General Data Protection Regulation (GDPR) came into effect on 25 May 2018. This landmark legislation protects the personal information and privacy of European Union (EU) citizens, with strict requirements for how organisations handle their data.

So, why should Australian businesses pay attention to GDPR in 2025?

Because it’s not just for EU-based companies. If your business interacts with EU residents or entities—whether through offering products or services, or simply collecting email addresses—GDPR applies to you. Fail to comply and you could face substantial fines and reputational damage.

This blog unpacks GDPR in Australia. While not intended to be legal advice, it will give you the insights needed to better understand this regulation. From its core principles to its impact on your business, we’ll guide you through the essentials.

Keep reading to learn what these data privacy laws involve, whether they affect your business and the next steps to take if they do.

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU law that reshapes how businesses handle personal information. It sets strict standards for collecting, using, and storing data to protect the privacy and security of EU users.

GDPR also empowers people with greater control over their personal data, requiring businesses to obtain explicit consent before processing it.

But what qualifies as “personal data”?

This umbrella term covers a wide range of information that can identify a person, including:

  • Basic details like names, birth dates, addresses, phone numbers, and identification numbers
  • Medical records, genetic information, and biometric data
  • Online identifiers such as IP addresses, geolocation data, RFID tags, and cookie data
  • Sensitive categories like racial or ethnic background and sexual orientation
  • Employment records and job applicant information
  • Photos, videos, and other media
  • Political views and affiliations
  • Financial data, including credit card numbers, bank details, and tax IDs
  • Usage data from online services, such as browsing habits and cookie preferences
  • Customer comments, feedback, and support requests

By enforcing these protections, GDPR shifts the responsibility to businesses, ensuring that data is dealt with responsibly and individuals’ rights are respected.

Does GDPR apply in Australia?

Yes, in some cases. Since GDPR is an EU regulation, it’s easy to think it doesn’t apply to businesses in Australia.

However, GDPR requirements extend beyond Europe, impacting any company that handles the personal data of EU individuals, wherever it is in the world.

That means if your Australian business has customers in the EU, or your advertising targets users in the EU, you must comply with GDPR. Even if you don’t directly collect data from EU individuals, your business might still be affected due to agreements with EU-based suppliers or clients.

Still not sure if these regulations apply?

Your business needs to follow GDPR principles if it:

  • Sells products or services to EU residents
  • Ships orders to customers in the EU
  • Lists prices in Euros or other currencies of EU member states
  • Markets in an EU language (other than English)
  • Tracks EU residents’ behaviour, such as using cookies for ad targeting or profiling
  • Has any office, branch, or registered company in the EU
  • Uses EU customer reviews or testimonials on your website
  • Collects email addresses from EU residents
  • Manages personal data related to EU residents, such as for customer support

Importantly, GDPR compliance regulations only apply to the data of EU individuals. While you could apply GDPR standards solely to EU data, it may be easier to adopt the same processes for all personal data. That way, you can ensure consistency and reduce complexity.

Does GDPR apply to apps as well as websites?

Yes, GDPR applies to both websites and apps.

If you’re an app developer, here’s what you should focus on to stay compliant:

  • Limit the personal data your app collects to only what’s necessary
  • Obtain clear consent from users before accessing their data
  • Use secure communication methods like HTTPS and encrypt user information
  • Keep your User Terms up to date and ensure users acknowledge them

These steps help safeguard user privacy and meet GDPR standards, whether you’re developing for the web or mobile devices.

A word on domain privacy and GDPR

Before GDPR, if you registered a domain without privacy protection, your contact details were displayed on the public WHOIS directory for anyone to access. GDPR changed the game by requiring businesses to leave this information out, showing only the state of registration.

However, even with WHOIS data hidden from the general public, some approved vendors can still access details linked to your domain—like your name, contact information, and address—for marketing purposes.

That’s where domain privacy steps in.

To keep your business details under wraps and avoid a flood of unsolicited calls and emails, it’s wise to opt for domain privacy when registering your domain name.

The difference between the GDPR and data protection laws in Australia

Though Australia’s privacy laws and the GDPR share common goals around protecting personal data, the two are quite different in their details and enforcement.

Australia’s regulations are governed by the Privacy Act (1988), which includes a set of guidelines known as the Australian Privacy Principles (APPs). These principles establish rules for data protection, transparency, and direct marketing practices.

While both GDPR and the Privacy Act address similar issues, key differences set them apart:

Applicability

GDPR applies to all businesses that process the personal data of EU individuals, no matter their size or location. On the other hand, Australia’s Privacy Act primarily applies to government agencies and businesses with an annual turnover of over $3 million. Smaller businesses may not be subject to the same requirements.

Consent requirements

GDPR has stricter consent standards, demanding “express” consent for data collection, sharing, and use. Meanwhile, the Privacy Act allows for either “implied” or “express” consent.

Individual rights

GDPR grants broader rights to individuals, including the “right to be forgotten,” allowing people to request that their personal information be deleted. The Privacy Act doesn’t provide this level of control over personal data.

The key takeaway?

Relying solely on compliance with the Privacy Act could leave your business exposed.

Read on to find out the consequences of failing to comply with this EU regulation.

What are the penalties for falling out of GDPR compliance in Australia?

GDPR violations can come with hefty fines—up to 4% of your company’s global revenue from the previous year or €20 million, whichever hits harder.

Plus, if you’re based outside the EU, you’ll need an in-region representative to manage data protection matters. If your business falls out of line, penalties could be enforced through this designated contact.

That’s why meeting GDPR compliance requirements is essential to avoid a costly wake-up call.

Keep reading to discover how your business can stay compliant.

GDPR compliance checklist for businesses in Australia

If your Australian business handles personal data from EU residents, meeting GDPR requirements is essential. From how data is managed to how breaches are reported, compliance ensures you stay on the right side of the law and maintain customer trust.

Here’s a handy checklist to help your business comply with GDPR in Australia:

Check whether GDPR applies to your business

Your business must comply with GDPR if it collects personal data and meets any of the following criteria:

  • Operates within the European Union (EU), regardless of where its customers are based.
  • Offers goods or services to individuals located in the EU.
  • Tracks or analyses the behaviour of people within the EU.

If your business falls into any of these categories, GDPR compliance is essential.

Confirm whether your business is a data controller or a data processor

Your business’s responsibilities under GDPR will vary depending on whether you are a data controller or a data processor. Understanding your role is essential for meeting compliance requirements.

A data controller is any entity—be it an individual, organisation, public authority, or agency—that decides why and how personal data is collected and used.

For instance, if your business collects customer names and email addresses to send newsletters, you’re acting as a data controller. You determine the purpose (sending newsletters) and the means (collecting personal information).

A data processor, on the other hand, is an entity that handles personal data on behalf of a controller. This can include companies providing storage, data organisation, or communication services.

For example, major data processors include Salesforce, Klaviyo and Google Drive.

Importantly, processors don’t determine the purpose of the data they handle but instead act under the instructions of a controller.

Determine your legal duties

For Australian website owners, navigating the maze of legal obligations can be daunting. It starts with understanding the laws that apply to your business, crafting a checklist of requirements, and embedding key elements like privacy policies and terms of use into your website.

But compliance isn’t a one-and-done task—it’s an ongoing process that requires regular updates to reflect changing regulations.

Collaborating with legal professionals during the development phase can save you from future headaches, ensuring your website meets all necessary standards from day one.

Platforms like WordPress also simplify this journey by offering templates, plugins, and tools tailored for compliance. These resources make it easier to implement essential features while keeping your site user-friendly and secure.

By staying informed and leveraging these tools, you can confidently adapt to evolving legal landscapes and maintain a compliant, trustworthy online presence.

Let’s take a look at the responsibilities of data controllers versus data processors when it comes to complying with GDPR in Australia.

Data controllers

If your business is a data controller, GDPR sets out clear responsibilities to ensure personal data is handled securely and ethically. Essentially, you must:

  • Only work with processors under a written agreement that includes:
    • Processing personal data solely based on the controller’s instructions.
    • Ensuring robust security measures to protect the data.
    • Imposing confidentiality obligations on anyone handling the data.
    • Complying with additional GDPR requirements to maintain lawful processing.
  • Protect personal data “by design” and “by default.” This means making privacy a key part of how your systems and processes are set up and ensuring the highest level of privacy protection is always applied.

If you’re using new technologies to process personal data, and there’s a high risk to individuals’ rights and freedoms, you’ll need to carry out a Data Protection Impact Assessment (DPIA). This helps you identify and address potential risks to keep people’s data safe.

Data processors

Back in the day, data processors just had to follow contracts with data controllers, with no major legal obligations of their own. GDPR has changed this dynamic significantly:

  • If you, as a processor, decide how and why data is used, you’ll be treated as a controller for that specific activity.
  • You now have to keep clear records of any processing you do for controllers, including all the key details GDPR requires.
  • If GDPR says a Data Protection Officer (DPO) is needed, processors need one too.

You’ll also need to revise your Data Processing Agreement (DPA) to comply with GDPR requirements when working with EU customers. Your agreement must include specific provisions, such as:

  • Only handling data as per your customer’s instructions.
  • Implementing robust security measures to safeguard data.
  • Notifying your customers of a data breach as soon as possible.
  • Helping with DPIAs and other compliance-related activities.

These new rules make it clear that processors play a big role in protecting personal data. Getting these basics right isn’t just about following the law—it’s about showing your customers they can count on you to keep their data safe.

Engage an EU representative

If your business is subject to GDPR because you offer goods or services to individuals in the EU or track the behaviour of EU residents, you’ll need to appoint an EU representative.

Having an EU representative ensures your business can effectively communicate with EU authorities and individuals regarding data protection matters, helping you stay compliant with GDPR.

Importantly, you’re not required to have a representative in every EU member state where you operate. Instead, appointing a single representative within the EU is sufficient to meet this requirement.

Lastly, you don’t need to appoint an EU representative if your business:

  • Is a public authority; or
  • Processes personal data only occasionally, and the data processing doesn’t involve sensitive information (like special category data or criminal records) or pose a risk to individuals’ rights and freedoms.

Review data collection and storage practices

If your business collects and processes personal data, it’s time to take a closer look at your practices. Conducting a detailed audit is a critical step toward GDPR compliance and gives you a clear picture of how data flows through your business.

Start by creating a spreadsheet that captures two key areas:

  • Where you collect personal data (columns)
  • How that data is handled and used (rows)

You might be gathering data from several sources without even realising it. Think about:

  • Email marketing and lead capture forms
  • Customer inquiries and phone calls
  • E-commerce transactions and credit card payments
  • Shipping and delivery details
  • Account setups and registrations
  • Contests, surveys, or giveaways
  • Ads, cookies, and website analytics
  • Troubleshooting and support requests
  • Two-factor authentication processes
  • Job applications

For every type of data you collect, consider:

  • What’s collected? (e.g., names, email addresses, payment details)
  • Why is it collected? (e.g., to process orders, send newsletters)
  • Is it secure when collected? (e.g., HTTPS encryption)
  • Is it necessary? (e.g., billing info for payments)
  • Can users opt out? (Yes/No)
  • Who has access? (e.g., customer service, marketing)
  • Is it shared with others? (Yes/No and who)
  • Is it stored safely? (e.g., encrypted databases)
  • How long is it kept? (e.g., 12 months post-purchase)
  • Can users manage their data? (e.g., update, export, delete)

Once you’ve completed this data audit, you’ll have a clear overview of all the personal information you collect, use, and share.

Take appropriate data protection measures

When it comes to personal data, it’s your responsibility to keep it secure and demonstrate that you’re following best practices. Here’s how to level up your data protection:

  • Restrict access to only those who need it, and keep a detailed log of who accessed what and when.
  • Use strong, unique passwords and update them regularly to keep accounts safe.
  • Secure data transmission with protocols like HTTPS to protect information in transit.
  • Encrypt sensitive data, such as passwords, to prevent unauthorised access.
  • Ensure safe credit card transactions by following standards like PCI-DSS.
  • Anonymise IP addresses in tools like Google Analytics to protect user identities.
  • Declutter your databases by regularly deleting outdated or unused data.

If you rely on third-party providers—whether it’s cloud storage, software tools, or subcontractors—you’re accountable for their compliance too. Choose partners who can prove they meet GDPR requirements, ideally with a Certificate of Compliance. Don’t forget to update your Data Processing Agreements (DPAs) to include all necessary GDPR clauses.

Transferring personal data internationally?

GDPR only permits transfers to countries that offer “adequate” data protection. While the EU hasn’t deemed Australia “adequate,” you can stay compliant by using secure methods and ensuring your contracts include strict data protection safeguards, most commonly through what are known as Standard Contractual Clauses (SCCs).

Provide staff training and share a GDPR manual

Training your staff and providing them with a comprehensive privacy compliance manual are key steps toward effective GDPR compliance.

After all, your team will often be the first point of contact for individuals exercising their GDPR rights, such as accessing or deleting their data. Therefore, making sure everyone is well-informed about these rights and how to respond appropriately is crucial.

A clear and accessible manual about GDPR in Australia will serve as a valuable resource for employees, helping them navigate privacy regulations confidently and consistently.

Insist on using Confidentiality Agreements

Employees and subcontractors who handle or process personal data should also sign a Confidentiality Agreement.

This demonstrates your commitment to safeguarding personal data and ensures everyone understands the critical importance of maintaining privacy and security within your organisation.

Create a solid Security Breach Response Plan

Under GDPR, any security breach that exposes personal data must be reported to both the affected individuals and the relevant supervisory authority within 72 hours.

To stay compliant, you’ll also need to maintain a detailed register of all breaches, regardless of their severity. To do this, having a robust, documented plan in place is essential. Your plan should outline clear processes for identifying, reporting, managing, and resolving data breaches.

That way, your team can act quickly and effectively to minimise damage, maintain compliance, and protect the trust of your customers.

Update your Privacy Policy

If your business falls under the scope of GDPR, it’s time to revisit your privacy policy. While those already compliant with the Australian Privacy Act 1988 (Cth) may only need minor adjustments, every business must ensure its policy is crystal clear and GDPR-ready.

Your privacy policy should be straightforward and transparent, explaining what personal information you collect, why you collect it, and how it’s used.

Here are some key updates to consider:

  • State that your data handling complies with GDPR requirements.
  • Note that individuals aged 16 and over can consent to data processing, while younger users need parental or guardian approval.
  • Highlight that EU residents have the right to:
    • Access their data.
    • Request data deletion (“right to be forgotten”).
    • Restrict how data is processed.
    • Transfer their data to another provider.

Your terms and conditions may also need an overhaul to reflect GDPR requirements. Aligning these with your updated privacy practices ensures everything works together seamlessly.

Let website visitors know that you use cookies

Cookies are the backbone of many online experiences—helping autofill forms, track user behaviour, deliver personalised ads, and support conversion tracking and remarketing campaigns.

You’ve likely seen the familiar pop-up: “This website uses cookies. Click to continue.”

But GDPR raises the bar. Now, it’s no longer enough to quietly use cookies; you need to tell visitors what’s going on.

You’re expected to inform users how to manage or opt out of cookie usage, typically through browser settings or a dedicated opt-out option. While opt-out tools aren’t yet universal, this could change as privacy expectations grow.

Many businesses are refreshing their cookie notifications with plain English explanations like:

“We use cookies to improve your experience, personalise content and ads, and analyse traffic. Some of this information is shared with our social media, advertising, and analytics partners. By continuing to browse, you consent to the use of cookies.”

Others go the extra mile by publishing dedicated Cookie Policies that detail:

  • What types of cookies are in use
  • What third-party services are involved
  • Exactly what data the cookies track

You’ll also need to include a privacy notice every time you gather personal information, like with cookies.

Under GDPR, consent must be explicit and unmistakable. Unlike the implied consent accepted under the Privacy Act (e.g., filling out a form), GDPR demands a clear affirmative action, such as clicking an “I agree” checkbox.

Make sure your customers actively confirm that they:

  • Consent to your collection of their data
  • Have read and agree to your updated privacy policy
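The consent logic behind a cookie banner, written as plain functions so it runs under Node.js as well as in the browser. This is an added example and not code from the original post; the cookie catalogue, the category names, the consent-record shape and the element ids in the browser wiring are assumptions. In line with the affirmative-action requirement above, consent is recorded only from a click on "I agree", never from continued browsing or a pre-ticked box, and the record keeps the policy version and time so the business can show what was agreed to.

```javascript
// Added example, not code from the original post: cookie consent logic.
// The catalogue, category names, consent-record shape and element ids used
// in the browser wiring are assumptions for this example.

// Every cookie the site sets, with the details a Cookie Policy has to disclose.
const COOKIE_CATALOGUE = [
  { name: 'session_id', category: 'essential', purpose: 'keeps you signed in', provider: 'this site' },
  { name: '_ga', category: 'analytics', purpose: 'measures site traffic', provider: 'Google Analytics' },
  { name: '_fbp', category: 'advertising', purpose: 'ad targeting and remarketing', provider: 'Meta' },
];
const OPTIONAL_CATEGORIES = ['analytics', 'advertising'];

// State before the visitor has acted: nothing optional is on.
function defaultConsent() {
  return { given: false, categories: { analytics: false, advertising: false } };
}

// Record consent only from a clear affirmative action. Scrolling, continuing
// to browse or a timeout is rejected, and a category the visitor left unticked
// is recorded as "no". Policy version and timestamp are kept as proof.
function recordConsent({ action, choices = {}, policyVersion, at }) {
  if (action !== 'click_agree') {
    throw new Error(`"${action}" is not an affirmative action; no consent recorded`);
  }
  const categories = {};
  for (const category of OPTIONAL_CATEGORIES) {
    categories[category] = choices[category] === true;
  }
  return { given: true, categories, policyVersion, at };
}

// Which cookies the page may set right now, given the stored consent.
function allowedCookies(consent) {
  return COOKIE_CATALOGUE
    .filter(c => c.category === 'essential' || (consent.given && consent.categories[c.category]))
    .map(c => c.name);
}

// Withdrawing must be as easy as consenting: reset to the default state and
// report which cookies the page now has to delete.
function withdrawConsent(consent) {
  const before = allowedCookies(consent);
  const after = defaultConsent();
  const keep = new Set(allowedCookies(after));
  return { consent: after, toDelete: before.filter(name => !keep.has(name)) };
}

// Rows for a Cookie Policy page, generated from the same catalogue the banner
// uses so the published policy cannot drift from what the site actually sets.
function cookiePolicyRows() {
  return COOKIE_CATALOGUE.map(c => [c.name, c.category, c.purpose, c.provider]);
}

// Browser-side wiring (assumption: an "I agree" button with id "cookie-agree"
// and one checkbox per optional category with id "consent-<category>").
// Guarded so the same file also runs under Node.js.
if (typeof document !== 'undefined') {
  document.getElementById('cookie-agree').addEventListener('click', () => {
    const choices = {};
    for (const category of OPTIONAL_CATEGORIES) {
      choices[category] = document.getElementById(`consent-${category}`).checked;
    }
    const consent = recordConsent({
      action: 'click_agree',
      choices,
      policyVersion: '2025-01',
      at: new Date().toISOString(),
    });
    localStorage.setItem('cookieConsent', JSON.stringify(consent));
    // Only now load the analytics/advertising tags for allowedCookies(consent).
  });
}
```

The important design point is that analytics and advertising tags are loaded only after `allowedCookies` says so; a banner that shows a notice while the tags have already fired does not meet the explicit-consent standard described above.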

Give the opportunity to update, move and delete data

Under GDPR, your customers have the right to review, update, transfer, or delete any personal information your business holds about them—and it’s your job to make that as seamless as possible.

Consider providing a self-service option, like an online portal where users can easily access and manage their data. Alternatively, you can offer a request-based system where customers reach out via email to make changes.

Whatever approach you take, the key is simplicity. A hassle-free, responsive process not only ensures compliance but also builds trust by showing customers you take their data rights seriously. Make it easy for them to take control.
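Request handlers for the review, update, transfer and delete rights described above, run against a constructed in-memory store in which one customer's data is spread over several tables. This is an added example, not code from the original post; the table names, fields, the list of updatable fields and the rule that order records are de-identified rather than deleted (so transaction history can be kept for the business's own retention period without pointing at a person) are assumptions. Each request is logged with the internal customer id only, so the request log does not become a second copy of the data the customer asked to have erased.

```javascript
// Added example, not code from the original post: handlers for access /
// portability, rectification and erasure requests. Table names, fields and the
// de-identification rule for orders are assumptions for this example.

// Constructed sample data: customer details spread over three "tables".
const db = {
  customers: [
    { id: 'c-1001', name: 'Ana Example', email: 'ana@example.com', phone: '+61 400 000 000' },
    { id: 'c-2002', name: 'Ben Example', email: 'ben@example.com', phone: '+61 400 000 001' },
  ],
  orders: [
    { id: 'o-1', customerId: 'c-1001', total: 42.0 },
    { id: 'o-2', customerId: 'c-2002', total: 10.5 },
  ],
  newsletter: [{ customerId: 'c-1001', subscribed: true }],
};

// Every request is logged with the internal id only, never the personal data.
const requestLog = [];
function logRequest(type, customerId, detail) {
  requestLog.push({ at: new Date().toISOString(), type, customerId, ...detail });
}

const UPDATABLE_FIELDS = ['name', 'email', 'phone']; // assumption: what a customer may change

function findCustomer(email) {
  const customer = db.customers.find(c => c.email.toLowerCase() === email.toLowerCase());
  if (!customer) throw new Error('no customer record for that email address');
  return customer;
}

// Right of access and portability: everything held about the person, as a
// structured, machine-readable bundle they can take to another provider.
function exportData(email) {
  const customer = findCustomer(email);
  const bundle = {
    exportedAt: new Date().toISOString(),
    customer: { ...customer },
    orders: db.orders.filter(o => o.customerId === customer.id).map(o => ({ ...o })),
    newsletter: db.newsletter.filter(n => n.customerId === customer.id).map(n => ({ ...n })),
  };
  logRequest('access', customer.id, {});
  return JSON.stringify(bundle, null, 2);
}

// Rectification: apply only the whitelisted fields and ignore anything else
// (so a request body cannot rewrite the id or other internal fields).
function updateData(email, changes) {
  const customer = findCustomer(email);
  const applied = [];
  for (const field of UPDATABLE_FIELDS) {
    if (field in changes) {
      customer[field] = changes[field];
      applied.push(field);
    }
  }
  logRequest('rectify', customer.id, { fields: applied });
  return applied;
}

// Erasure ("right to be forgotten"): remove the identifying records across all
// tables. Orders are kept but de-identified (assumption about retention
// policy), so the transaction history no longer points at a person.
function eraseData(email) {
  const id = findCustomer(email).id;
  const before = { customers: db.customers.length, newsletter: db.newsletter.length };
  db.customers = db.customers.filter(c => c.id !== id);
  db.newsletter = db.newsletter.filter(n => n.customerId !== id);
  let orders = 0;
  for (const order of db.orders) {
    if (order.customerId === id) {
      order.customerId = null;
      orders += 1;
    }
  }
  const records = {
    customers: before.customers - db.customers.length,
    newsletter: before.newsletter - db.newsletter.length,
    orders,
  };
  logRequest('erase', id, { records });
  // The receipt is what you send back to the customer and keep as evidence.
  return { erasedAt: new Date().toISOString(), customerId: id, records };
}
```

Whichever channel the request arrives through (portal or email), the handler should run only after the requester's identity has been verified, and the same three functions serve both channels so the process stays consistent.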

Keep your website GDPR compliant with Redback

Keeping up with data protection and privacy laws is non-negotiable. When it comes to GDPR in Australia, any business that engages with EU residents must comply. Regular data audits, updated privacy policies, careful monitoring of data practices, and swift issue resolution are essential steps to align with GDPR.

By staying proactive, Australian businesses can confidently meet international standards, protect their operations, and strengthen trust with customers in an increasingly privacy-conscious world.

At Redback, we build modern, high-performance websites for clients all over the world. Many of our clients welcome EU website visitors, so we’re well-versed in GDPR requirements.

While we don’t offer legal advice, we can help you implement GDPR best practices, such as updating your privacy policy and keeping data secure.

For start-to-finish support with your website, call (02) 4962 2236 or enquire online today.
