Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Even if your business is based in Australia, the General Data Protection Regulation (GDPR) can still apply to you.
This catches a lot of small business owners off guard. You might assume GDPR is “an EU thing”, and that the Australian Privacy Act is the only privacy law you need to think about.
But if you sell to customers in Europe, run online ads that target people in the EU, or track visitors on your website from the EU, the GDPR can become part of your legal compliance picture.
The good news is you don’t need to panic or over-complicate it. If you break GDPR down into practical steps, it becomes a manageable project - and in the process, you’ll likely improve your overall data handling and reduce business risk.
What Is The General Data Protection Regulation (GDPR) And Why Does It Matter In Australia?
The General Data Protection Regulation (GDPR) is a privacy law that applies across the European Union (EU) and European Economic Area (EEA). It sets rules for how personal data is collected, used, stored and shared.
It matters in Australia because GDPR can have extraterritorial reach. In plain English: it can apply outside the EU, including to Australian small businesses, if you have certain connections to individuals in the EU.
What Counts As “Personal Data” Under GDPR?
GDPR uses a broad definition of personal data. It’s generally any information that can identify a person, either directly or indirectly, such as:
- names, emails and phone numbers
- location data (including approximate location)
- IP addresses and device identifiers
- customer IDs, account logins and payment identifiers
- health information or other sensitive information (treated as higher risk)
If your business runs a website, collects enquiries, sells online, builds a mailing list, or uses analytics/advertising tools, you’re probably collecting some form of personal data.
How GDPR Interacts With Australian Privacy Law
Australia has its own privacy framework, mainly under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Many small businesses are exempt under the Privacy Act (for example, some businesses under $3M turnover), but that doesn’t automatically exempt you from GDPR.
GDPR is separate. If it applies to your business, you need to meet its requirements regardless of whether you’re technically an “APP entity” under Australian law.
That said, if you build privacy compliance properly, a lot of the fundamentals overlap: transparency, security, minimisation, and having clear documents in place (like a Privacy Policy).
Does GDPR Apply To Your Australian Business?
GDPR may apply if you:
- offer goods or services to individuals in the EU/EEA (even if you don’t charge money), or
- monitor the behaviour of individuals in the EU/EEA (for example, tracking online behaviour for analytics or targeted advertising).
It’s not just about where your business is located - it’s about where the individual is located when you collect or process their data.
Common Scenarios Where GDPR Can Apply
- You sell online internationally and accept EU shipping addresses or EU currencies.
- You run ads targeting EU customers (for example, campaigns aimed at France or Germany).
- Your website tracks EU visitors using cookies, pixels, analytics tools, or remarketing (noting cookie consent requirements often also involve the EU ePrivacy rules in addition to GDPR).
- You provide SaaS or digital services that EU users sign up to, even if your team is fully Australia-based.
Signs GDPR Probably Doesn’t Apply (But You Still Need Good Privacy Practices)
GDPR is less likely to apply if your business clearly does not target the EU and does not monitor EU individuals (for example, your services are local-only and you don’t knowingly take EU customers).
But even then, privacy compliance is still a commercial and risk issue. Customers expect responsible data handling, and a privacy incident can quickly become a reputational problem (and an operational one).
What Are The Key GDPR Obligations Small Businesses Should Understand?
GDPR compliance can get technical, but most small business owners can make strong progress by focusing on a few core principles.
1. Have A Clear “Lawful Basis” For Processing Data
Under GDPR, you can’t collect and use personal data just because it’s useful. You need a lawful basis, such as:
- Consent (the person actively agrees)
- Contract (you need the data to deliver the product/service)
- Legal obligation (you must process data to comply with law)
- Legitimate interests (your business has a genuine reason that isn’t overridden by the individual’s privacy rights)
For many small businesses, “contract” and “legitimate interests” are commonly relied on. Consent is important too, but it’s often misunderstood - GDPR consent is a higher standard than simply having a pre-ticked checkbox.
2. Be Transparent (Privacy Notices That Actually Match Your Practices)
GDPR expects you to tell people, clearly and up front, things like:
- what personal data you collect
- why you collect it (and your lawful basis)
- who you share it with (including service providers)
- how long you keep it
- how people can exercise their rights
This is where a tailored Privacy Collection Notice and privacy documentation become important, especially if you collect data through multiple channels (website forms, email marketing, customer accounts, booking tools, etc.).
