Mike focuses on assisting key stakeholders with understanding the obligations and outcomes of effective privacy and cyber security. This includes solving an organisation’s issues with respect to regulatory, industry, and company policy compliance and to protect what matters most in terms of availability, loss of value, regulatory sanctions, or brand and reputation impacts balanced with investment.

At IIS, Mike has led over 400 privacy and security governance, risk, and compliance client engagements across government, energy, health care, education, retail, financial services, and technology sectors. He has also advised clients about cyber security directly impacting privacy and data protection and how to provide greater resilience to assure better organisational outcomes.

Mike also serves as ICG’s Global Cyber Practice Leader and IIS is an ICG Affiliate. Prior to joining IIS, he was the Founder and Managing Partner of Cyber Risk Advisors. Before then, he was Asia Pacific, Oceania and FSO Lead Partner EY Cyber Security; GM Technology Risk and Security for NAB Group; a Partner within Information Risk Management at KPMG in New York; and has held financial services industry roles at Salomon Brothers and Mastercard International. At EY, Mike was responsible for creating the largest, sustained “Big-4” cyber security practice, deploying Privacy and Data Protection solutions, and building the Melbourne Advanced Security Centre (ASC), specialised in attack and penetration testing.

Mike is a Non-Executive Director of .au Domain Administration Limited (auDA), a not-for-profit organisation established by the Australian Internet community to administer a trusted .au for the benefit of all Australians, and champion an open, free, secure and global Internet.

Mike is a Graduate of the Australian Institute of Company Directors (GAICD), Life Member of the Australian Information Security Association (MAISA), and a member of the International Association of Privacy Professionals (IAPP). He has formerly served as a volunteer AISA Board Member, ISACA Melbourne Chapter Board Member, Member of National Standing Committee on Digital Trade.

Mike’s professional credentials include being a Certified Information Systems Manager (CISM); Certified Data Privacy Solutions Engineer (CDPSE); and Certified Information Systems Auditor (CISA). He is also an ICG Accredited Professional, and a former Payment Card Industry Qualified Security Assessor. He has an MBA, Accounting and Finance and BS, Management Science, Computer Science, and Psychology.

Mike is the co-author of The New Governance of Data and Privacy: Moving from compliance to performance, Australian Institute of Company Directors, November 2018.

Malcolm was the founding President of the International Association of Privacy Professionals Australia New Zealand (iappANZ), an affiliate of the US based International Association of Privacy Professionals (IAPP). He was a Director of IAPP from 2007 to 2011.

Malcom is a member of the Independent Advisory Board to the Minister for Government Services. He is a a member of the Palantir Council of Advisors on Privacy and Civil Liberties (PCAP). In 2023-24, the Minister for Finance appointed him to a small Expert Panel on Digital ID advising her on the Digital ID Bill. During the COVID-19 epidemic, he advised on COVIDSafe apps for the governments of New South Wales and Victoria.

Through IIS, Malcolm has advised a wide range of industry sectors. He has also consulted to the Asia Pacific Economic Cooperation forum (APEC) on implementation of the APEC privacy framework, to the Organisation for Economic Cooperation and Development (OECD), as well to a number of projects funded by the EU Framework Programmes for Research and Technological Development.

For some 20 years, Malcolm was a Director of Bellberry Limited, a private not-for-profit company which provides health ethics advisory services. In that time, he also chaired PRAXIS Australia Ltd, a Bellberry subsidiary, a private not-for-profit company that promotes the conduct of ethical research involving human participants, for the first five years through its startup phase. For many years he was a member of the New South Wales Government Information and Privacy Advisory Committee and the Microsoft Trustworthy Computing Academic Advisory Board.

Between 1996 and 1999, Malcolm was Manager of Government Affairs for AMP Ltd. In the previous 20 years he was a senior executive in the Federal Department of Finance, was founder and trustee of a new industry superannuation scheme and worked in the Transport and Health portfolios.

Malcolm is a Fellow of the Australian Institute of Company Directors and is an IAPP Certified Information Privacy Professional. He was made a Member of the Order of Australia in 2016 for significant service to public administration, particularly to data protection, privacy, and identity management, and to the community. Malcolm received the IAPP 2012 Privacy Leadership Award in Washington DC in recognition of his global reputation and expertise in privacy. He received the inaugural Chancellor’s Medal for distinguished contribution to the Australian National University in 2004. Malcolm has degrees in Chemistry and Economics.

Malcolm is a co-author of The New Governance of Data and Privacy: Moving from compliance to performance, Australian Institute of Company Directors, November 2018.

