The European Union’s General Data Protection Regulation (GDPR) has been in effect since May 2018.

In essence, it regulates ‘personal data’ of EU residents — from collection to use, retention, transfer and deletion.

The GDPR is a European Union regulation – so I shouldn’t be affected as an Australian business, right? Not necessarily, and we’ll tell you why.

The GDPR doesn’t just apply to EU businesses. It applies to any business that processes and collects personal data from an individual who resides in the European Union.

We know with the rise of online businesses and services, some Aussie businesses are bound to be caught by the extra territorial scope of the GDPR and may have to comply with the GDPR — so let’s break it down.


Firstly, let’s understand how things are defined in the GDPR.

Processing: this could refer to the use of personal data. It could encompass anything from collecting data to destroying it, and is a catch-all word to cover any operations on personal data.

Personal data: this could refer to any data that can identify a living person directly or indirectly.

Data that identifies someone directly could include a person’s name, address, email address, IP address or location data. If data identifies someone indirectly, it means it’s possible to identify someone by cross referencing different sources of data. By itself, this data may not be able to identify an individual, but combined with other data your company possesses, it may help to achieve a positive identity match.

‘Sensitive’ personal data: this class of data should be handled with extra care. It could include race, health status, sexual orientation, religious beliefs, political beliefs, genetics or biometrics, to name a few.

Controller: this is someone who determines the purpose and methods of processing personal data (for example, you as a business decide to collect a first name, last name and email address as part of your ‘controller’ role).

Processor: this is someone who manages personal data on behalf of a controller (for example, a processor could be a marketing company that uses personal data for promotional reasons).

Data subject: any individual in the EU whose personal data is processed.

Do You Need A GDPR Privacy Policy?

It is important to think about whether you need to be GDPR compliant as an Australian business.

Australian businesses may need to comply in two circumstances:

  1. If the business has an establishment in the EU. This applies regardless of whether the business collects and processes personal data (and irrespective of where it is processed); or

  2. If the business offers goods/services to EU citizens or monitors the behaviour of individuals in the EU.

The GDPR applies to the data processing activities of all businesses, regardless of size (which is somewhere the GDPR and the Australian Privacy Principles diverge — more on that below). 

What Businesses Need To Comply With The GDPR?

Some examples of Australian businesses that may need to comply with the GDPR include:

  • Australian businesses with an office in the EU
  • Australian businesses that target EU customers. This could include allowing customers to order goods and services in a European language other than English, or offering customers the option to pay in Euros
  • Australian businesses whose website refers to EU customers or users (e.g. if you have mentioned them in testimonials or reviews)

What Do You Need To Do To Be Compliant?

We’ve already written about some quick tips on how to be GDPR compliant. But, essentially, there are seven main data protection principles that need to be adhered to.

1. Lawfulness, Fairness and Transparency

This principle is pretty straightforward. Organisations need to make sure they are clear about the personal data they are collecting. To do this, your privacy policy should state the type of personal data you’re collecting and what you’ll do with it.

2. Purpose Limitation

Here, the GDPR mandates that organisations should only collect personal data for a particular stated purpose and only collect personal data necessary to fulfil that purpose. There is more leeway for purposes in the name of the public interest or for scientific, historical or statistical purposes.

3. Data Minimisation

An organisation that collects personal data should only process this information in a way that fulfils its processing purposes. This is beneficial for both users and organisations because:

  • In the case of a data breach, there will only be a limited amount of personal data available.
  • Minimising the amount of personal data collected will make it easier to keep this data accurate and up to date.

4. Accuracy

According to the GDPR, ‘every reasonable step must be taken’ to erase or rectify personal data that is inaccurate or incomplete within 30 days of the individual’s request.

5. Storage Limitation

When the organisation stops having a need for the personal data, the GDPR mandates that it must be deleted.

6. Integrity and Confidentiality

In this requirement, the GDPR mandates that personal data must be ‘processed in a manner that ensures appropriate security of personal data’. While there aren’t specific measures specified in the GDPR (due to the fast-changing nature of technology), it simply requires all measures to be taken to ensure this.

7. Accountability

This is referred to as the ‘accountability principle’, which means exactly that. It commands accountability by requiring the controller to be responsible for and be able to demonstrate compliance.

GDPR vs Australian Privacy Principles: Where Do They Differ?

There are many similarities between the requirements outlined in the GDPR and in the Australian Privacy Act 1988. They both include general concepts like being able to demonstrate compliance with privacy principles whilst adopting transparent information handling practices.

Below are just some of the situations where the GDPR differs from the Privacy Act.

Processors and Controllers

The Australian Privacy Principles do not have the notion of ‘processors’ and ‘controllers’. Having defined roles ensures accountability. Controllers also have obligations to be more transparent in their communication with individuals than what is required by the Privacy Act.

Consent

While in Australia consent can be implied, the GDPR mandates that consent must be made explicit by a ‘statement or by clear affirmative action’. Both systems allow consent to be withdrawn at any time.

Individual Rights

There are certain rights in the GDPR that aren’t explicitly stated in the Privacy Act. These include the right to erase personal data, the right to be forgotten and the right to data portability.

EU Representative

Compliance with the GDPR extends to more than just a privacy policy. In some cases, you may need to appoint a ‘representative’ established in the EU. If an EU citizen or data protection supervisory authority has any questions regarding the protection of data you’re collecting, then this is where a representative comes in. They will act as the main point of contact for any questions and concerns raised. 

Data Breaches

There is a more onerous requirement to report data breaches under the GDPR, and you also have a shorter time frame in which to do this.

Size of Business

As mentioned before, the Privacy Act does not cover small business (ones with an annual turnover of $3 million or less – subject to some exceptions). In contrast, the GDPR applies to all organisations, regardless of size and industry.

Penalties For Non-Compliance

The GDPR has two tiers of penalties for non-compliance.

  1. Up to €10 million, or 2% of annual global turnover – whichever is higher. This applies to an infringement of the organisation’s obligations (which include data security breaches).

  2. Up to €20 million, or 4% of annual global turnover – whichever is higher. This applies where there is an infringement of an individual’s privacy rights.

Brexit: What Does It Mean For GDPR? 

The UK was one of the principal architects of the GDPR. But now that Brexit is well and truly underway, will you still have to comply with the GDPR if you have customers primarily in the UK?

Initially, there will be a transition period (which will run through till 31 December 2020) where EU rules surrounding the GDPR will continue to apply to the UK.

Although the GDPR will cease to automatically apply to businesses in the UK after the end of the transition period, it is unlikely that much will change for Australian businesses with UK customers.

Many of the GDPR articles are planned to be carried over into UK law as a ‘UK GDPR’, which will mean that compliance will largely stay the same. The extraterritorial scope and representative requirements will also largely stay the same (but you’ll require a UK Representative rather than an EU Representative).

And, of course, the UK GDPR will be altered in scope to cover the personal data protection of UK individuals only.

All in all, for Aussie businesses, the same level of compliance will most likely be necessary if you conduct business in the UK.

Key Takeaways

GDPR compliance extends beyond just having a GDPR compliant privacy policy or a cookie policy. It can be hard to know what you have to do to be compliant as there is a very high onus on businesses to protect individual personal data.

Whether you’re looking for a GDPR compliant privacy policy or specific ways to make your business compliant with GDPR — we can help! Send us an email at or give us a call at 1800 730 617.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.
