What will the new EU Privacy Laws mean for your business?

Share on twitter
Share on linkedin
Share on facebook


As of 25 May 2018, the European Union General Data Protection Regulation (GDPR) will implement a new extra-territorial data protection regime, which will impact Australian entities that handle personal data of EU residents.

Thankfully some of the provisions of the GDPR mirror those of the Australian Privacy Act 1988, which Australian entities are hopefully already familiar with. However, there are numerous substantive differences and unique requirements that go beyond the Australian position.

It is therefore important for organisations with operations in the EU to determine whether or not the GDPR applies to them and to ensure their personal data handling practices are brought into compliance before next year’s deadline.

Does my business need to comply with the new EU regulations?

You will need to comply with the GDPR requirements if your business or organisation:

1. has an ‘establishment’ within the EU (an effective and real exercise of activity through stable arrangements), whether or not personal information is actually processed in the EU;
2. is outside the EU but conducts data processing or controlling activities and offers goods or services to individuals within the European Union whether or not payment is required; or
3. is outside the EU but conducts data processing or controlling activities and monitors behaviours of individuals within the European Union, whether or not such behaviour occurs in the EU.
This will most likely encompass Australian entities that have EU clients, have local operations in the EU or otherwise hold personal information on EU residents.

What key changes will the GDPR implement?

• Data controllers will have weightier accountability and governance obligations.
• Personal data may only be processed with an individual’s consent which must be freely given, specific, informed and unambiguous.
• If a data breach occurs, relevant authorities and the individuals concerned must be notified without delay (if possible within 72 hours).
• Rights of individuals will be broadened to include the right of erasure, the right to data portability and the right to object to the processing of personal data.
• Entities who outsource their data processing to a third party will be required to document their relationship with the third party in a contract containing certain specific clauses.
• Transfer of personal data to countries outside the EU will be limited to those which the EU Commission approves as adequately safe.

What should I do next about GDPR?

Substantial sanctions for breaches of the regulations apply. Therefore organisations with operations or clients in the EU should analyse the extent to which they hold personal data of EU residents and determine whether they fall into the definition of ‘data controller’ or ‘data processor’ under the GDPR and determine the scope of their responsibilities under the GDPR. They should also seek professional advice on how to bring their data protection policies and practices into accord with both the Australian and EU requirements.

You may like to complete our FREE GDPR Readiness Questionnaire so that we can help you assess where you stand with GDPR and the work required. Our initial assessment and response is free of charge.

Check out our other articles on the topic of the Data Protection Officer (DPO) here.

Compliance Quarter are providing a range of innovative services to help our clients navigate GDPR – to enquire directly please click here.

More to explorer

Technicians installing photovoltaic solar panels on roof of house.

Compliance Quarter’s Submission to the AER’s Review of the Compliance Procedures and Guidelines

On 11 April 2024, Compliance Quarter put forward its submission on proposed changes to the AER Compliance Procedures and Guidelines. The AER is reviewing its Compliance procedures and guidelines, which set out the manner and form in which energy businesses in jurisdictions that have adopted the National Energy Retail Law must submit compliance information and data to the AER. We argue that there should be consideration of measures to incentivise early reporting of potential breaches. These may, for example, take the

person wearing foo dog costume

Obligations of Energy Retailers Regarding Best Offer Information

Energy retailers in Victoria have specific obligations under the Energy Retail Code of Practice to provide clear information to customers about their ‘best offer’ – that is, the plan that would minimize the customer‘s energy costs based on their usage history. The objective is to ensure small customers can easily understand whether they are on the retailer‘s best plan for them and how to access the retailer‘s best offer if not. One of the significant challenges in the energy sector (as in banking and elsewhere) is that customers

low angle photo of sydney opera house australia

Guide to the National Energy Retail Rules

The National Energy Retail Rules (NERR) are a set of rules that govern the sale and supply of electricity and gas by retailers to consumers in Australia, alongside the related National Energy Retail Law (NERL). The NERR came into effect on 1 July 2012 in Tasmania, the Australian Capital Territory, and the Commonwealth. South Australia followed on 1 February 2013, New South Wales on 1 July 2013, and Queensland on 1 July 2015. The NERR do not yet apply in

Leave a Reply

Your email address will not be published. Required fields are marked *