Recent engagements include:

• Privacy Officer as a Service (POaaS): Leading and project‑managing privacy uplift programs (including privacy automation) for multiple clients, including Victorian public sector agencies and organisations across the market and insights, property, retail, and education sectors, some with international operations. Also Cyber Security Officer as a Service (CSOaaS): Leading and Project Managing Cyber Security Program for a major energy client.
• Privacy and Cyber Security Health Checks: Assessing organisational practices, procedures, controls, and systems, and providing innovative and practical solutions to promote consumer, board, and regulator confidence.
• Vendor Management and Third-Party Risk Assessment: Assessing risks and/or compliance using international / global standards, and other government and industry-specific standards) to improve privacy and security posture; independent review of an organisation in response to OAIC enforceable undertaking following third-party data breach.
• Data Breach and Crisis Handling: Supporting a long-term data breach response and recovery as part of a multi-disciplinary team for the NSW Government for a major cyber incident, including preparation of post incident report and whitepaper.
• AI Impact Assessment: Leading gap analysis aligned with Australian and international regulations (e.g., EU AI Act and UK ICO Guidance) to ensure compliance and ethical development.

Prior to join IIS, Eugenia worked in France, Spain and the UK on complex IT and telecommunications projects. Eugenia worked for EY IT Risk and Security Advisory for more than 10 years and then joined Colt Technology Services in Europe where she was the Group Head of Business Continuity and Resilience. Returning to Australia in 2017, she worked in the NBN Co Risk & Resilience team. She has extensive experience and skill in helping organisations prepare for and respond to significant business disruption, and to thrive as a result.

Eugenia has a law degree from the University of Barcelona, a Master in Law from ISDE Business School and a Post Master in Technology Law from ESADE Business School. She is a ISACA Certified Information Systems Auditor (CISA) and a Data Privacy Solutions Engineer (CDPSE) and a Qualified Associate Fellow of the Business Continuity Institute (AFBCI) where she volunteers. Eugenia is also a member of the International Association of Privacy Professionals (IAPP) and the Australian Information Security Association (MAISA) where she also volunteered. In addition to English, Eugenia speaks Spanish and French.

Chong leads services in Thought Leadership; Governance, Strategy and Transformation; and Privacy and Cyber Security Risk Assessments across multiple industry sectors and for both domestic and global organisations. Recent client engagements include:

• Conducting over 75 PIAs and Privacy Health Checks (PHCs) that improved clients’ privacy capability and uplifted governance and risk management across diverse sectors including government, retail, financial services, education, transport, health and law enforcement.
• Enhancing organisational assurance and trust by conducting tailored privacy and security audits and risk assessments driven by OAIC enforceable undertakings, audit office findings and legislative requirements.
• Delivering practical privacy, governance and data ethics advice across identity management, data sharing and linkage, de‑identification and open‑data initiatives, helping organisations design safer, more trustworthy data ecosystems (including whole-of-government data lakes, privacy enhancing technology evaluations and multi-agency national data asset programs).
• Leading AI risk assessments and strategic advisory for multiple public‑sector and enterprise initiatives, evaluating algorithmic decision‑making, data governance, model training pipelines and privacy impacts to help organisations deploy AI‑enabled systems safely, ethically and in compliance with regulatory expectations.
• Guiding commercial and government organisations through accreditation under the Australian Government Digital ID System and DATA Scheme, shaping governance controls, refining assurance evidence, and helping clients navigate complex technical and regulatory requirements.

Chong is a regular contributor to privacy and data governance thought leadership. He has written on privacy law reform, Privacy by Design, trust, accountability, cross‑border data flows, and the governance of emerging technology for Microsoft, the National Centre for APEC, iappANZ, and the Institute of Electrical and Electronics Engineers. Along with Malcolm Crompton and Michael Trovato, he co-authored The New Governance of Data and Privacy: Moving from compliance to performance, Australian Institute of Company Directors, November 2018.

Chong is a member of the Australian Information Security Association (MAISA), the ISACA Sydney Chapter, and the International Association of Privacy Professionals (IAPP). He is a graduate of Sydney Law School (Hons 1). He also holds an Honours Degree in Psychology and a Master of Teaching from the University of Sydney.

Natasha led the privacy impact assessment (PIA) work on the administrative data use by the Australian Bureau of Statistics and the data sharing scheme proposed under the Data Availability and Transparency Bill.

In addition to conducting numerous PIAs at IIS, Natasha has also led research on projects examining emerging privacy issues and regulatory responses. This has included options for international privacy regulatory harmonisation for a global digital platform, as well as research on the international regulation of digital platforms for the Office of the Australian Information Commissioner.

