The EU General Data Protection Regulation (GDPR) is one of the world’s most influential privacy frameworks. While designed to protect the personal data of individuals in the European Union (EU), its reach extends far beyond Europe.
Australian organisations that offer goods or services to EU-based individuals or monitor their online behaviour are directly subject to the GDPR, regardless of where they are established.
For many Australian businesses (especially those operating in technology, e-commerce, education, or tourism) the GDPR is not optional. Failing to comply can result in significant penalties and reputational damage.
The GDPR applies to any business outside the EU that offers goods or services to individuals in the EU (whether or not payment is required), or monitors the behaviour of individuals within the EU (Article 3(2)).
This means an Australian retailer selling online to EU customers, or a software company tracking EU users’ activity, is within scope.
The GDPR enhances data subject rights, including the rights of access, rectification, erasure (the “right to be forgotten”) and data portability. Businesses must be able to verify the requester’s identity and respond to these requests within the statutory timeframe, generally one month.
Regulators can impose fines of up to €20 million or 4% of annual global turnover, whichever is higher.
Even for smaller Australian businesses, reputational harm and loss of EU partnerships can be more damaging than the fines themselves.
Australia’s Privacy Act is being reviewed, and several proposed reforms mirror the GDPR’s principles, such as stronger consent requirements and increased penalties. Understanding and applying GDPR compliance today helps Australian businesses future-proof their privacy programs.
Identify whether your business offers goods or services to EU customers or processes their data through digital channels. Even if you don’t have an EU office, GDPR may still apply.
Understand what personal data you collect, where it’s stored, and who accesses it. Keep data inventories and only collect information necessary for business purposes.
Policies must clearly state how EU personal data is collected, used, stored, and shared. They should meet GDPR transparency standards and be easily accessible.
Processing EU personal data requires a lawful basis under Article 6, such as consent, performance of a contract, or legitimate interests.
Businesses must document and justify the basis for each processing activity.
Adopt appropriate technical and organisational measures to protect personal data (Article 32), including encryption, access controls, and incident response plans.
The GDPR requires that a personal data breach be notified to the relevant supervisory authority within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay.
Non-EU organisations that process EU personal data on more than an occasional basis may need to appoint a representative established in the EU (Article 27).
Where a business’s core activities involve regular and systematic large-scale monitoring of individuals, or large-scale processing of sensitive (“special category”) data, appointing a Data Protection Officer (DPO) may be mandatory.
Personal data transferred from the EU to Australia must comply with the GDPR’s international transfer rules.
As Australia is not currently deemed “adequate” for GDPR purposes, businesses must use an approved transfer mechanism, such as the European Commission’s Standard Contractual Clauses, supplemented where necessary by an assessment of whether Australian law affords the transferred data an essentially equivalent level of protection.
Our Corporate and Commercial team advises clients on navigating privacy laws and aligning compliance frameworks with both the GDPR and Australian requirements. We help organisations design practical solutions, balancing legal risk with operational efficiency.
This article was written by Ariel Bastian, Senior Associate Corporate Commercial and Anna Kosterich, Restricted Practitioner Corporate Commercial.