What will the new EU Privacy Laws mean for your business?



As of 25 May 2018, the European Union General Data Protection Regulation (GDPR) will implement a new extra-territorial data protection regime, which will impact Australian entities that handle personal data of EU residents.

Thankfully some of the provisions of the GDPR mirror those of the Australian Privacy Act 1988, which Australian entities are hopefully already familiar with. However, there are numerous substantive differences and unique requirements that go beyond the Australian position.

It is therefore important for organisations with operations in the EU to determine whether or not the GDPR applies to them and to ensure their personal data handling practices are brought into compliance before next year’s deadline.

Does my business need to comply with the new EU regulations?

You will need to comply with the GDPR requirements if your business or organisation:

1. has an ‘establishment’ within the EU (an effective and real exercise of activity through stable arrangements), whether or not personal information is actually processed in the EU;
2. is outside the EU but conducts data processing or controlling activities and offers goods or services to individuals within the European Union, whether or not payment is required; or
3. is outside the EU but conducts data processing or controlling activities and monitors behaviours of individuals within the European Union, whether or not such behaviour occurs in the EU.

This will most likely encompass Australian entities that have EU clients, have local operations in the EU or otherwise hold personal information on EU residents.

What key changes will the GDPR implement?

• Data controllers will have weightier accountability and governance obligations.
• Personal data may only be processed with an individual’s consent, which must be freely given, specific, informed and unambiguous.
• If a data breach occurs, relevant authorities and the individuals concerned must be notified without delay (if possible within 72 hours).
• Rights of individuals will be broadened to include the right of erasure, the right to data portability and the right to object to the processing of personal data.
• Entities who outsource their data processing to a third party will be required to document their relationship with the third party in a contract containing certain specific clauses.
• Transfer of personal data to countries outside the EU will be limited to those which the EU Commission approves as adequately safe.

What should I do next about GDPR?

Substantial sanctions apply for breaches of the regulations. Organisations with operations or clients in the EU should therefore analyse the extent to which they hold personal data of EU residents, determine whether they fall within the definition of ‘data controller’ or ‘data processor’ under the GDPR, and establish the scope of their responsibilities under it. They should also seek professional advice on how to bring their data protection policies and practices into accord with both the Australian and EU requirements.

You may like to complete our FREE GDPR Readiness Questionnaire so that we can help you assess where you stand with GDPR and the work required. Our initial assessment and response is free of charge.

Check out our other articles on the topic of the Data Protection Officer (DPO) here.

Compliance Quarter are providing a range of innovative services to help our clients navigate GDPR – to enquire directly please click here.
