GDPR for Australian Businesses: Do You Need to Care?
If you've got customers, staff, or suppliers in the EU, yes. Here's the plain-English version of what applies and what doesn't.
The General Data Protection Regulation (GDPR) is European law, but it applies to a lot of Australian businesses. If you've got customers, staff, or suppliers in the EU, here's the plain-English version of what applies, and what doesn't.
When GDPR applies to Australian businesses
Article 3 of the GDPR is the key provision. It extends GDPR to organisations outside the EU in two cases:
- You offer goods or services to individuals in the EU (paid or free, doesn't matter)
- You monitor the behaviour of individuals in the EU (analytics, tracking, targeting)
"Offering" means deliberately targeting EU users. An Australian website that happens to be accessible from Europe is not necessarily "offering" services there. But if you accept EU credit cards, ship to EU addresses, or translate content into European languages, you're in scope.
What GDPR requires
The key obligations that differ from the Australian Privacy Act:
- Lawful basis. You need a specific legal justification for processing personal data, consent, contract, legitimate interest, etc. Australian law is more permissive.
- Data subject rights. Individuals have extensive rights: access, correction, deletion ("right to be forgotten"), portability, objection. Australian rights are narrower.
- Data Protection Officer. For certain types of processing, you must appoint a DPO. Australian law has no equivalent.
- 72-hour breach notification. You have 72 hours to notify the supervisory authority, vs 30 days under the Australian NDB scheme.
- Privacy Impact Assessments. Required for high-risk processing. Under Australian law, this is good practice but not mandatory.
The penalty exposure
GDPR penalties are material. Up to €20 million or 4% of global annual turnover, whichever is higher. Australian penalties under the Privacy Act have crept toward this territory but remain lower in practice.
Australian regulators don't enforce GDPR directly, that's for European supervisory authorities. But Australian organisations that do business in the EU have been fined, usually through coordination between regulators.
The practical implications
For most Australian businesses with incidental EU contact, practical compliance means:
- Have a privacy policy that covers the GDPR information requirements
- Implement a data subject rights request process
- Have a data breach response plan with a 72-hour notification capability
- Document your lawful basis for each category of processing
- Audit your suppliers for GDPR compliance (including cloud providers)
The overlap with Australian law
The good news: if you're compliant with the Australian Privacy Act and you have strong document sharing controls, you're probably 80% of the way to GDPR compliance. The remaining 20% is mostly documentation and process, not new controls.
Frequently asked questions
Does GDPR even apply to my Australian business? It can — if you offer goods or services to people in the EU, or monitor their behaviour, GDPR applies regardless of where your business sits. If I comply with the Australian Privacy Act, am I GDPR-compliant? You're most of the way there — strong access controls, breach response and APP compliance cover the bulk. The remainder is documentation: lawful basis for each processing activity, data-processing agreements with suppliers, and a process for data-subject-rights requests. Does keeping data in Australia help or hurt GDPR? GDPR cares about lawful transfer mechanisms, not Australian residency as such — but keeping data onshore with a clear processing record makes your transfer-impact documentation simpler, not harder.
This is general information, not legal advice. For GDPR-specific compliance questions, speak to a lawyer who specialises in EU privacy law.