Overview — What is the GDPR and when does it apply to Australian organisations?

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) came into force on 25 May 2018.

The GDPR is a regime of personal data protection requirements adopted by the European Parliament which regulates “personal data”. While the GDPR is EU law, it has unprecedented extra-territorial reach. If the GDPR applies to your organisation, you may need to make a number of significant changes in order to ensure compliance.

Broadly speaking, if your organisation has an “establishment” in the EU or:

• • offers goods or services to; or
• • monitors the online behaviour of people in the EU,
• then it may be subject to the GDPR.

In this subtopic you will learn:

• • what is the GDPR and why it is important;
• • when the GDPR might apply to an Australian organisation;
• • what is meant by offering goods or services to people in the EU;
• • what is meant by monitoring people in the EU; and
• • what questions to ask your organisation so you are able to make an assessment as to whether the GDPR applies to your organisation.

While an organisation’s operations might not currently be caught by the GDPR, this may change in the future. It would be prudent to put in place policies and procedures to monitor an organisation’s international strategy which may change or evolve to focus on attracting clients or customers from the EU. See GDPR Applicability Assessment Questionnaire in guidance notes When might the GDPR apply to an Australian organisation?, What is offering goods or services to individuals in the EU and What is monitoring the behaviour of individuals in the EU?