What Is Data Protection and Privacy?

Here’s an eye-opener: 64% of customers feel that companies are being reckless with their data, as per our latest State of IT: Security report.

This isn’t just an issue of trust; it’s an active business risk. When customers don’t believe their information is in safe hands, they’re less likely to share it, less likely to be loyal, and more likely to jump ship when a competitor comes knocking.

This might all seem a bit gloomy, but the situation presents a major opportunity. By taking steps to create strong data protection and privacy practices, you’ll stay compliant and prove to consumers that you’re trustworthy, making your business a cut above the competition.

In this guide, we’ll walk through what data protection and privacy are and why they matter, and we’ll provide nine best practices to help you navigate Australia’s increasingly privacy-conscious market.

Many of the statistics mentioned in this article come from research conducted by Salesforce in the State of IT: Security report (Fourth Edition). Read the full report to gain insights from more than 2,000 security, privacy, and compliance leaders worldwide.

It’s quite common to use data protection and privacy interchangeably, but each refers to a different concept:

• Data protection refers to the physical and digital tools, safeguards and systems that keep data secure from breaches, loss, corruption and theft.
• Data privacy refers to an individual’s right to control how their information is collected, used and shared.

In essence, data protection is about keeping data secure, while privacy is associated with making sure it’s handled ethically and transparently. As the volume of data increases and threats become more sophisticated, a commitment to both of these principles is essential for maintaining trust and compliance.

The protection of personal data in 2025 is no longer a simple legal requirement; it’s essential for keeping customers on side. Consumers are more privacy-conscious than ever, and new reforms to the Australian Privacy Act 1988 aimed at bringing the law closer to the standard of the European General Data Protection Regulation (GDPR) are giving consumers more power to act in their best interests.

Here are a few of the many reasons that data protection and privacy are so important:

• Compliance is complex: The Privacy Act and other regulations are always evolving, so much so that 68% of security leaders feel compliance is becoming more challenging every year. Keeping pace with data protection and privacy is essential to avoiding fines and reputational damage.
• Trust is paramount: Customers are already concerned that businesses aren’t handling their data appropriately, and they’re more willing than ever to call out organisations that don’t uphold high standards of security and privacy.
• Threats are increasingly sophisticated: Cyberattacks are becoming more advanced and harder to detect, with many criminals using AI to exploit vulnerabilities at scale. Organisations need to adopt equally stringent defences to keep their data safe.

These three core reasons are why 75% of organisations are anticipating budget increases for their data protection efforts. The good news is that businesses that get this critical juncture right have a clear advantage over those that don’t make security and privacy a priority.

When it comes to data security, our survey reveals that the top five most concerning security threats are cloud security threats, data poisoning, malware, phishing and ransomware.

Data encryption is the most effective and widely adopted tactic in the face of evolving threats, as per our survey. Why? Because, unlike a password, encryption makes data completely unreadable to all but authorised users. Even if a bad actor manages to get their hands on the information, all they see is a garbled mess of letters and numbers; in other words, the data is completely illegible.

The trick to robust data encryption is to apply it both in transit and at rest. This delivers end-to-end encryption, meaning there are no weak points at any stage in the data lifecycle.

We saw the power of this encryption model in 2025 when the UK government demanded that Apple provide access to encrypted iCloud data. Apple refused, citing the fact that their end-to-end encryption meant even they couldn’t access user data. It was only possible to comply if they handed over the keys, which would effectively break security for all users.

There’s a reason data encryption is a core pillar of Data Cloud. When done properly, it’s the gold standard of data protection and a valuable way to build trust with consumers.

Tip: Include periodic key rotation policies to reduce the risk if a key is ever compromised.

IAM is another highly-rated tactic for data protection, ranking in the top three in our report. This framework makes sure the right people can access the right data at the right time and restricts access to data for those without the proper permissions.

This technology has become increasingly next-gen in the last few years. For instance, the Cyber Security Cooperative Research Centre (CSCRC) recently built an automated IAM solution that dynamically adjusts access based on staff roles, without manual inputs from an administrator.

This is especially powerful for organisations where roles shift regularly, helping businesses increase their security without putting a dent in productivity.

Tip: Strengthen your IAM solution by using role-based access controls (RBAC) and integrating it with single sign-on (SSO) and multi-factor authentication (MFA) for comprehensive security.

Another tactic that made it into our top five is data masking, which involves obscuring sensitive information by replacing it with realistic (but completely fake) values. This means you can maintain the usability of the data for purposes such as analytics without risking the security of the information in the process.

As an example, a major logistics company in Australia used TDM data masking with the help of Intelia to create realistic but completely anonymous test data. In doing so, they massively reduced the risk of working in non-production environments without slowing down their innovation.

Tip: Data masking is especially helpful in development, analytics and testing environments where you don’t need real data but you still need to uphold security.

