Most businesses or organisations with a website collect personal data about their visitors. The way in which Australian businesses can collect personal data is about to dramatically change with the introduction of the European Union’s (EU) General Data Protection Regulation (GDPR) on 25 May 2018. This article acts as a guide for whether your business needs to comply with the GDPR.

What is the GDPR?

The GDPR aims to protect the personal data of individuals based in the EU. The main difference between the GDPR and the Australian Privacy Principles (APPs) is its application. The GDPR not only applies to businesses located within the EU, but also to all businesses (wherever they may be located) that collect personal data from individuals based in the EU. Unlike the APPs, the size of your business is not a relevant factor in determining whether you need to comply.

Additionally, penalties for breaching the GDPR can attract substantial fines – up to 4% of a business’ annual global turnover or €20 million (whichever is greater). Therefore, it is important to ensure compliance.

Does the GDPR Apply to My Australian Website?

The GDPR will affect your website and collection of personal data, if your business:

  • is established in the EU;
  • offers goods or services to EU-based individuals (free or paid); or
  • monitors EU-based individuals’ behaviour.

If you do not have an office or branch in the EU and you do not monitor individuals based in the EU, you should work out whether you offer goods or services to EU-based individuals. However, as most websites are accessible to a global audience, the mere fact that EU-based individuals can access a site does not, by itself, indicate that the GDPR is applicable. It depends on whether your business intends on offering goods or services to EU-based individuals.

For example, factors that indicate an intention to offer goods or services to EU-based individuals can include:

  • using a European language on your website;
  • using a European currency on your website; or
  • mentioning customers or users who are in the EU.

Ultimately, if you tailor your website, marketing or any other aspect of your website to attract and sell to individuals based in the EU, then your business must comply with the GDPR.

Compliance with the GDPR

To comply with the GDPR, you may need to tweak your IT systems, internal processes and legal documents. Accordingly, it is best practice to have a lawyer review your business documents and methods. To comply with the GDPR, you should:

  1. Update your privacy policy
    Having a privacy policy that is compliant with the APPs is a good start. However, as the GDPR provides individuals with additional rights, you may need to update your current privacy policy.
  2. Update your processes and systems on your website
    Ensure that the privacy notices on your website are visible to your users every time that you collect personal data from them. Under the GDPR, you must have a lawful basis for processing the personal data. For example, obtaining consent for collecting personal data is one of the six lawful bases. To obtain consent, you can include a consent statement and a link to your privacy policy next to a ‘tick to accept’ box.

Key Takeaways

Your business must comply with the GDPR if you collect personal data and your business:

  • is established in the EU;
  • offers goods and services to EU based individuals; or
  • monitors the behaviour of individuals in the EU.

Ultimately, compliance depends on what personal data your business collect and how your business collects it. It also depends on whether your business intends on offering goods or services to EU-based individuals. If your business does need to comply, it is a good idea to update your privacy policy and business practices to ensure compliance and avoid facing significant fines. 

If you have any questions, are unsure whether the GDPR applies to your business or need assistance updating your privacy policy and business practices, get in touch with LegalVision’s online lawyers on 1300 544 755 or fill out the form on this page.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Johan Lundstedt

Get a Free Quote Now

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • We will be in touch shortly with a quote. By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.

Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at

View Privacy Policy