3. Respect Individual Rights
GDPR provides a set of rights to individuals (often called “data subjects”), including:
- Right of access (they can ask what data you hold)
- Right to rectification (fix incorrect data)
- Right to erasure (in some cases, delete data - often called the “right to be forgotten”)
- Right to restrict processing (pause certain uses)
- Right to data portability (provide data in a usable format, where applicable)
- Right to object (especially to direct marketing)
For a small business, the practical challenge is usually operational: having a simple internal process so your team can recognise a request and respond within the required timeframes (often within one month, subject to extensions in limited circumstances).
4. Data Security And Breach Response
GDPR requires “appropriate technical and organisational measures” to keep personal data secure. What’s “appropriate” depends on your business, but small business essentials often include:
- strong passwords and multi-factor authentication (MFA)
- access controls (staff only access what they need)
- secure storage and backups
- vendor due diligence (knowing what your software providers do with data)
- a plan for data incidents (who does what, and when)
If a personal data breach happens, GDPR may require notification to a regulator (a supervisory authority) within 72 hours of becoming aware of the breach, unless it’s unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you may also need to notify affected individuals without undue delay. That’s why having a response plan matters before anything goes wrong.
5. Contracts With Suppliers (Especially If They Process Data For You)
If you use third parties to process personal data (like cloud platforms, email tools, CRMs, booking systems, outsourced support, marketing agencies), GDPR often requires you to have specific contract clauses in place with them.
These are commonly handled through a Data Processing Agreement (or data processing clauses in your main services agreement).
This is one of the areas where small businesses can accidentally fall short, because it’s easy to assume your vendor “handles compliance”. In practice, GDPR expects you to actively manage your vendor relationships.
6. International Data Transfers (Often Relevant For Australian Businesses)
If GDPR applies to your business, you also need to think about international data transfers. This can come up where personal data of EU/EEA individuals is accessed or stored outside the EU/EEA (for example, in Australia or the US) or where you use overseas SaaS providers.
Depending on the circumstances, GDPR may require you to implement an approved transfer mechanism (such as Standard Contractual Clauses) and take a risk-based approach to additional safeguards where needed.
7. EU Representative (Article 27) - Sometimes Required
Some non-EU businesses caught by GDPR also need to appoint an EU representative under Article 27. This is commonly relevant where you regularly offer goods/services to people in the EU/EEA or monitor their behaviour, and you don’t have an EU establishment.
There are exceptions (including some limited, low-risk situations), but if you have ongoing EU customers or active EU targeting, it’s worth getting advice on whether an EU representative is required for your business.
Step-By-Step: What Australian Small Businesses Should Do To Get GDPR-Ready
If you’re wondering where to start, these steps are a practical way to approach GDPR without turning it into a never-ending project.
Step 1: Work Out Whether GDPR Applies (And How)
Start with a simple risk check:
- Do you have EU customers or users?
- Do you market to EU regions or use EU languages/currencies?
- Do you track EU website visitors for analytics/ads (and if so, do ePrivacy-style cookie consent requirements apply)?
- Do you store or process EU customer data in your systems?
If the answer is “yes” to any of these, GDPR compliance is worth taking seriously (even if you’re not sure how strong the connection is).
Step 2: Map Your Data (So You Know What You’re Responsible For)
Many privacy issues come down to one thing: you can’t protect what you can’t see.
Create a simple data map that lists:
- what personal data you collect (customer details, employee data, marketing leads, website analytics)
- where it comes from (forms, checkout, email, third parties)
- where it is stored (platforms, shared drives, inboxes)
- who you share it with (vendors and contractors)
- how long you keep it (and why)
This step will usually reveal quick wins, like turning off unnecessary data collection or tightening access to sensitive information.
Step 3: Update Your Website Privacy Compliance
For many small businesses, your website is the main “front door” for personal data.