Next is data backup and restore, which was the second most critical and widely used of the data security solutions in our survey (behind data encryption). This technology differs from the rest of the methods above because it handles retroactive recovery over proactive defence.

However, this is exactly what makes data backups so important. Even the most robust security posture can fail, especially as threats become increasingly sophisticated. If encryption is the first line of defence, backups are the last, helping you avoid the reputational damage that comes with data loss and keep your business running following the worst-case scenario.

It’s a good idea to implement automated backups so you aren’t relying on human oversight. Salesforce’s Data Backup & Recovery Solutions, for example, will automatically create a backup each day and securely store it so you have the confidence that comes with knowing there’s always a rollback available if you need it.

Tip: Go beyond standard backups by creating immutable backups that can’t be altered or deleted by attackers. Also, remember to test your restore procedures every quarter to make sure that everything is working as intended and you can recover quickly when needed.

Next up is zero-trust architecture. It isn’t hard to see why this is a popular approach. Trusting no one at any stage, whether it’s a device, a user, or an application, is a powerful shift from the traditional tactic of securing the perimeter.

Zero-trust enforces continuous verification at every stage of access and assumes that any traffic moving in or out of an organisation could be a threat. This prevents social engineering attacks and minimises the risk of lateral movement if a breach occurs.

Australia’s national cybersecurity strategy is a prime example of this architecture. The initiative enforces zero trust principles across the whole government, with microsegmentation, strong device attestation and a ‘never trust, always verify’ mantra designed to limit the blast radius of any potential breach.

Tip: Don’t try to overhaul your entire system at once. Start small, apply zero trust principles to a single entity, device, or network access layer, then gradually scale your architecture outwards in a manageable way.

All of the security leaders we surveyed believe AI agents can improve at least one security concern (State of IT: Security, p. 13). As well as monitoring data to detect anomalies, AI models can also automate threat responses and flag vulnerabilities before they become a problem. And it can do all of this 24/7, providing protection even when your team is asleep or relaxing on the weekend.

Take Agentforce, the agentic layer of the Salesforce platform, for instance. Our AI solution can rapidly parse vast amounts of data to detect abnormal patterns, automate routine tasks like compliance checks and triage incident response next steps if anything goes wrong.

While it’s no secret that AI introduces new risks (any solution that processes large amounts of data can become a prime target for attackers), we’re also seeing how companies can leverage AI on the other side of the battle to bolster their defences and make smarter privacy decisions.

Tip: Use AI tools to identify unusual activity across endpoints, email traffic and user behaviour and help you address vulnerabilities proactively before they become serious concerns.

Compliance is becoming increasingly complicated for businesses, especially as the Australian Privacy Principles (APPs) continue to get more prescriptive. As such, complying with data privacy law at scale is becoming harder to accomplish manually.

For that reason, 63% of organisations say their compliance processes are now at least mostly automated. Automation ensures faster response times to investigations and reduces the risk of human error. It also frees up more time for teams to focus on high-value tasks rather than chasing documentation for audit trails.

Tip: Automate your evidence gathering, audit reporting and data retention policies as much as possible. While you can’t prepare for every eventuality, the more you can automate, the more confident you’ll be in your ability to meet and prove compliance when needed.

DevSecOps is a security protocol that involves integrating security directly into the entire software development lifecycle, from the first line of code to deployment and beyond. It’s a shift in mindset from the traditional approach, where a security team adds security at the end of development, potentially leaving vulnerabilities undiscovered.

The results of this approach speak for themselves. Our report discovered that 85% of IT organisations are now following DevSecOps practices, and those that do are 20% more likely to be fully compliant with data privacy regulations versus those that don’t.

As AI becomes more deeply embedded in software development pipelines, this kind of secure-by-design approach will be invaluable for minimising risks before and after launch.

Tip: Shift left by embedding security checks and static code analysis early in your CI/CD pipeline.

Lastly, we have the human element. Even the most advanced security tools can’t stop a breach if someone accidentally shares an encryption key or clicks on a malicious link. Training your teams on best practices will turn your biggest vulnerability into your strongest defence.

We found that teams with above-average innovation are 13% more likely to train staff proactively. Teams that have the knowledge to recognise threats and manage data responsibly underpin the strength of all of your data protection principles.

If you need a place to get started, Trailhead provides interactive learning paths that simplify the process of training your entire team on role-based security.

Tip: Tailor training to the most common risks departments are likely to face. For instance, finance teams should be able to spot invoice fraud, while marketing teams will need extra guidance on keeping data secure across third-party tools.

Businesses are currently walking the tightrope between the benefits AI brings for innovation, analytics and security, as well as the risks that come with it for data protection and privacy.

While AI has the potential to drive personalisation and deliver a better customer experience, it can also erode trust, especially if consumers don’t understand why you’re using it.

Currently, 71% of customers say their trust in companies is decreasing, up from 47% in 2022. The onus is on businesses to prove to customers they’re committed to security and privacy-by-design AI solutions.