Reflections on Privacy Awareness Week 2026: Building Trust Through Privacy Complaint Resolution

The Office of the Australian Information Commissioner’s theme for Privacy Awareness Week 2026 is: ‘Trust is built here. In every privacy complaint. In every resolution.’

This theme highlights the critical role that privacy complaint handling plays in strengthening public confidence in how organisations manage their personal information. It signals a growing regulatory expectation that organisations move beyond a mere compliance focus towards treating privacy complaints as trust-building moments.

To explore this theme in practice, during Privacy Awareness Week we asked Intellectual Property and Technology partners, Dudley Kneller and Sinead Lynch, to share their perspectives and experiences on the importance of trust in complaint handling, common organisational challenges, and the trends shaping privacy in the year ahead.

Key takeaways:

• Trust is a defining outcome of complaint handling. Privacy complaints are no longer just risk events. They are critical customer experience moments that directly influence commercial outcomes.
• Customer-centricity with a genuine intent to understand the complaint is best practice. Organisations that approach privacy complaints with a genuine intent to understand and resolve issues – rather than to simply manage risk and comply with the law – achieve better customer outcomes, reduced escalation, and stronger regulatory positioning.
• Privacy complaints can be a source of strategic insight. Leading organisations treat complaints as valuable data points, using them to identify systemic issues, improve governance, and refine products and services.
• Regulatory expectations are shifting away from “tick-box” compliance tasks towards demonstrable outcomes. The OAIC’s focus on complaints handling signals a shift in regulatory expectations for complaint handling and results, including resolution quality, timeliness, and the management and mitigation of systemic harms.

We discuss these insights in further detail below.

1. How important is customer trust in privacy complaint handling?

Trust is critical to effective complaint handling and resolution, not only from a regulatory perspective, but as a core driver of customer loyalty. As Sinead explains, “customer trust is the difference between a customer staying with a business long-term or moving to their competitor.” She further notes that “good privacy complaints handling is not only important in terms of building customer trust, but also critical in terms of customer retention and loyalty.” Dudley recommends that “organisations that don’t just have the right policies and procedures on paper, but actually embed them into who they are and how they operate, are far better placed to manage customer complaints when they arise.”

This reflects a broader shift in how privacy complaints are understood. Rather than being treated as risk events with a templated approach or an operational afterthought, organisations increasingly recognise them as critical customer experience moments with measurable commercial impact.

2. What distinguishes good practice from poor practice in privacy complaint handling?

Privacy complaint handling often falls short due to a lack of meaningful engagement with customers. Dudley notes that organisations which handle complaints poorly frequently “fail to respond in a timely way – or sometimes don’t respond at all,” while Sinead highlights emerging evidence of a ‘trust erosion loop,’ driven by both the underreporting of concerns and dissatisfaction with how complaints are ultimately resolved.

Against this backdrop, both caution against an overly legalistic or process-driven approach to complaint handling. Such approaches can inadvertently escalate disputes and foster adversarial dynamics, undermining the opportunity to build trust and resolve concerns effectively.

In contrast, they advocate for a ‘customer-centric approach’ to complaint handling which seeks to understand and address the customer’s complaint. Dudley observes that organisations that respond promptly, openly, and with a genuine desire to resolve the customer’s concern (rather than simply manage risk) tend to see matters de-escalate.

Adopting this customer-centric approach also delivers clear operational benefits. Sinead notes that organisations can treat privacy complaints as valuable insights into underlying issues, using them to improve processes, enhance data and privacy governance, refine products and services, identify repeat and systemic issues, improve staff training, and product/service design. Dudley reinforces this view, observing that such an approach leads to better customer outcomes, less regulatory attention, and a more efficient complaint handling process overall.

3. What are common pain points in privacy complaint handling processes, and how can organisations address them?

A common underlying issue is that organisations often prioritise process efficiency or compliance over meaningful customer engagement.

