Overview
The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) has applied throughout the EU since 25 May 2018.
The GDPR is a regime of personal data protection requirements, adopted by the European Parliament and the Council of the EU, which regulates the processing of “personal data”. Although the GDPR is EU law, it has unprecedented extra-territorial reach: it can bind organisations with no physical presence in the EU at all. If the GDPR applies to your organisation, you may need to make a number of significant changes to your processes, contracts and documentation in order to ensure compliance.
Broadly speaking, the GDPR may apply to your organisation if it has an “establishment” in the EU and processes personal data in the context of that establishment, or, even without any EU establishment, if it:
- offers goods or services (whether or not for payment) to people in the EU; or
- monitors the behaviour of people in the EU (for example, by tracking them online).
In this subtopic you will learn:
- what is the GDPR and why it is important;
- when the GDPR might apply to an Australian organisation;
- what
The GDPR is a regime of personal data protection requirements, adopted by the European Parliament and the Council of the EU, which regulates the processing of “personal data”. As set out in What is the GDPR and when does it apply to Australian organisations?, the GDPR applies to Australian organisations in certain circumstances.
If the GDPR applies to your organisation (or will sometime in the future due to a change in your international strategy), your organisation will need to have a clear strategy to comply with the GDPR.
This can be a daunting task for Australian organisations, because while some of the concepts and obligations under the GDPR are similar to our own Privacy Act, there are many significant differences (which are explored in greater detail in Complying with both the
If the GDPR applies to your organisation, you will need to have a strategy in place to comply with key obligations under the GDPR (see Key compliance obligations under the GDPR).
A key compliance issue for Australian organisations is the transfer of personal data out of the EU (strictly, out of the European Economic Area), for example from an EU customer, supplier or subsidiary to systems located in Australia.
Individuals risk losing the protection of the GDPR if their personal data is transferred outside the EU, so the GDPR restricts such transfers. Australia is not covered by a European Commission adequacy decision, so a transfer to Australia must rely on another Chapter V mechanism (such as standard contractual clauses, binding corporate rules or one of the limited derogations).
Chapter V of the GDPR (Articles 44–50, notably Articles 44–47 and the derogations in Article 49) governs the transfer of personal
Many Australian businesses may find themselves in the situation of having to comply with two privacy regimes — under our own Privacy Act 1988 (Cth) (Privacy Act) and under the GDPR.
This subtopic is designed to assist businesses caught by both regimes to understand how they compare, as a first step in the journey of putting the necessary compliance measures, policies and processes in place.
In this subtopic you will learn:
- preliminary questions to consider;
- comparing the Privacy Act and the GDPR;
- unique aspects of the GDPR; and
- practical issues to consider when complying with both the Privacy Act 1988 (Cth) and the GDPR, with reference to our practical comparison table.
As each organisation’s size, scale, resources, budget and operational requirements are different, it is beyond the scope of
Guidance
Checklists
- Data security - Checklist for De-identification of personal information (A. Mitchell, Unisys)
- Checklist for Complying with both the Privacy Act and the GDPR (S. Sharma, S. Field and B. Tomlinson, Maddocks)
- Privacy - Checklist for Privacy policy (S. Sharma, Special Counsel, Maddocks)
- Cybersecurity strategy - Checklist for Overall cybersecurity strategy (P. Fair and S. Lee, Baker McKenzie)
- Data security - Checklist for Data security audit plan (A. Mitchell, Unisys)
- Workflow Checklist: Exceptions to notification obligations (D. Kneller, Madgwicks Lawyers)
- Data Breach Assessment Guideline (P. Fair and S. Lee, Baker McKenzie)
- Checklist for Ensuring data protection compliance (P. Fair and S. Lee, Baker McKenzie)
- Privacy - Internal privacy guidelines for staff (S. Sharma, Special Counsel, Maddocks)
- Cybersecurity strategy - Checklist for remote working (LexisNexis Legal Writer Team)
- EU General Data Protection Regulation (GDPR) - Compliance checklist (S. Sharma, S. Field and B. Tomlinson, Maddocks)
- Checklist for computer and device use (P. Fair and S. Lee, Baker McKenzie)
- Checklist for Transfers of personal data outside the European Economic Area (S. Sharma, S. Field and B. Tomlinson, Maddocks)
- Checklist for Data breach response guideline (P. Fair and S. Lee, Baker McKenzie)
- Privacy - Checklist for direct marketing (S. Sharma and E. Lau, Maddocks)
- Workflow Checklist: Identifying when a data breach is notifiable (D. Kneller, Madgwicks Lawyers)
- Data security - Checklist for Disaster recovery planning (A. Mitchell, Unisys)
- Workflow Checklist: Assessing a suspected data breach (D. Kneller, Madgwicks Lawyers)
- Checklist for Staff training on data protection compliance (P. Fair and S. Lee, Baker McKenzie)
- EU general data protection regulation (GDPR) - Checklist for controller versus processor (S. Sharma, Special Counsel and B. Tomlinson, Partner, Maddocks)
- Threshold compliance checklist - GDPR and the Privacy Act (S. Sharma, S. Field and B. Tomlinson, Maddocks)
- Privacy by design - practical checklist (S. Sharma, Maddocks)
- Workflow Checklist: Content of notification (D. Kneller, Madgwicks Lawyers)