To develop a strategy for cross jurisdictional privacy and data protection, it is necessary to build a functional understanding of the physical assets and information located, and the activities taking place, within each jurisdiction. It is also necessary to have a functional understanding of the legal regime in each jurisdiction, with particular attention to:

  • the regime protecting information and communications from unauthorized access or interception;
  • rules that prevent cross border transfers ("on soil requirements") and/or which impose requirements that apply before information can be sent or made accessible outside the jurisdiction;
  • the privacy regime and whether or not it could be used to protect information not collected from residents in the jurisdiction;
  • making sure that local privacy policies and the information handling practices are consistent with

    View all Global privacy and data protection strategy guidance

The aim of your Australian data protection strategy is to establish and maintain a culture of information security awareness and compliance within your organisation, taking into account the Australian regulatory environment.

Securing information is not just protecting it from being accessed by third parties. A commonly used way to summarise the key objective is to refer to the “CIA” (Confidentiality, Integrity and Availability) or, to avoid confusion with the USA Central Intelligence Agency, the “AIC” triad. The AIC triad is an important reminder that information security is not just about confidentiality but also about recognising that information can lose its value if it cannot be trusted, perhaps because it has been compromised by error or deliberate interference or has not been

View all Australian data protection strategy guidance

The analysis necessary to identify relevant information, relevant risks and the steps necessary to devise appropriate remediation procedures and solutions can be undertaken at a point in time as a discrete project. It is relatively straightforward to complete such a project, publish your policies and to conduct initial training. The temptation and natural tendency is to regard the completion of that work as a job done. This is particularly the case because your policies can serve as evidence of compliance and may even be referenced to clients as evidence of your awareness of the relevant issues and an indication of your commitment to cybersecurity.

See Allocation of responsibility.

Policies and procedures buried on the intranet or forgotten at the bottom of the

View all Ensuring data protection compliance guidance


Developing a strategy for cross jurisdictional compliance

Your objectives in developing a strategy for cross jurisdictional compliance | Understanding the nature of cross border business operations

Analysing your data and data flows

What is data mapping? | Importance of data mapping | Global regulatory compliance

Anticipating issues and risks

Introduction | Protection measures | Risks to consider | Jurisdictional compliance

Selecting local experts and asking the right questions

Introduction | Step 1 - Engage a local expert | Step 2 - Ask the right questions | Step 3 - Other considerations



Checklist for Complying with both the Privacy Act and the GDPR

S. Sharma, S. Field and B. Tomlinson, Maddocks

Privacy - Checklist for Privacy policy

S. Sharma, Special Counsel, Maddocks

Data Breach Assessment Guideline

P. Fair and S. Lee, Baker McKenzie

Privacy - Internal privacy guidelines for staff

S. Sharma, Special Counsel, Maddocks

Checklist for Ensuring data protection compliance

P. Fair and S. Lee, Baker McKenzie

EU General Data Protection Regulation (GDPR) - Compliance checklist

S. Sharma, S. Field and B. Tomlinson, Maddocks

Checklist for computer and device use

P. Fair and S. Lee, Baker McKenzie

Checklist for Data breach response guideline

P. Fair and S. Lee, Baker McKenzie

Privacy - Checklist for direct marketing

S. Sharma and E. Lau, Maddocks

EU general data protection regulation (GDPR) - Checklist for controller versus processor

S. Sharma, Special Counsel and B. Tomlinson, Partner, Maddocks

Threshold compliance checklist - GDPR and the Privacy Act

S. Sharma, S. Field and B. Tomlinson, Maddocks

Workflow Checklist: Content of notification

D. Kneller, Madgwicks Lawyers


Forms and Precedents