GDPR for Australian Businesses

May 22, 2018, MOQdigital Marketing

News, Cyber Security


The General Data Protection Regulation (GDPR) is trending worldwide, and with good reason. Under the new regulation, any company, including those based in Australia, that deals with data relating to citizens of the European Union (EU) must comply with the GDPR or face potential penalties of up to $20 million or 4% of annual turnover, whichever is higher.

The General Data Protection Regulation was created by the European Union in 2016 to replace the EU’s 1995 directive on data protection. The new regulation comes into effect on May 25, 2018 and requires businesses to protect the data and privacy of EU citizens, with a focus on personal information. It is worth noting that the GDPR takes a broad view of what constitutes personal information, and regulates the expiration of data held outside of the European Union.

The GDPR is comprehensive and includes information regarding:

  • Mandatory data breach notifications
  • Consent to use personal data
  • The right to access personal data, along with data portability and the ability to reuse it
  • The right to be forgotten
  • Appointment of Data Protection Officer (DPO) roles
  • Penalties for non-compliance

The GDPR comes with extended jurisdiction: it changes the global data landscape by applying to all companies processing the personal data of any subject residing in the European Union, regardless of where the company is located. Companies do not need a physical presence in the EU to be affected; they only need to be handling data relating to EU citizens. This means that many companies around the world will be affected by the GDPR, and that all businesses, Australian ones included, should be examining how the new regulation affects them.

Companies to which the GDPR applies are expected to expand their accountability and governance requirements, demonstrate that they comply with the ‘Principles relating to the processing of personal data’, and ensure that they have appropriate data protection policies in place. This includes appropriate processing activities, as well as technical and organisational measures supporting their data protection strategies. The Office of the Australian Information Commissioner (OAIC) has published guidance on the GDPR for Australian businesses.

Here at MOQdigital, we understand that new compliance regulations can seem complicated. We recommend that clients first understand whether or not the GDPR, or any new compliance legislation, applies to them. From here, businesses can learn what they need to do to become and remain compliant, what to do if EU Privacy Laws are breached, and how to reach out to the OAIC to take appropriate action.

We believe that for businesses whose operations are within Australia (no EU offices), the best way to approach compliance with the GDPR is to be compliant with Australian Privacy Law, including the new Notifiable Data Breaches (NDB) scheme, which bears a striking resemblance to the GDPR mandatory data breach notification requirements. For Australian businesses with a presence in the EU, the first step is ensuring full compliance with Australian Privacy Law, and the next is addressing any remaining compliance gaps with the GDPR, including assigning a Data Protection Officer.

Both Australian Privacy Law and the GDPR share a focus on fostering transparency regarding information handling practices and business accountability, and both require the implementation of measures to ensure compliance with defined privacy principles. Both laws are also technology neutral, which preserves their relevance and applicability in a digitally advancing market. Because of the NDB scheme, many Australian businesses will already have some of the measures in place needed to comply with the GDPR. Furthermore, understanding these changes and their associated requirements will help ensure that companies have policies and procedures in place not only to protect their data but also to act appropriately in the event of a breach.

If you have questions about the GDPR or the NDB scheme, or just want to ensure that your company has sound compliance and governance strategies, don’t hesitate to get in touch. Our team of qualified consultants can help ensure that you and your business are on the right track.