Does GDPR apply in Australia?

by | Aug 7, 2018 | WordPress

Last updated on 28 June 2024.
Many businesses and organisations in Australia have a website. And most of those websites collect data about their website visitors. This includes information from people who:
  • complete a contact form
  • buy something from an online store
  • sign up for a lead magnet
  • sign up to a newsletter
But there’s also Google Analytics. This is a free platform that collects data from your website, providing useful insights for website owners.
Australian businesses with a website generally need a Privacy Policy if they collect any personal information from website visitors.
But does the GDPR apply to Australia? The short answer is: it can.
So, let’s take a look at:
  • what GDPR is
  • how it impacts Australian business owners, and
  • what steps you can take to ensure compliance

What does GDPR stand for?

GDPR stands for General Data Protection Regulation. Introduced by the European Union (EU) in May 2018, the legislation aims to give EU citizens greater control over their personal data.
But GDPR protection extends beyond Europe’s borders. It can affect businesses worldwide – including those in Australia.

Is Australia a GDPR country?

While Australia isn’t directly subject to GDPR, many Australian businesses may still need to comply if they:
  • Have EU customers or website visitors
  • Offer goods or services to EU residents
  • Monitor the behaviour of individuals in the EU

Key GDPR principles

There are six privacy principles in the GDPR:

  1. Lawfulness, fairness, and transparency. You need to ensure your data collection policies don’t break the law. And that you aren’t hiding anything from your customers/clients. This is why having an easily accessible privacy policy is important. To remain transparent, make it clear in your privacy policy the type of data you collect and why you are collecting it.
  2. Purpose limitation. You should only collect personal data for a specific reason and clearly say what that reason is. Only collect that data for as long as necessary to complete the outlined purpose.
  3. Data minimisation. You must only process the personal data you actually need to achieve your stated purposes. There are two reasons for this. Firstly, in the event of a data breach, the unauthorised individual will only have access to a limited amount of data. Secondly, data minimisation makes it easier to keep that data accurate and up to date.
  4. Accuracy. Accuracy of personal data is an essential part of data protection. The GDPR requires that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
  5. Storage limitation. You need to delete personal data when it’s no longer necessary. How long is that? As long as the individual is considered a customer or client. This will vary from business to business. Therefore, it may be appropriate for you to seek legal advice about this.
  6. Integrity and confidentiality. The GDPR requires personal data to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Practical steps for GDPR compliance in Australia

If you have a subscriber list that includes EU subscribers, or you market your goods or services to EU citizens, then you’ll need to comply with the GDPR. Failure to do so may result in serious fines for breaching privacy.

  1. Have a privacy policy on your website. Ensure it’s easy to find on your website. I have it included in my footer.
  2. Ensure your privacy policy is GDPR compliant. Be mindful that having a privacy policy that complies with the Australian Privacy Policies (“APP”) is a great start, but the GDPR gives individuals even broader rights. Therefore, your privacy policy may require updating to cover the GDPR in addition to the APP.
  3. Store personal data in a readily available format. The GDPR gives individuals the right to be informed, the right to access their personal information, the right to have it corrected, the right to data portability, the right to object to the processing of their personal information, and rights in relation to automated decision-making and profiling.
  4. Remember that under the GDPR, consent must be explicit. Implied consent is not enough. Individuals may withdraw consent at any time.
  5. Check your subscriber or mailing list, if you have one. Contact any EU residents on your list and obtain their express consent to keep their information. If express consent is not forthcoming, you will need to delete their information.
  6. Update the contact form on your website to include a check box that reads something like “I have read your privacy policy and agree to you storing information on this form”. Do not have the box pre-checked. And have the words ‘privacy policy’ linked to your Privacy Policy page.
  7. Make it easy for individuals to unsubscribe from your marketing emails or have their information deleted. Platforms such as ActiveCampaign or MailerLite are good as they have an unsubscribe option in their emails.


Do not let the GDPR prevent you from having clients who are EU residents. See it as an opportunity to strengthen your data protection practices.

All you need to do is ensure that you’re GDPR compliant.

Need help with your GDPR or Privacy Policy wording?

If you need GDPR wording for your Privacy Policy, you can purchase the wording from Legal123. And if your website doesn’t have a Privacy Policy page, you can purchase Privacy Policy wording too.

Note: This blog post isn’t intended to replace appropriate legal advice.



Hi, I’m Rachel Amies

I’m a New Zealand-born, Sydney-based freelance digital marketing human. I’m an experienced SEO copywriter and WordPress website designer. And I’m ready to help you turn your website from ‘meh’ to ‘aMehzing’.
