Does the GDPR apply to businesses in Australia?

It’s been more than two months since the EU’s GDPR (General Data Protection Regulation) was enforced, so we thought we’d take a look at the impact the Regulation has had on organisations across Australia.

What is the GDPR?

You’ve more than likely had your inbox flooded over the past few months with emails notifying you of new privacy policies and asking for your consent. This is all because of the GDPR.

The Regulation came into effect on 25 May 2018, replacing existing data protection laws across the EU.

It expands the rights of EU residents to control how their personal information is collected and processed, and places a range of new obligations on organisations to be more accountable for data privacy and protection.

Australians will be receiving these emails as the GDPR applies to personal data processed by all EU organisations, including non-EU residents data.

GDPR compliance involves adopting a risk-based approach to data protection, ensuring you have policies and procedures in place to deal with transparency and accountability requirements, and protect individuals’ rights.

Download our free green paper ‘EU GDPR – A Compliance Guide’ for more information on the changes introduced by the Regulation >>

Does the GDPR apply to organisations in Australia?

Although the GDPR is an EU regulation, it can still apply to organisations in Australia.

To help decide whether the Regulation applies to you, consider the following:

  • Do you process EU residents’ personal data? It doesn’t matter where your organisation is based – if you process, store or transmit EU residents’ personal data, you will almost certainly be required to comply with the GDPR.
  • Are you engaged in economic activity? The GDPR states that processing has to be part of an “enterprise”. It doesn’t apply to people processing personal data for exclusively personal or household use – for example, if you keep friends’ contact information on your computer.

The GDPR, Australian Privacy Act 1988 and NDB scheme

In our recent blog, The Australian NDB scheme and the EU’s GDPR, we noted several similarities between the GDPR and national laws in Australia.

The technical and organisational measures you implement to achieve GDPR compliance will substantially help you comply with the NDB (Notifiable Data Breaches) scheme and the Privacy Act.

How to achieve compliance

Achieving compliance with the GDPR is not a matter of ticking a few boxes.

However, with the appropriate data protection compliance framework in place, you will be able to avoid significant fines and reputational damage, show customers that you are trustworthy and responsible, and derive added value from the data you hold.

For practical guidelines and solutions on how to comply, look at our GDPR compliance checklist.

Spend more than $300 on any of the books, toolkits, software, training and consultancy products listed in the GDPR compliance checklist in July and save 15% with the voucher code: GDPR-SAVE15.

See checklist >>


The GDPR - key steps for companies in Asia-Pacific. Our compliance checklist will take you through the essential steps.