Dr Susan Bennett
PhD, LLM (Hons), MBA, FGIA, FIP, CIPP/E, CIPT
Principal & Director
T: +61 (2) 8226 8682
E: susan.bennett@sibenco.com
About
Providing governance advice and solutions at the intersection of data, technology and regulatory compliance
With thirty years of experience as a lawyer and advisor, Susan helps organisations grappling with the risks and challenges of regulatory compliance arising from technology (including AI) and the growing volumes of data, particularly personal data.
Susan delivers practical advice and responsive solutions to organisations across the following interconnected areas:
- Corporate Governance in the AI and Information Age: Integrated risk management and governance frameworks, policies and procedures to improve information flows to the Board, achieve organisational objectives and reduce risks arising from the use of new data-driven technologies, including AI, and evolving regulatory requirements, such as privacy, cybersecurity, AI and ESG.
- Information and Technology (AI) Governance: Developing, aligning and integrating best practice policies and processes into the overarching risk management framework to achieve improved regulatory compliance and risk management, reducing risks while maximising the strategic benefits of data-driven technologies.
- Data and Information Lifecycle Management: Improving data lifecycle management through policy, people and technology alignment, encompassing data collection, management, record retention and, importantly, disposal of data that is no longer needed. The benefits include improved regulatory compliance and improved data quality for decision-making throughout the organisation, including for risk and audit committees and the Board.
- Privacy and PIA/DPIA: Policies and procedures to comply with privacy requirements, privacy impact assessments (including ethical AI and PIA/DPIAs), privacy-by-design, critical incident planning and data breach response.
- Workshops and Presentations: Providing topical and engaging sessions to assist Boards, senior executives and multi-disciplinary teams on a range of topics tailored to meet the organisation's specific requirements and strategic objectives arising from the intersection of data, technology and regulatory compliance.
Helping organisations to meet regulatory compliance obligations, improve risk management and achieve overarching strategic objectives using data-driven technology
Susan brings her deep business, technology and litigation expertise to reduce risks and enable organisations to achieve their strategic objectives using data-driven technology. In particular, Susan works with:
- Executives across a range of functional areas and multidisciplinary teams (including legal and privacy, information technology, cybersecurity, AI and technology innovation, records management, data and information management, risk and compliance) to reduce risks arising from data use and storage, regulatory compliance failures and broader ethical and sustainability issues (ESG) arising from the use of data.
- Boards and C-Suite executives to improve overarching corporate information governance, enabling better information flows to the risk committee and Board for sounder decision-making. This allows Directors to better assess the interconnected risks arising from data, technology and regulatory compliance (including ESG) in accordance with the organisation’s risk appetite statement and risk management framework.
Background
Litigation, business and technology expertise enabling front-end governance services and solutions to reduce data risks and costs and improve information flows to the Board
Prior to establishing Sibenco and InfoGovANZ, Susan was a commercial litigator for 20 years (including as managing and senior partner at a national law firm), leading large-scale, complex disputes, regulatory investigations and Royal Commissions. Deeply steeped in technology, Susan has been at the forefront of leveraging evolving eDiscovery technologies to reduce the cost and burden in and beyond ‘discovery’ in legal proceedings. As the volume and complexity of data has grown, this technology has evolved to include machine learning and AI, with use cases expanding to data breach response, and FOI and access requests under privacy laws.
Bringing deep legal, commercial and technology expertise to tackle and reduce data risks and costs
Susan brings her technology expertise to help clients reduce volumes of redundant, outdated, and trivial (ROT) data, improve systems, and reduce costs in responding to privacy and FOI requests. This is a growing challenge and significant cost for organisations arising from the prolific growth in data being stored by all organisations, which arises from:
- Legal and Regulatory Proceedings - the substantial expense of document preservation and production associated with legal disputes, responding to cyber incidents/data breaches, identifying disclosed personal data for regulatory compliance purposes, and FOI responses.
- Over-retention of data - the problem and costs of over-retaining personal information in the event of a data breach and privacy compliance failures, the increasing cost of storing/managing data, particularly when significant amounts are ROT.
- Record-keeping - the challenge of complying with a myriad of regulatory requirements to maintain records for specified periods and the challenge of implementing robust and ongoing disposal to securely dispose of data and records following record-retention obligations and privacy regulations to keep personal data for no longer than required.
- Cybersecurity regulations - require data, particularly personal information, to be adequately secured with appropriate risk management, policies and processes.
- Privacy regulations - following the European Union’s adoption of the landmark GDPR (General Data Protection Regulation), with its extra-territorial reach, regulators globally are taking enforcement action against organisations in breach of privacy regulations, requiring organisations to ensure they have in place robust policies and processes to adequately secure and protect personal information including secure disposal or de-identification of old data.
Thought leadership - developing best practices for data, technology and regulatory compliance
Susan regularly speaks at events both in Australia and internationally, and is an established author – see recent presentations and articles below. Since the late 2000s, she has been a sought-after authority on the challenges arising from the growing volumes of data being retained by organisations. Focusing on ‘Information Governance’ as a way of governing the growing volumes of data from collection to disposal and working with U.S. legal think-tanks, Susan’s 2015 key paper, ‘Why Information Governance needs top-down leadership’ (published in Governance Directions, the official journal of Governance Institute of Australia) helped establish Information Governance as integral to overall corporate governance to effectively maximise the value of data and information while minimising the associated risks and costs.
The need to provide resources to educate and connect professionals dealing with increasing data and information risks, particularly arising from data breaches, together with the emerging privacy regulatory compliance challenge for organisations, led Susan to found InfoGovANZ. InfoGovANZ’s mission is to enable more connected thinking across organisational silos and to improve data privacy, information security and overall decision-making. This includes those areas and professionals working across the data and information sphere – Data Privacy, AI and Ethics, Cyber and Information Security, eDiscovery, ESG, Data, FOI, Information Governance, Legal, Records Management, Risk and Compliance.
