European Union General Data Protection Regulation (GDPR)


The European Union (EU) General Data Protection Regulation (the GDPR) contains new data protection requirements and Australian businesses may be caught by the European data protection laws if they “control” or “process” personal data of EU individuals. 
From 25 May 2018 Australian businesses of any size may need to comply if they:

  • operate businesses established in a member state of the EU
  • offer goods and or services to individuals in the EU
  • monitor the behaviour of individuals in the EU, where that behaviour takes place within the EU.

The GDPR and the Australian Privacy Act 1988 (Privacy Act) have common requirements, which are:

  • implement a privacy by design approach to compliance
  • be able to demonstrate compliance with privacy principles and obligations
  • adopt transparent information handling practices.

The notable differences include certain rights of individuals such as the ‘right to be forgotten’ in the GDPR which there is currently no equivalent right under the Privacy Act. Also the GDPR gives authorities the power to impose administrative fines for contraventions, with fines for certain contraventions up to €20 million or 4% of annual worldwide turnover, whichever is greater.

The Office of the Australian Information Commissioner (OAIC) has recommended that businesses should confirm whether they are covered by the GDPR, and if so, take steps to implement any necessary changes to ensure compliance and or seek legal advice.

Stephen Crouch