Does GDPR apply to Australian businesses?

GDPR applies to Australian businesses if they offer goods or services to individuals in the EU, monitor the behaviour of individuals in the EU, or have an establishment in the EU. This means many Australian businesses with international customers or online services need to comply.

How does GDPR differ from Australian privacy law?

GDPR has broader scope, stronger individual rights (including the right to erasure), requires explicit consent more often, mandates Data Protection Officers for certain organisations, requires 72-hour breach notification, and has much higher maximum penalties. The Australian Privacy Act is being reformed to bring it closer to GDPR standards.

What are the penalties for GDPR non-compliance?

Maximum penalties are up to €20 million or 4% of the company's global annual turnover, whichever is higher. Lower-tier penalties of up to €10 million or 2% of turnover apply to less severe infringements. Supervisory authorities can also issue warnings, reprimands, and orders to cease processing.

Book Free Assessment Calculator

General Data Protection Regulation (GDPR)

General Data Protection Regulation

Also known as:EU data protection lawEuropean privacy regulation

The European Union regulation on data protection and privacy that applies to organisations worldwide if they process personal data of EU residents.

In-Depth Explanation

The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law that came into effect in May 2018. While it is an EU regulation, its reach extends globally to any organisation that processes the personal data of individuals in the EU, making it relevant for Australian businesses with European customers or operations.

Key GDPR principles:

Lawfulness, fairness, and transparency: Processing must have a legal basis and be transparent
Purpose limitation: Data collected for specified, explicit purposes only
Data minimisation: Collect only what is necessary
Accuracy: Keep personal data accurate and up to date
Storage limitation: Retain data only as long as necessary
Integrity and confidentiality: Protect data with appropriate security measures
Accountability: Demonstrate compliance with all principles

Individual rights under GDPR:

Right to be informed
Right of access (Subject Access Requests)
Right to rectification
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object
Rights related to automated decision-making and profiling

Key obligations for businesses:

Appoint a Data Protection Officer (DPO) if required
Conduct Data Protection Impact Assessments (DPIAs)
Maintain records of processing activities
Implement privacy by design and by default
Report data breaches within 72 hours to the supervisory authority

Business Context

Australian businesses that serve EU customers, have EU employees, or process EU residents' data must comply with GDPR or face penalties of up to 4% of global annual turnover or €20 million.

How Clever Ops Uses This

Clever Ops helps Australian businesses that operate internationally implement GDPR-compliant data handling processes. We build consent management systems, data subject request workflows, breach notification procedures, and privacy impact assessment templates that meet both GDPR and Australian Privacy Act requirements.

Example Use Case

"An Australian SaaS company with European users implements automated data subject access request processing that retrieves, compiles, and securely delivers all personal data within the 30-day GDPR timeframe."