Susan’s interest and desire to help organisations with the interconnected challenges arising from personal data, technology and regulatory compliance led her to undertake research and complete a doctoral thesis, which lays out the theory of effective information governance based on corporate interview evidence, enabling data and information to be safely leveraged as a business asset, while ensuring compliance with privacy and other information regulatory and legal requirements (see thesis abstract below). Susan's research and findings provide a practical governance solution to assist organisations in achieving data and privacy regulatory requirements, while pursuing strategic organisational objectives in complex and data-driven operating environments.
Qualifications and Admissions
Susan holds an Unrestricted Practising Certificate in New South Wales, Australia, and is admitted to the Supreme Court of New South Wales, the Federal Court of Australia and the High Court of Australia.
Susan completed her Doctor of Philosophy at the University of Sydney Law School on 'Privacy and Data Protection: the interaction of meta-regulation and information governance.'
Susan also holds a Master of Business Administration (AGSM) and a Master of Laws (Syd) and is a Certified Information Privacy Professional - Europe (CIPP/E) and a Certified Information Privacy Technologist (CIPT).
Susan is a Fellow of the Governance Institute of Australia (FGIA), a Fellow of the International Association of Privacy Professionals (FIP), a member of the Asian Privacy Scholars Network (APSN), a member and graduate of the Australian Institute of Company Directors (AICD) and a member of the EDRM Global Advisory Council.
Speaking Engagements
Susan is an experienced speaker and presenter, delivering sessions at all levels, from interactive workshops for multi-disciplinary teams to board presentations. She presents regularly at conferences both within Australia and internationally, and at InfoGovANZ events.
- Panelist, AI, STEM and the Future of Work, Old Ignatians' Dialogue, Sydney, June 2024
- Co-presentation, Are you 'Asleep at the Wheel' for Information Governance?, Legal Innovation and Tech Fest, Sydney, May 2024
- Panelist, Best Practices for Building and Enforcing Global Retention Schedules, (virtual), IAPP (U.S.), March 2024
- Presentation, Data Privacy and Cybersecurity, In-House Conference: Managing Risk, Sydney, Legalwise, March 2024
- Co-presentation, AI Risks, Failures and Consequences: Corporate Governance for the AI Era, Society of Corporate Law Academic Conference, February 2024
- Presentation, Cybersecurity: Lessons from high-profile data breaches, InfoGovANZ, December 2023
- Presentation, Information Governance Keys to Success, InfoGovANZ, November 2023
- Presentation, AI Regulations, Frameworks and Standards: The Governance Challenge for Organisations, London (virtual presentation), Information Law and Policy Centre, University of London, Human in the Machine: Digital Rights and AI, November 2023
- Presentation, Information Security: improving cybersecurity defences through governance, Australia-India Cybersecurity Leaders International Symposium, Sydney, September 2023
- Co-presentation, AI Risks in the Financial Sector: Consequences for Companies and Directors, The University of Sydney, Law School, Sydney, August 2023
- Moderator, Is Information Governance Still Stressing Your Organisation in 2023? American Bar Association Cross Border Institute, Paris, July 2023
- Presentation, AI and Privacy Risks in the Financial Sector: Consequences for Companies and Directors, Privacy, Law and Business Conference, St John’s College, Cambridge, July 2023
- Presentation, AI and Data: Key Issues for Directors, Women on Boards, June 2023
Publications
Susan's PhD thesis: Privacy and Data Protection: the interaction of meta-regulation and information governance (University of Sydney, Law School)
Abstract: The collection and storage of exponential volumes of personal data give rise to significant opportunities and risks for organisations. The thesis examines the challenge of controlling personal information from the standpoints of the regulator and the regulated organisation. First, the thesis analyses the regulatory design of Australia’s Privacy Act 1988 (Cth) and the European Union’s General Data Protection Regulation involving the use of principles-based and meta-regulation that devolves the design and implementation of compliance mechanisms to regulated organisations. Second, from the organisational perspective, the thesis examines the challenges for corporate governance when boards must grapple with multifaceted strategic opportunities and risks arising from the intersection of technology, data, and regulation. Based on interview evidence, it develops a theory of effective information governance, which enables data and information to be safely leveraged as a business asset, while ensuring compliance with privacy and other information regulatory and legal requirements. The findings are intended as a practical governance solution to assist organisations in achieving data and privacy meta-regulatory requirements, while pursuing strategic organisational objectives.
Susan's articles
- Submission on the Adoption of AI in Australia
- Dark Data – the risks, costs and ESG
- The use of WhatsApp and messaging record-keeping failures: the massive fines keep coming
- Information Lifecycle Management: what is it and how it reduces risk?
- Optus Data Breach – the risks of data over-retention
- The Primer on eDiscovery in the Asia Pacific (APAC) Region
- The Information Governance Primer – a comprehensive guide to build and improve information governance within organisations
Career Overview
Sibenco Legal & Advisory | Principal and Director (2012 to date) |
InfoGovANZ | Founder and Director (2016 to date) |
The University of Sydney | Adjunct Lecturer, Law School (2021 to date) |
Sparke Helmore | Sydney Managing Partner (2010-2011); Partner and National Group Leader, Commercial Litigation & Dispute Resolution Group and the Legal Technology Support Group (2003-2011) |
Consultant | Consultant on large high-profile commercial litigation disputes (2000-2002) |
Middletons (now K&L Gates) | Senior Associate, Dispute Resolution and Commercial Litigation Group (1997-2000) |
Phillips Fox (now DLA Piper) | Solicitor, Construction Group (1995-1997) |