Make sure you have:
- a clearly written Privacy Policy that reflects what you actually do
- appropriate cookie disclosures and, where needed, consent tools supported by a Cookie Policy (noting that cookie consent rules can be driven by the EU ePrivacy regime as well as GDPR, depending on what cookies/tracking you use)
- clear website rules and acceptable use expectations in your Website Terms and Conditions
Also check your forms. If you collect enquiries, sign-ups, or bookings, think about what you really need to ask for - and make sure your privacy messaging is visible at the point of collection.
Step 4: Clean Up Your Marketing Practices
GDPR has strict expectations around marketing, especially email marketing and behavioural advertising.
Practically, you should:
- avoid pre-ticked consent boxes
- keep evidence of consent where you rely on it
- make unsubscribing easy and actually honour opt-outs
- be careful with purchased lists (these are often high-risk)
In Australia, you also need to think about the Spam Act and general marketing compliance, which is why it’s worth aligning your approach with email marketing laws as part of the same compliance project.
Step 5: Put The Right Contracts In Place With Your Team And Suppliers
GDPR compliance isn’t only a website issue - it’s an operational issue.
Depending on how your business runs, you may need to review and update:
- contracts with vendors who process personal data (often supported by a Data Processing Agreement)
- contractor arrangements, especially where contractors access customer databases
- internal policies around access control, security, and incident reporting
This is also where having a clear process for handling access/deletion requests becomes important, so requests aren’t missed in someone’s inbox.
Step 6: Create A Simple GDPR Request Workflow
You don’t need a huge legal team to handle GDPR rights requests - but you do need a repeatable process.
A workable small business workflow usually includes:
- a dedicated email address or form for privacy requests
- basic identity verification steps (so you don’t disclose data to the wrong person)
- a checklist for what systems to search (CRM, email marketing, support desk, order system)
- template responses your team can use
- a tracking log so nothing slips through
Step 7: Get Targeted Legal Help Where Needed
Some GDPR issues get complex quickly - especially international data transfers, vendor contracting, EU representative requirements, and consent requirements for online tracking (which can also be affected by ePrivacy rules).
If you want a structured approach, a dedicated GDPR package can help you identify gaps and implement the right documents and processes without guessing.
Common GDPR Traps For Small Businesses (And How To Avoid Them)
In practice, we often see the same issues come up for Australian small businesses that are growing online.
Assuming “Small Business” Means “Exempt”
Even if you’re small, GDPR can still apply based on your customers and activity - not just your revenue or headcount.
If you are actively selling to EU customers, it’s safer to assume GDPR is relevant and take reasonable compliance steps.
Copying A Template That Doesn’t Match What You Actually Do
A privacy policy that doesn’t reflect your real practices can create risk, because GDPR is heavily focused on transparency and accuracy.
This is why it’s important that your Privacy Policy and related notices match your actual data flows, systems, and marketing practices.
Forgetting About Contractors And Agencies
Many small businesses outsource parts of marketing, customer support, admin, or development.
If those people can access personal data, you need to manage that access properly and document the relationship. GDPR expects you to know who has your customers’ data and why.
Not Thinking About Cookies And Tracking Tools
If your website uses analytics and advertising tools, it’s easy to “set and forget” the setup.
But GDPR places special scrutiny on tracking and profiling, and cookie consent can also be driven by EU ePrivacy rules depending on how your site uses cookies and similar technologies. A clear Cookie Policy and a consent approach that fits your audience can reduce risk and avoid customer complaints.
Key Takeaways
- The GDPR can apply to Australian small businesses if you offer goods/services to people in the EU/EEA or monitor their behaviour online.
- GDPR personal data is broad and can include everyday business data like emails, IP addresses, customer IDs and online tracking identifiers.
- Practical GDPR compliance starts with knowing whether it applies to you, mapping your data, and being transparent with customers through privacy documents.
- Strong contracts with suppliers and service providers matter, especially when third parties process personal data on your behalf.
- Website compliance (privacy policy, cookie disclosures, and marketing settings) is often the quickest place for small businesses to reduce GDPR risk - but cookies/tracking may also involve EU ePrivacy consent requirements.
- Putting a simple workflow in place for GDPR requests and breach response helps your team handle issues quickly and consistently (including the 72-hour regulator notification rule where it applies).
- If GDPR applies, consider whether you need an EU representative and whether your cross-border data flows require an approved international transfer mechanism.
If you’d like help getting your business GDPR-ready, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.