Emma is a Principal Consultant at ctrl:cyber, working across privacy, data risk, and AI governance. She partners closely with organisations to bring clarity to how data is handled and where risk sits, supporting more considered, confident decision-making.  

Beyond her expertise, Emma is a joy to work alongside, and she creates an environment where collaboration feels natural and complex conversations feel manageable.  

In this edition of Ctrl In Focus, Emma shares her perspective on the work, what she’s seeing across organisations, and how privacy comes to life in practice. 

 

Q. Tell us about your role at ctrl:cyber. What does your day-to-day look like?    

A. I’m a Principal Consultant at ctrl:cyber across Privacy, Data Risk and AI Governance. Day-to-day, I’m working with key clients, supporting them in protecting their company’s data and maturing their privacy programs. You might catch me meeting with privacy, data and AI governance leaders, helping them decide where to focus their uplift efforts, overseeing Privacy Impact Assessments (PIAs) for complex data handling activities, or coaching our team to help deliver high-quality work.   

   

Q. What part of your work do you find most rewarding?  

A. I really love the relationship building side of my role. Privacy is about people. Not just the people whose personal information is being handled, but also the people handling that personal information and making decisions about how it is used, shared and stored within an organisation. I enjoy getting to know our clients and understanding the different tensions and priorities within their business.   

  

Q. What first got you interested in privacy?  

 A. I discovered privacy as a grad. I was initially attracted by the exciting stories of data breaches and data commercialisation. After years of experience, I’m no longer excited by data breaches (or “Friday afternoon specials” as they are often known”), but thankfully I’ve found lots of other topics of interest, like advanced analytics and digital marketing.   

  

Q. What’s one misconception about privacy that you see often?  

 A. That privacy is “the department of no”. I prefer to think of privacy as the department of “here’s how”. There is usually a way to achieve business objectives in a privacy compliant and trust-retaining way. It often requires a “privacy-by-design” approach and some foresight, so engaging with a privacy expert early is the best way to meet business goals and not land in regulatory hot water.  

  

Q. You’re an IAPP Advisory board member – what does that involve, and what does that role give insight into?  

A. I was delighted to join the IAPP ANZ Advisory Board this year, after serving 4 years as a co-chair of the Melbourne IAPP KnowledgeNet chapter. The IAPP ANZ Advisory Boards advises and supports the IAPP on strategic initiatives to support privacy and AI governance practitioners. I’ll be helping to steer the approach to conferences, education resources, developing relationships in the ANZ region and advising on the specific needs of ANZ based privacy and AI governance professionals.   

  

Q. What’s one early sign that an organisation’s approach to privacy isn’t working as it should?  

 A. If privacy is an afterthought, or a rubberstamp that is only sought at the end of a new project or initiative, then we know privacy isn’t working as it should in an organisation. Good privacy is embedded in business processes and advice sought early.   

  

Q. How do cybersecurity and privacy actually work together in practice  

 A. Very closely! In the Privacy Act, we have a whole principle (APP 11) dedicated to security of personal information, which requires organisations to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. We often look to our friends in cybersecurity to provide expert advice on how best to protect data. Unsurprisingly, we also work really closely when managing data breaches – cybersecurity helps to find out what happened and implement the right controls to fix the issue, and privacy helps to identify what harm might occur to individuals, and whether we might need to notify the people impacted and the regulator.   

  

Q. Why do they often operate separately, even though they’re so closely connected?  

 A. This is often a result of organisational structures. Cyber is frequently thought of as an IT function, and Privacy as a compliance function, which both have pretty different ways of working and usually sit separately. It’s valuable for the Privacy and Cyber teams to find a way to stay closely connected, leverage each other’s processes and expertise, and be an extra ear to the ground for each other. After all, both teams are working to protect data.   

   

Q. What’s one piece of advice you’d give to organisations trying to get a better handle on privacy and data risk?  

 A. Start by understanding what data you have, how you collected it, and what you’re doing with it. From there, you can start to identify your higher risk activities and prioritise your next steps, which might include assessing your data use and disclosures, destroying data you no longer need, uplifting your transparency practices or training your people (just to name a few). It’s easier to know what to do next when you have a clear understanding of where you are now.   

  

Q. What can we catch you doing outside of work?   

 A. Outside of work, you can find me walking my dog, Pickles, shooing him away from our veggie patch (he’s loving the Strawberries at the moment), or cooking up a storm in the kitchen to throw a dinner party for our friends.   

  

Q. What does ‘Cyber together’ mean from your perspective?   

 A. To me, protecting data is something that can’t be done by one person or team alone. It takes a collective effort, whether that be Cyber teams, Privacy teams, other business functions following the right procedures, and even customers taking steps to protect their own information. If everyone collectively pulls in the same direction, we have the best chance at protection.   

  

It’s not hard to see why Emma is such a valued part of the team at Ctrl. Her reflections show a thoughtful approach and a genuine ease in the way she works with others, both within the team and with clients alike. Her ability to navigate complex situations, while keeping people at the centre, is what makes her work so effective. It’s an approach that leaves a lasting impression, both in how teams work together and how organisations approach these moments. 

Read more Ctrl In Focus features