. This might involve asking hard questions: What security measures are in place? Where are the servers physically located? Who has access to the data? What happens in a breach? Your clients' privacy depends on your vendors' security practices, so make sure you're not blindly trusting third parties with your most valuable asset - your clients' trust.
Privacy is personal - the human element
As is always the case in the cyber world, the human element can’t be ignored.
“Everyone has different privacy tolerance levels,” Ms Demidenko notes. “Just like they have a favourite pair of socks, there will always be inherent preferences that differ significantly from person to person and business to business.”
The key - from someone who improves privacy posture for a living - is to invest in training that builds culture.
“Most people aren't intentionally doing bad things - they just lack understanding. But if you can get everyone looking in the same direction and understanding the 4 W’s, you can make informed decisions.”
Trust is earned
While it’s true that 80% of Australians don't trust companies with their data, an approach like the one Privacy Mayhem takes can make compliance interesting and accessible. Privacy doesn’t have to be overwhelming, but it does need to be non-negotiable.
Your privacy action plan
- Map your data: Know what you're collecting and why
- Minimize collection: Less data means a smaller attack surface
- Configure correctly: Audit cookies, pixels, and third-party integrations
- Delete ruthlessly: If you don't have a ‘why’ (legal or business), it shouldn't exist
- Train your team: Build transparency and understanding across all staff
- Don't wait to communicate: Incident management requires immediate action
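The ‘minimize’ and ‘delete ruthlessly’ items above, and the ‘Don't need it? Delete it’ motto from the data hoarding section, are the two places where a written policy becomes a mechanical check. The script below is an added example, not Privacy Mayhem's own tooling: an intake gate that drops any submitted field the stated purpose doesn't justify, and a sweep over stored records that keeps or deletes each one from the purpose it was collected for, deleting anything with no documented purpose at all. The purposes, field lists, retention periods and sample records are assumptions for illustration; real values come from your legal and business obligations.

```python
"""Collect only what a purpose needs, and delete what no longer has one.

Added example, not Privacy Mayhem's own tooling. Two checks are shown: an
intake gate that drops form fields with no documented purpose, and a sweep
that decides keep/delete for stored records from the purpose ('why') each
was collected for. Purposes, field lists and retention periods are assumed
for illustration; real values come from your legal and business obligations.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Which fields each purpose may collect. Anything not listed has no 'why'.
FIELDS_BY_PURPOSE = {
    "support_ticket": {"name", "email", "issue"},
    "tax_records": {"name", "abn", "invoice"},
    "marketing_consent": {"email"},
    "active_customer_account": {"name", "email", "delivery_address"},
}
# Retention per purpose in days. None = keep while the relationship is active.
RETENTION_DAYS = {
    "active_customer_account": None,
    "tax_records": 7 * 365,        # assumed statutory period; check your jurisdiction
    "marketing_consent": 2 * 365,  # assumed: re-confirm consent every two years
    "support_ticket": 365,
}


def intake(submitted: dict, purpose: str):
    """Keep only the fields the stated purpose justifies; report the rest."""
    allowed = FIELDS_BY_PURPOSE.get(purpose, set())
    accepted = {k: v for k, v in submitted.items() if k in allowed}
    rejected = sorted(k for k in submitted if k not in allowed)
    return accepted, rejected


@dataclass
class Record:
    subject_id: str
    field: str
    purpose: Optional[str]   # None = nobody wrote down why we hold this
    collected: date
    relationship_active: bool = True


def retention_decision(rec: Record, today: date):
    """Return ('keep' | 'delete', reason) for one stored record."""
    if rec.purpose not in RETENTION_DAYS:
        return "delete", "no documented purpose"
    days = RETENTION_DAYS[rec.purpose]
    if days is None:
        if rec.relationship_active:
            return "keep", "needed for an active relationship"
        return "delete", "relationship ended"
    expiry = rec.collected + timedelta(days=days)
    if today > expiry:
        return "delete", f"{rec.purpose} retention expired {expiry}"
    return "keep", f"{rec.purpose} retention runs until {expiry}"


def sweep(records, today: date):
    """Split records into keep and delete lists, each with its reason."""
    keep, delete = [], []
    for rec in records:
        decision, reason = retention_decision(rec, today)
        (keep if decision == "keep" else delete).append((rec, reason))
    return keep, delete


# Constructed sample store, evaluated as at a fixed date.
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("c1", "email", "active_customer_account", date(2019, 1, 1)),
    Record("c2", "email", "active_customer_account", date(2019, 1, 1), relationship_active=False),
    Record("c3", "invoice", "tax_records", date(2017, 3, 1)),
    Record("c4", "invoice", "tax_records", date(2020, 3, 1)),
    Record("c5", "date_of_birth", None, date(2022, 1, 1)),
    Record("c6", "phone", "marketing_consent", date(2022, 1, 1)),
    Record("c7", "notes", "legacy_crm_import", date(2025, 5, 1)),
]

if __name__ == "__main__":
    accepted, rejected = intake(
        {"name": "A. Person", "email": "a@example.com", "date_of_birth": "1990-01-01", "issue": "login"},
        "support_ticket",
    )
    print("intake accepted:", sorted(accepted), "rejected:", rejected)
    keep, delete = sweep(SAMPLE_RECORDS, TODAY)
    for rec, reason in delete:
        print(f"DELETE {rec.subject_id}/{rec.field}: {reason}")
    for rec, reason in keep:
        print(f"keep   {rec.subject_id}/{rec.field}: {reason}")
```

The design choice worth copying is that a missing or unrecognised purpose is a delete decision, not a skip: a record nobody can explain is exactly the data the page is warning about. In practice the sweep would write its delete list to a review queue rather than removing rows directly, so that a wrong retention value is caught by a person before it becomes irreversible.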
Cecily Rawlinson is the Director of CyberWest Hub, Western Australia’s central force for advancing cyber security. The Hub is committed to strengthening the state’s cyber industry, developing a future-ready workforce, and raising cyber awareness across all sectors of the economy. For more information, you can get in touch with Cecily at director@cyberwesthub.au.
Privacy Mayhem is one of many companies that exist in Perth to support companies with their cyber security and data privacy challenges. CyberWest Hub is connected to a range of local experts - find out more at https://www.cyberwesthub.au