Dudley highlights the risks of reluctance to engage with customers directly, and over-reliance on automated or templated responses to privacy complaints, which can do more to frustrate customers than resolve the issue, and can quickly escalate what might otherwise have been a manageable concern. He emphasises the importance of having clear, accessible, and plain language complaint processes that enable consistent, timely and meaningful responses.

Sinead extends this point by identifying a broader structural issue: complaint handling is often treated as a ‘tick-box’ or ‘compliance task’ rather than a genuine engagement process. This often results in:

• Process-driven responses focused on internal policies rather than customer outcomes
• Fragmented ownership, with complaints passed between teams within an organisation and
• Inconsistent handling of repeat issues, leading to systemic risks.

To address these challenges, Sinead and Dudley highlight the need for:

• A customer-centric approach: Complaints should be easy to raise, transparent and fair in handling, clearly linked to privacy rights and owned by the organisation from start to resolution.
• Investing time up front: Where organisations invest time up-front, complaints are easier to manage and far less likely to escalate.
• Centralised triage and accountability: Ensuring high-risk matters receive appropriate attention while simpler issues are resolved efficiently and avoiding passing complaints from handler to handler where possible.
• Strong governance and systems: Including mechanisms to identify repeat and systemic issues early, before they escalate, and designing responses around customer facing outcomes as opposed to ‘company policy’.
• Using complaints as insight: Organisations should analyse anonymised complaint data to improve processes, training, and product design.

4. What key privacy trends will shape the year ahead, and how can organisations prepare?

Looking ahead, there is a trend towards greater regulatory focus on accountability, transparency, and outcomes.

There is a growing convergence of AI, privacy, and governance, particularly in light of upcoming changes around automated decision-making in December 2026. Organisations that proactively consider transparency, accountability and how decisions can be explained will be far better positioned than those that attempt to build trust retrospectively.

• A shift from compliance to action

Regulators are increasingly focused on operational behaviours and outcomes, particularly in relation to systemic harms. Sinead highlights that the OAIC will expect organisations to focus on operational response and behaviour (rather than static privacy compliance) and will be taking a more enforcement-based posture. Dudley recommends that the difference will come down to preparation: organisations that think about these outcomes early will be better placed.

Organisations should also expect clearer expectations around both resolution quality and timeframes.

• AI and data use under scrutiny

The use of personal information in AI systems remains a major regulatory priority. Growing AI adoption will challenge organisations in different ways: some will see it as an opportunity to build trust through transparency with customers, while others may struggle where technology is rolled out before appropriate governance frameworks are in place. Organisations must ensure they have a clear understanding of their AI use cases and implement structured governance and risk assessment frameworks to ensure responsible use.

Further OAIC guidance and targeted regulatory activity is expected where high-risk AI models or systems are being used.

• Children’s privacy reforms

The anticipated Children’s Code is expected to be finalised by the end of 2026. These reforms are likely to have implications beyond the handling of children’s data alone, effectively raising the overall privacy compliance baseline. Many organisations may find it more efficient to apply these higher standards across their entire privacy environment.

• Ongoing focus on tracking and ad-tech

Tracking technologies, including cookies and pixels, remain a firm regulatory focus for the OAIC. Sinead notes regulatory attention is continuing to test how organisations disclose and use data for marketing and analytics purposes. This requires organisations to ensure transparency, appropriate consent mechanisms, and alignment with stated purposes, particularly in marketing and analytics.

Across all of these areas, preparation is key. Organisations must move beyond compliance-led approaches to privacy complaint handling and adopt practices that are transparent, accountable, and genuinely customer-focused. This will enable organisations to meet evolving regulatory expectations, but also unlock long-term value through improved customer relationships, stronger governance, and more resilient systems.

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.

Authored by: 

Dudley Kneller, Partner
Sinead Lynch, Partner
Katherine Boyles, Senior Associate
Precious Guma, Graduate