The cross-border transfer of personal data is a complex and evolving area

In Europe, the commencement in May 2018 of the General Data Protection Regulation (GDPR) ushered in a new era of control and transparency for the greater benefit of data subjects but with that comes a regulatory and compliance impost on the collectors of personal data.

In Australia, the introduction in February 2018 of the Notifiable Data Breach scheme has some important ramifications for offshoring and outsourcing.

In this group of topics, therefore, we highlight key issues in the current regulatory landscape affecting cross-border transfers of personal data, starting with a consideration of what is meant by the term “personal data”.

As a general guide, personal data in Australia may

View all Cross-border transfers of personal data guidance

Businesses operating in Asia, or who engage service providers with operations in Asia, need to be across the potential regulatory impacts in force in other jurisdictions that could apply. This subtopic takes a closer look at Indonesia, China, Malaysia and Singapore each of which have or are in the process of introducing new, cybersecurity-specific legislation.

The Asia-Pacific region is incredibly diverse and this diversity is reflected in the levels of cyber sophistication to be found throughout the region. The region has some of the most cyber-sophisticated countries according to the Global Cybersecurity Index 2017 (GCI) — Singapore, for example, was ranked number 1 out of 193 countries. The GCI measures regulatory commitment to cybersecurity and is produced by the United Nations

View all Data requirements in Asia guidance

The opportunities presented by cloud computing make this technology one of the most important IT developments in recent years, with both the private and public spheres increasing their uptake of cloud services. Workplace environment transformations, increased collaboration, shared or remote workspaces, and flexible work arrangements, have all encouraged the proliferation of cloud computing.

The Australian Signals Directorate (ASD), adopting the definition developed by the National Institute of Standards and Technology (NIST), defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (eg networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

But with increased opportunity there is also corresponding

View all Data protection aspects of cloud computing guidance

Handing over personal data at work is an activity that most people accept is just a normal part of their job.

But for employers, and their lawyers, it is crucial to be aware of the rules regulating employee data, especially if employers are operating in more than one jurisdiction. As it will become apparent in this guidance note, different jurisdictions take very different approaches to regulating employee data which can cause confusion and may result in unnecessary penalties.

There are many questions that different data protection laws have attempted to answer worldwide. For example, when a jobseeker completes an online application, or hands over their CV, are they relinquishing ownership of that personal information? Do they need to provide consent if their

View all Transfers of employee data guidance


Understanding personal data

What is personal data?

Complying with transfer of personal data obligations under Australian law

Personal data obligations under Commonwealth statute

Identifying requirements for transferring personal data overseas

Scope | Transferring personal data overseas

Overview of data requirements in Asia

Data requirements in Asia | Businesses operating in Asia

Show all guidance


Checklist for Complying with both the Privacy Act and the GDPR

S. Sharma, S. Field and B. Tomlinson, Maddocks

Privacy - Checklist for Privacy policy

S. Sharma, Special Counsel, Maddocks

Data Breach Assessment Guideline

P. Fair and S. Lee, Baker McKenzie

Checklist for Ensuring data protection compliance

P. Fair and S. Lee, Baker McKenzie

Privacy - Internal privacy guidelines for staff

S. Sharma, Special Counsel, Maddocks

EU General Data Protection Regulation (GDPR) - Compliance checklist

S. Sharma, S. Field and B. Tomlinson, Maddocks

Checklist for computer and device use

P. Fair and S. Lee, Baker McKenzie

Checklist for Data breach response guideline

P. Fair and S. Lee, Baker McKenzie

Privacy - Checklist for direct marketing

S. Sharma and E. Lau, Maddocks

EU general data protection regulation (GDPR) - Checklist for controller versus processor

S. Sharma, Special Counsel and B. Tomlinson, Partner, Maddocks

Threshold compliance checklist - GDPR and the Privacy Act

S. Sharma, S. Field and B. Tomlinson, Maddocks

Workflow Checklist: Content of notification

D. Kneller, Madgwicks Lawyers


Forms and Precedents