GDPR and Australia, a time for review

By Alastair Phillips - June 29, 2018

Data privacy is high on the global agenda at present. New technologies and trends including big data, artificial intelligence and the internet of things (IoT), as well as recent international events, have increased pressure on organisations and policymakers across jurisdictions to take appropriate measures to protect consumers’ personal information.

Read: Contact Magazine Winter 2018

The General Data Protection Regulation (GDPR), which took effect on 25 May 2018, aims to address this critical area by providing clear guidance and protocols to organisations that collect, use and store the personal information of European Union nationals.

While directly governing the European Union, the new requirements have implications for businesses and operators in other countries, including Australia.

Broadly, the GDPR will impact Australian organisations with operations in the EU and those that provide goods and services within and to the EU, including online businesses and those monitoring the activity of individuals in the EU.

Fortunately, there are many similarities between the GDPR and Australia’s Privacy Act 1988, which will limit the extent of the impact on affected Australian businesses. However, while both policies follow a ‘privacy by design’ approach, the GDPR differs in several important ways for which there are presently no exact provisions under the Privacy Act. These are:

  • the right to be erased, allowing individuals to have information and content about them deleted and unsearchable;
  • the right to object to the processing of one’s own data, allowing individuals to prevent their information from being used for scientific or historic research, marketing and other purposes;
  • the right to data portability, allow individuals to access and / or authorise the transfer of their data from one organisation to another; and
  • the definition of consent, which must be voluntarily granted, represent a true choice and be bound to a specific purpose.

As a consumer, the new regulations mean greater protections and control of individuals’ personal information and how it’s used by organisations. For organisations, it is likely to change the way they manage the personal information relating to their customers.

Assessing the impact to your business

When assessing the impact to your business there are three key areas to consider.

  1. Impact assessment: Assess your organisation’s current data practices including collection methodology, storage, use and access, and how these factors fit within Privacy Act 1988 and GDPR frameworks.
  2. Policy and governance: Address risk areas identified in step one and remediate potential areas that may be non-compliant. Governance frameworks should apply to both digital and manual processes dealing with data collection and handling. This process should also include the development of an incident response plan to minimise the impact of a data breach on your customers and organisation.
  3. Training and awareness: It is critical to ensure your key stakeholders are aware of any changes that may affect them. Relevant personnel should undertake training in data collection and handling to ensure they are aware of the new requirements, as well as what to do in the event of a compliance breach. Likewise, clients should be informed of relevant changes to your organisation’s practices related to collection and storage of personal data, and should be considered in the incident response plan developed during step two.

Under GDPR, fines for contraventions are a maximum of €20 million or four percent of an organisation’s annual global turnover (whichever is greater), strongly incentivising the establishment of compliant practices.

While many data and customer management and communication platforms have built-in protocols to comply with requirements of both the Australian Privacy Act 1988 and the GDPR, it’s important businesses meet the required standards across their organisation.

Accordingly, the recent change in requirements makes it an opportune time to reassess the practices of your organisation in relation to the collection and management of customers’ personal information.

Contact our experts

Other articles


Top of Page


Rob Southwell

Rob Southwell's picture


Managing Partner and Partner – Private Business and Family Advisory

> View profile

Nigel Fischer

Nigel Fischer's picture


Managing Partner - Private Business and Family Advisory

> View profile

Michael Minter

Michael Minter's picture


Managing Partner

> View profile

Leon Mok

Leon Mok's picture


Managing Director

> View profile

Brendan Britten

Brendan Britten's picture


Managing Partner and Executive Director/Partner- Business Advisory and Assurance

> View profile

Ben Brazier

Ben Brazier's picture


Managing Principal

> View profile

Partnership fraud


Paperwork and independent advice saves partnerships from fraud

Discover more

Kia Ora Horse Stud


Pitcher Partners fills a Financial Manager gap to keep the business on track

Discover more

Fuel Injection Company Administration


A fuel injection company began life as an Australian public company before being acquired by a UK publicly listed company while in the research and development stage of a “green...

Discover more

@PitcherPartner LEADERSHIP | Client care is more important than ever as businesses & individuals navigate these challenging times.…