Prior to her time at IIS, Natasha worked for a decade at the federal privacy regulator during which time she engaged on a wide range of privacy issues, particularly in relation to new technologies, data analytics, de-identification, electronic health records and APEC privacy enforcement cooperation.

She was a member of the secretariat supporting the Government 2.0 Taskforce. During a secondment to the New Zealand Office of the Privacy Commissioner, Natasha drafted a major research paper and guide on privacy and CCTV. In 2008 she was awarded an Australia Day Achievement Medallion for her work supporting the Australian Privacy Commissioner.

Along with an in-depth knowledge of privacy regulation, Natasha has expertise in information law and policy more generally including freedom of information law and trends in open government.

Natasha holds a Bachelor of Arts (Hons 1) from the University of Sydney. She has also completed training courses on Fundamentals of internal audit; Administrative power and the law; Machinery of Government; and Policy Formulation.

Natasha is a member of the Australian Information Security Association (MAISA) and the International Association of Privacy Professionals (IAPP).

Alexander has led and assisted engagements for a wide range of public and private clients from various industry sectors. He provides services in Privacy and Cyber Security Health Checks, Privacy Impact Assessments, Vendor Management and Third-Party Risk Assessments, as well as Privacy and Security by Design.

Recent engagements that Alexander has been involved in include:

• Conducting a series of assessments for the internal audit function of a large ASX-listed healthcare provider to evaluate its cyber security maturity against the NIST Cybersecurity Framework.
• Cyber security health check for a professional services firm handling sensitive information.
• Advice to the privacy function of a national property service provider to develop a systematic assessment process for engaging third party vendors.
• Internal audit assessment of the cyber security maturity of a national professional services governing body.
• Various privacy engagements, including PIAs and privacy health checks for NSW and Victorian government departments and agencies, and ASX-listed companies.
• Various security engagements, including a comprehensive assessment against cybersecurity industry standards for a project within a Victorian Government agency, and audit on the implementation of a NSW Government agency’s data handling practices.

Prior to joining IIS, Alexander worked at international law firm Herbert Smith Freehills. As a lawyer in the Private Equity practice group he advised clients on a variety of transactions including capital raisings, mergers and acquisitions. Alexander also has extensive international business experience having worked at a multinational IT service provider in Paris, a private equity firm in New York, a top-tier tax consultancy in Berlin, and time working within international political organisations including the Human Rights division of the United Nations and SME division of the OECD.

Alexander holds a Bachelor of Commerce and a Juris Doctor degree from the University of Sydney. Alexander was admitted as a solicitor to the New South Wales Supreme Court in 2016. He is a Member of the Australian Information Security Association (MAISA), ISACA Sydney Chapter, and the International Association of Privacy Professionals (IAPP). He is also an ICG Accredited Professional.

In addition to English, Alexander speaks German.

She has a proven track record of partnering with government and corporate clients to provide services such as Privacy by Design, Third Party Risk Management and Privacy, Cyber and Internal Audit Risk Assessments. Gabriella demonstrates a genuine commitment to helping organisations navigate complex challenges by designing frameworks that foster compliance, accountability, resilience, and sustainable growth.

Relevant client engagements include:

• Numerous detailed assessments to evaluate clients’ general privacy management capability, people awareness and culture, the types of information held, the technologies that collect and use such information, and how third parties with access to the information are managed.
• Mapping of privacy laws of 24 jurisdictions to identify common legal requirements and support the creation and review of documentation for clients with a global presence.
• Executed audits of ISO/IEC 27001 (Information Security Management Systems) controls, enabling clients to strengthen information security by addressing people, processes, and technology.
• Participated in the Privacy by Design Awards 2023 research project, collecting data on consumer brands and analysing their performance against the seven Privacy by Design Principles. This research won the Australian Information Security Association (AISA) Cyber Security Researcher of the Year Award in 2022.
• Extensive experience in reviewing, interpreting, and managing service agreements to ensure compliance, mitigate risk, and support organisational objectives.

Gabriella holds a Bachelor of Laws and a postgraduate specialisation in Civil Law. Her academic background provides a strong foundation in regulatory frameworks and enhances her ability to translate complex legislative requirements into practical strategies for diverse organisational contexts. Gabriella has also completed advanced training in cyber risk management and is a Certified Information Privacy Manager (CIPM) with the International Association of Privacy Professionals (IAPP). She is a member of the Australian Information Security Association (MAISA) and the International Association of Privacy Professionals (IAPP).

In addition to English, Gabriella speaks Portuguese.

