Australian Guide to the European Union General Data Protection Regulation (the GDPR)

Date: May 31, 2018


What is the GDPR?

The European Union General Data Protection Regulation (GDPR) contains new data protection requirements that have applied from 25 May 2018. It establishes broad rights protecting individuals' personal information across the EU.


Who does it apply to?

The GDPR applies to businesses that are data processors and controllers with an establishment in the EU.  In general terms, a controller says how and why personal data is processed and a processor acts on behalf of the controller.  Where a business has an establishment in the EU, activities of the business that involve processing personal data will need to comply with the GDPR, regardless of whether the data is actually processed in the EU.


What’s new?

Controllers must ensure and demonstrate through the implementation of appropriate technical and organisational measures, including data protection policies, that their processing activities are GDPR compliant.

The GDPR sets out expanded accountability and governance requirements and introduces a raft of changes across a number of areas:



Penalties under GDPR are much higher than those prescribed by the Privacy Act 1988 (Cth).  Under the regulations, organisations may be subject to fines of up to 20 million euros or 4% of global revenues.


What does it mean for Australian business?

The GDPR is focused on activities in the EU; however, as it is drafted very broadly, it is likely to impact organisations outside of the EU, including organisations in Australia. The following organisations will be captured by the regulations and required to comply. Organisations that:

Australian businesses that would be covered by the GDPR include businesses:


Risk Management – how do you assess, monitor and treat the risk?

Australian businesses that are required to be GDPR compliant need to systematically review their personal information handling practices for the EU. Additionally, businesses would be required to:

Given the importance of consent under the GDPR, it is also necessary to revisit how consent is obtained from individuals in the EU and the type of information obtained. There is also a focus on sensitive information under the GDPR, so compliant organisations need to decide what information they require for their business to function.




Rosan Santangelo, Partner, and Emily Gibson









