GDPR for Australian Businesses: Do You Need to Care?
If you've got customers, staff, or suppliers in the EU, yes. Here's the plain-English version of what applies and what doesn't.
The General Data Protection Regulation (GDPR) is European law, but it applies to many Australian businesses. What follows sets out what applies to you and what doesn't.
When GDPR applies to Australian businesses
Article 3 of the GDPR is the key provision. It extends GDPR to organisations outside the EU in two cases:
- You offer goods or services to individuals in the EU (paid or free — doesn't matter)
- You monitor the behaviour of individuals in the EU (analytics, tracking, targeting)
"Offering" means deliberately targeting EU users. An Australian website that happens to be accessible from Europe is not necessarily "offering" services there. But if you accept EU credit cards, ship to EU addresses, or translate content into European languages, you're in scope.
What GDPR requires
The key obligations that differ from the Australian Privacy Act:
- Lawful basis. You need a specific legal justification for processing personal data — consent, contract, legitimate interest, etc. Australian law is more permissive.
- Data subject rights. Individuals have extensive rights: access, correction, deletion ("right to be forgotten"), portability, objection. Australian rights are narrower.
- Data Protection Officer. For certain types of processing, you must appoint a DPO. Australian law has no equivalent.
- 72-hour breach notification. You have 72 hours to notify the supervisory authority, vs 30 days under the Australian NDB scheme.
- Privacy Impact Assessments. Required for high-risk processing. Under Australian law, this is good practice but not mandatory.
The penalty exposure
GDPR penalties are material. Up to €20 million or 4% of global annual turnover, whichever is higher. Australian penalties under the Privacy Act have crept toward this territory but remain lower in practice.
Australian regulators don't enforce GDPR directly — that's for European supervisory authorities. But Australian organisations that do business in the EU have been fined, usually through coordination between regulators.
The practical implications
For most Australian businesses with incidental EU contact, practical compliance means:
- Have a privacy policy that covers the GDPR information requirements
- Implement a data subject rights request process
- Have a data breach response plan with a 72-hour notification capability
- Document your lawful basis for each category of processing
- Audit your suppliers for GDPR compliance (including cloud providers)
The overlap with Australian law
The good news: if you're compliant with the Australian Privacy Act and you have strong document sharing controls, you're probably 80% of the way to GDPR compliance. The remaining 20% is mostly documentation and process, not new controls.
This is general information, not legal advice. For GDPR-specific compliance questions, speak to a lawyer who specialises in EU privacy law.