Prior to joining IIS, Jacky worked as a research assistant and Project Officer for Professor Kimberlee Weatherall, who is a Chief Investigator with the ARC Centre of Excellence for Automated Decision-Making and Society, and Fellow at the Gradient Institute. Jacky contributed to research in the interaction between commercial/private law doctrines and potentially harmful practices of surveillance capitalism and data misuse. Through this, Jacky worked on consultation responses to various proposed changes to the privacy landscape such as the Australian Government Digital Identity System and the Trusted Digital Identity Framework.

Jacky also worked as a consultant in the Risk and Regulations team of PwC Australia, where he was involved in engagements with high profile financial institutions providing assurance for corporate risk management processes in line with APRA Prudential Standard CPS 220 Risk Management. Further, he advised C-Suite executives of insurers and superannuation trustees on the implementation of new financial laws and regulations such as the Financial Accountability Regime. Jacky also worked closely with several banks to develop and streamline their breach reporting processes, optimising for efficiency and accuracy.

Furthermore, Jacky has experience as a paralegal in the insurance law sector where he acquired extensive experience in legal research and gained proficiency with interpreting legislation and government guidance updates.

Jacky holds a Bachelor of Science and Laws from the University of Sydney. He is a member of the Australian Information Security Association (MAISA) and the International Association of Privacy Professionals (IAPP).

In addition to English, Jacky speaks Chinese (Mandarin).

Caspar brings a practical and multidisciplinary approach to his engagements, with experience in regulatory compliance, Privacy by Design (PbD), privacy impact assessments (PIAs), and stakeholder engagement at operational and strategical levels. Caspar is committed to making privacy and data protection understandable and relevant at every level of an organisation and is particularly motivated by bridging legal and technical domains in privacy practice.

Prior to joining IIS, Caspar worked in the Netherlands as a Privacy Consultant / Privacy Officer, primarily supporting governmental bodies and commercial organisations. In his previous role, he was part of a team that delivered over 150 DPIAs for a single public sector client. His responsibilities included developing internal privacy frameworks, data breach protocols, drafting data processing agreements, and embedding privacy by design and default into complex digital systems.

In addition to his legal and governance focus, Caspar has experience advising technical safeguards such as cryptographic hashing (e.g. SHA-256), supporting ISO/IEC 27001, information security standard compliance, and developing data breach protocols. He has also delivered privacy awareness training and supported vendor risk assessments and data governance planning.

Caspar holds a Certified Information Privacy Professional / Europe (CIPP/E) certification with the IAPP. He has also completed a wide range of privacy courses such as in-depth DPIA training, Privacy Officer training and a course about the European AI Act. He has also completed multiple OneTrust training programmes on privacy automation, including the development of automated DPIAs, PIAs, and Data Subject Requests.

In addition to English, Caspar speaks Dutch and German.

He has assisted in projects including:

• Project-managing the development of the OAIC’s first major position and issues paper on Australian Government Information Policy, published on the opening of the new Office
• Australian Bureau of Statistics – Designing a tailored privacy management plan for the ABS and conducting privacy impact assessments with respect to the use of census data for sampling purposes
• A Large Hospitality, Resort, and Entertainment company – Reviewing Membership Programs and mapping out data flows with respect to its Sales’ Systems, and followed up with designing training programs
• A Global Strategy Consultancy – Researching and providing advice in the transferring of personal information or health related data to a different database
• Cancer Institute NSW – Conducting a PIA with respect to the releasing of a new platform which allows GP to get automatic updates from Medicare
• Austroads – Assisting with a PIA to evaluate the privacy impacts that may be associated with each state and territory road transport agency using the Face Matching Services provided by the National Facial Biometric Matching Capability
• Australian Institute of Company Directors (AICD) – Contributing to the The New Governance of Data and Privacy, a book co-authored by Malcolm Crompton, Michael Trovato, and Chong Shao.

Joshua holds a Hong Kong Lawyer License and is based in Hong Kong.

Before joining IIS, Joshua worked for the Privacy Commissioner for Personal Data, Hong Kong and was posted to the Policy and Research Division. He was directly supervised by the Privacy Commissioner of Hong Kong and was tasked with research projects relating to the European Union General Data Protection Regulation (GDPR), and emerging technologies such as electronic mobile payments, video analytics and location tracking, etc.

Joshua is a recent graduate from the Chinese University of Hong Kong, holding a Juris Doctorate degree with a scholarship and a Bachelor of Social Science (First Class Honours) in Sociology. He is a member of the International Association of Privacy Professionals (IAPP).

In addition to English, Joshua speaks fluent Chinese, Spanish and Cantonese.