Sarah Birkett

Partner
Sarah Birkett is my main point of contact and the services she provides are outstanding. Her advice is always well considered and commercially practical.
Beaton Top 200 Client Survey – Industrials sector client testimonial (2023)
About

Sarah leads our Australian data, privacy and cybersecurity practice, with over 187 years’ experience advising clients across Australia and the UK. She specialises in helping global organisations manage complex data compliance challenges, particularly in relation to user identity systems, cross-border data transfers, and IP-rich digital platforms, combining deep regulatory expertise with a practical, commercial approach.

Her expertise spans cyber incident response, privacy risk management, AI and regulatory engagement, including under Australia’s Notifiable Data Breach regime. Sarah also works proactively with clients to strengthen cyber resilience through breach simulations, policy reviews, and governance frameworks.

Sarah regularly advises on the application of the Australian Privacy Principles in diverse contexts – from market entry strategies for overseas entities to structuring data-heavy commercial transactions. She provides clients with hands-on experience in navigating the Australian regulatory framework, including in the context of market entry strategies and technology-enabled transactions. Her work also includes negotiating privacy, data and IP terms in technology deals, R&D collaborations, digital asset transfers and commercial agreements, particularly for clients in the life sciences and insurance sectors.

With a practical, business-aligned approach and a clear focus on outcomes, Sarah helps clients navigate regulatory complexity while protecting data, IP, and reputation, and is known for delivering clear, commercially focused solutions that align regulatory compliance with broader business objectives.

Professional Qualifications
  • Barrister and Solicitor of the Supreme Court of Victoria
  • Solicitor of the Senior Courts of England and Wales

Experience

  • Conducting privacy audits for multinational businesses, including a global food and beverage manufacturer, pharmaceutical companies and a global consumer goods manufacturer. This involves assessing privacy and data handling practices through tailored questionnaires and workshops, and delivering practical, risk-based recommendations to enhance compliance and strengthen organisational data governance.
  • Advising a global reinsurer on management of a data leakage incident involving sensitive commercial and personal data. This included liaising with insurance and privacy regulators in multiple jurisdictions.
  • Advising a security and facility services company on its response to a ransomware attack involving large-scale data exfiltration. This included managing regulatory engagement and notification strategies, and supporting the client in responding to and resolving complaints from affected individuals, whilst seeking to minimise regulatory exposure and operational disruption.
  • Conducting privacy impact assessments for a range of private and public sector organisations, helping clients to identify and mitigate privacy risks arising from the introduction of complex technology solutions and new business processes.
  • Co-authoring a report with the British High Commission on the regulatory and procedural challenges associated with overseas transfers of personal data in the absence of an Australia-UK adequacy decision. This included working with a range of government, industry and international stakeholders to assess current barriers and outline the potential impact of reform.
  • Advising a range of national and international clients on compliance with direct marketing and spam laws across omni-channel campaigns, including correspondence with the regulator, the Australian Communications and Media Authority (ACMA), following consumer complaints.
  • Conducting a bespoke cyber incident simulation workshop for a global pharmaceutical company.
  • Advising insurance companies on the application of Australian Prudential Regulation Authority (APRA) regulations relating to information security and operational resilience, and drafting and negotiating commercial terms relating to data sharing.
  • Providing advice on the application of privacy and surveillance laws including in respect of workplace surveillance schemes and to the State of Victoria in respect of its COVID-19 response.
Education
  • University of Nottingham (England), Bachelor of Laws (Hons), 2005
  • Nottingham Law School (England), Legal Practice Course, 2006

Seminars

Sarah regularly presents at external conferences and leads client training and briefings to boards of directors. Recent sessions and topics include:

  • WIN In-House Counsel Week 2026: Employment & privacy in the digital workplace: risks, reforms and practical strategies, 16 February 2026
  • Kaseya Connect Asia Pacific - Navigating Cyber Law and Compliance in 2025, 30 October 2025
  • WIN In-House Counsel Week 2025: Privacy and cyber – a new era, 20 February 2025
  • Payments Forum - Cyber Legal Assurance, 14 November 2024
  • Cyber Breach Simulation Workshop, 13 March 2024 (Brisbane), 9 May 2024 (Melbourne) and 23 November 2023 (Sydney)
  • WIN In-House Counsel Week 2024: Insights from the trenches - top tips for managing (and avoiding) cyber incidents, 22 February 2024
  • Webinar: Strengthening your organisation's cyber resilience, 23 October 2023
  • WIN In-House Counsel Week 2023: Data governance and cyber security – risk management for the digital age, 23 February 2023 (Melbourne) and 2 March 2023 (Brisbane)
  • WIN In-House Counsel Week 2021: The wandering workforce – cyber security and privacy, home offices, WHS and other employment law bear traps, 25 February 2021
  • WIN In-House Counsel Day 2020: Data breaches – a practical guide, 19 February 2020 (Brisbane) and 20 February 2020 (Melbourne)

Memberships And Affiliations

  • Law Society of England and Wales