Regulatory Spotlight: ADMA’s Privacy and Compliance Course Instructor Lucy Hannah

In this series we highlight members of our community who are making a real impact in the complex and important world of regulation and compliance. Today we talk unconventional career paths, AI and advocacy with Privacy and AI lawyer Lucy Hannah, who is the instructor for ADMA’s Privacy and Compliance for Marketers course.

To start, could you share a little about your career to date?

I haven't taken a traditional career route. After I was admitted as a lawyer in NSW, I moved to London. It was 2017, the GDPR laws had just come into force, so everyone was in a panic wanting someone to come in and figure out what this regulation meant for them and what they had to do to comply.

I was happy to get in there and do that and it gave me the opportunity early in my career to work with some really large and interesting businesses like Conde Nast. I found I really enjoyed this area of law - it definitely wasn’t where I thought I would end up when I first qualified.

From there, I got involved with some pretty high-profile data rights lawyers and privacy consultants based in the UK and Europe at AWO Agency. I was working mainly with clients in the civil society and humanitarian action space who were processing large volumes of very sensitive personal information. This was great exposure to really complicated issues and highlighted the need for strong data protection and privacy regulation.

Since returning to Australia I’ve worked in-house at Volkswagen Group and most recently for EY.

What have been some of the professional highlights along the journey so far?

The whole GDPR experience was really interesting because there were so many huge companies trying to understand how these sweeping regulations impacted what they were doing in their day-to-day business. It was fascinating to work with different parts of businesses to understand how they were using data and learning about the world through that lens.

It taught me I enjoy giving really practical and risk-based compliance advice and creating solutions for clients that are actually workable and have meaningful outcomes for their customers or the individuals they are dealing with.

During my time at Volkswagen Australia, I established their data protection and privacy compliance program, which was a fantastic experience. I worked closely with various parts of the organisation, particularly the marketing and sales teams across all of Volkswagen’s brands.

It was a valuable opportunity to understand how a large organisation operates and being closely involved with the marketing and sales functions gave me deep insight into how marketers think and approach their work, which as it turns out is quite different from lawyers!

The regulatory landscape is rapidly evolving. What do you think are the most significant regulatory changes that are coming, and how do you see them impacting the industry?

Certainly the changes to the Privacy Act that have already been made and are in the pipeline are really exciting. They are putting more obligations on organisations to comply with the Act and putting more control into the hands of individuals about how their personal information is handled.

A raft of new and enhanced cybersecurity laws has also just come through Parliament and it's very exciting to see that these issues are really on the legislative agenda.

I am interested to see how the emerging guidance around the use, development and deployment of AI and LLMs plays out and whether we have a new regulator for these technologies and specific laws.

All of these changes really impact marketers and advertisers because their work is so data driven and they are right at the forefront of the customer and client relationship. It's crucial for marketers to understand and apply these principles and know when to reach out and get advice from the legal team or external counsel.

What do you see as the biggest challenges for marketers navigating today’s regulatory and consumer trust environment?

The regulatory landscape is changing so rapidly, it's a lot for marketers to keep up with and to really distill what those changes mean in their everyday work. Things like capturing consent, having effective unsubscribe links in marketing emails, being able to differentiate between marketing and service updates are essential.

Regulators, particularly the ACMA and OAIC are more powerful and more active and it's really keeping everyone in this space on their toes.

Most of the marketing teams I work with are really savvy about keeping up to date with regulatory change - it's also so important all of the third parties they engage and who are involved in the ad tech space are all in alignment and that the right hand knows what the left hand is doing.

I have seen issues occur when some piece of tech or third party who deploys an aspect of a marketing journey experiences an error or bug that ends up becoming either a Privacy or Spam Act breach and causing a real headache for the entire organisation.

Getting control of what you're doing with data, the third parties that you're sharing personal information with and addressing the issue of data retention are all absolutely fundamental.

What is one thing you wish marketers understood better about privacy regulation?

Be fair and reasonable in your information collection and marketing practices - consider whether you would be comfortable with your own personal information being used in this way.

Be transparent - make sure you're giving enough information to your customers about your marketing practices.

Get consent where you need to and always respect an opt out.

That was more than one thing, but they're all equally important!

What advice would you give to marketers looking to build their understanding in regulatory matters?

It's not about being perfect - it's about getting a handle on the law and having strong policies and processes in place in your organisation to make sure that you comply to the best of your ability and you have a plan in place to respond when things go wrong, like in the case of a data breach.

Complying with the regulation is a whole of organisation exercise, marketers are not and should not be alone in managing this. But they do play an incredibly important role in the design and effective deployment of information collection points and the notices and consent capture mechanisms that need to go along with that, where direct marketing material is going to be sent out.

Most organisations are going to need to heavily invest in identifying any privacy compliance issues and uplifting their privacy compliance position.

What do you think will have the biggest impact on data-driven marketing over the next five years?

Naturally it's the changes being made to the Privacy Act, the increased funding for and enforcement powers of the OAIC and our new Privacy Commissioner, Carly Kind. I'm very interested to see what sort of enforcement action is taken this year in particular.

Oh and the emerging regulation of the use of AI, LLMs and automated decision making when processing personal information.

Why do you think organisations like ADMA are so crucial for the marketing and advertising industry?

Marketing and advertising is an essential business practice which is crucial for business growth, and therefore vital to the growth of our economy. So, when regulating these practices, it's important that the role and practices of marketers and advertisers are really well understood by the government and the flow on effects of legislative decisions are carefully considered because they have the potential to have outsized impacts.

ADMA is therefore so important because it is taking feedback from all sides of the industry and synthesising that into a reasonable and responsible position to represent to law and policy makers. This ensures marketers’ voices are heard and understood.

Lastly, what do you enjoy doing outside of work?

I've just moved to Melbourne and I'm really enjoying exploring the city and spending time with my friends here - the live music, food, art, pub and sport scene is great. I am definitely missing the Sydney beaches though.

Lucy Hannah is the instructor for ADMA’s extremely popular Privacy and Compliance for Marketers course. The next course takes place on 26 March 2025 and you can register here.