Breadcrumb

GDPR and Australian Businesses

Written by

The GoCardless content team comprises a group of subject-matter experts in multiple fields from across GoCardless. The authors and reviewers work in the sales, marketing, legal, and finance departments. All have in-depth knowledge and experience in various aspects of payment scheme technology and the operating rules applicable to each. The team holds expertise in the well-established payment schemes such as UK Direct Debit, the European SEPA scheme, and the US ACH scheme, as well as in schemes operating in Scandinavia, Australia, and New Zealand. See full bio

Last editedSept 20213 min read

GDPR came into effect on 25 May 2018. Now, almost two years later, it’s imperative that Australian businesses understand their obligations regarding this landmark European Union regulation. Why? Because if your business hasn’t taken steps to overhaul your data protection processes, you may be facing significant penalties. Does GDPR affect Australia? If so, what do these data privacy laws mean for Australian businesses in practical terms? Learn more about the impact of GDPR in Australia, right here.

Let’s start off with the basics – what is GDPR? Put simply, GDPR is an EU regulation that is intended to improve privacy and data protection, ensuring that businesses handle and process data in the right way. It provides individuals with greater rights regarding their “personal data” and imposes greater restrictions and regulations on the way companies use that data. So, what is “personal data”? Although it’s a slightly complicated category, it’s essentially information that could be used to identify someone, whether that’s a name, an IP address, or information about religious/political views.

Given that GDPR is an EU law, it’s easy to assume that businesses don’t need to worry too much about GDPR compliance in Australia. In fact, GDPR doesn’t only apply to EU businesses, it applies to any business that processes the personal data of individuals in the European Union, wherever they are in the world. So, if you’re an Australian business with European customers, GDPR will apply to your business. Even if your business doesn’t directly collect the personal data of EU individuals, GDPR may still apply because of agreements that you have with suppliers or customers.

Think of it like this – if you deal with corporate customers from the EU, it’s likely that your contracting agreements feature specific terms that replicate GDPR regulations (as required by GDPR). Since your EU corporate customer is going to be at risk of repercussions due to non-compliance, they are likely to take steps – if they haven’t already – to ensure that your business, as well as any other service providers in your supply chain, are compliant. If your business can’t stay compliant, it could mean that your working relationship will come to an end.

As you can see, the impact of GDPR in Australian businesses could be significant. So, what does this mean for your business? There are several important regulations that you must ensure your business abides by to maintain GDPR compliance in Australia. These regulations range from the way you process personal data to mandatory reporting windows for data breaches. We’ve put together a checklist for businesses to ensure GDPR compliance in Australia:

Determine whether you process the personal data of individuals from the EU.
Find out whether you’re a “data controller” or a “data processor”.
Establish whether you have a lawful reason to process this personal data.
Work out whether any third parties have access to this data.
Review data privacy and security policies to make sure they’re in line with GDPR regulations.
Overhaul your policies and procedures to cover any gaps in GDPR compliance.
Test your incident response readiness (ability to comply with 72-hour breach notification window).
Check that your contracts with third parties contain GDPR-relevant language.
Designate and register a Data Protection Officer who can serve as a liaison in the EU.
Provide GDPR training to your staff.

GDPR does have extraterritorial reach and penalties can be levied against businesses that don’t comply. For serious infringements of the regulation, penalties can reach up to 4% of your company’s annual worldwide revenue from the previous year (or €20 million, whichever is higher). In addition, the EU requires all organizations based outside of it to appoint a representative to deal with all issues relating to data protection. If your company falls out of compliance, fines may be enforced through this representative.

Australia has its own regulations around the handling of personal information – the Privacy Act of 1988. Addenda was added via the Privacy Regulation 2013 and the Privacy Amendment (Notifiable Data Breaches) Act 2017. The Privacy Act provides a set of principles, known as the Australian Privacy Principles (APPs), that offer rules around data protection, transparency, and direct marketing.

Although the two sets of data protection regulations cover similar ground, when it comes to GDPR vs. Australia’s Privacy Act, there are a couple of key differences. Most importantly, the GDPR’s Privacy Policy requirements are more extensive than the Privacy Act, and while APPs only require "implied" or "express" consent to collect, share, or use your personal information, the GDPR requires “express” consent.

Rights over personal information are also more comprehensive with GDPR, which offers “the right to be forgotten”. It’s also worth remembering that, while both laws require companies to protect their customers’ personal information, the requirements for GDPR are more stringent. Put simply, it’s a mistake to assume you’re covered simply because your business is compliant with the Privacy Act.

Final word

GDPR and Australian businesses is a thorny topic, and many companies are still coming to grips with the demands of the legislation. It’s now time for businesses to step up to the plate. The EU has demonstrated its willingness to levy significant penalties – such as the £183m (AUD$329m) fine issued to British Airways – and if you’re not compliant, you could end up dealing with significant consequences. By ensuring that you know where all your data resides, you’re processing it in compliance with GDPR regulations, you’re controlling access to the data, and you’re shielding it against potential threats, you can make sure that you and your customers are protected.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.

GDPR and Australian Businesses

What is GDPR?

Does GDPR affect Australia?

What does GDPR mean for Australian businesses?

What are the penalties for falling out of GDPR compliance in Australia?

GDPR vs. Australia’s Privacy Act

Final word

We can help

Over 85,000 businesses use GoCardless to get paid on time. Learn more about how you can improve payment processing at your business today.