Australia's evolving privacy regime


Recent significant changes to Australia's privacy and data protection regime bring our legislation more closely into line with international standards. As a result, many Australian agencies and organisations are now subject to new compliance obligations under the Notifiable Data Breaches (NDB) scheme, and to increased scrutiny.

Navigating these obligations, together with the additional implications of the upcoming European General Data Protection Regulation (GDPR), is a must for any organisation seeking to manage the ongoing and complex privacy and data security issues that businesses face today.


Australia's NDB scheme: the first six weeks

2018 Privacy changes at a glance

Is my organisation affected? 

You are affected by the NDB Scheme if your organisation

  • Must comply with the Australian Privacy Principles in the Privacy Act 1988
  • Is a credit provider or credit reporting body
  • Holds tax file numbers.

Separately, your Australian business is subject to the GDPR if it:

  • Has an establishment in the EU
  • Processes the personal data of individuals in the EU in connection with offering them goods or services
  • Monitors the behaviour of individuals in the EU, for example by profiling them online through websites or apps.

Is my organisation prepared?

Have a detailed privacy framework in place that includes a tested data breach response plan, and ensure the framework is GDPR compliant where the GDPR applies to you.

You would benefit from an assessment of your current privacy framework if you are unsure of the answers to one or more of the questions below.

  1. How does my organisation document and store data about our consumers (including EU residents)?
  2. Have our supplier contracts been reviewed to reflect new privacy regulations?
  3. Who is in my organisation’s data breach response team and what are their respective roles? What is our first step in the event of a data breach?

Tips for building a privacy framework in your organisation

1. Know your data

Identify the ‘critical data assets’ you keep within your organisation, how they are stored and where they are located.

2. Have detailed procedures and policies

Ensure these include a complaints handling system and a data breach response plan that involves your C-Suite, IT, human resources, legal and public relations departments.

3. Provide regular training

Staff must receive regular training and updates to ensure they are aware of your organisation’s compliance obligations (including the new, more stringent requirements under GDPR).

Consequences of non-compliance

For organisations subject to the NDB Scheme:

  • Investigation by the Privacy Commissioner
  • Regulatory action
  • Civil penalties of up to A$2.1m for a body corporate (for serious or repeated interferences with privacy)

For organisations subject to GDPR:

  • Regulatory action
  • Extraterritorial enforcement by the data protection authorities (DPAs) of EU member states
  • Fines of up to EUR 20m or 4% of annual worldwide turnover, whichever is higher (in the most serious cases)

For Australian Government agencies subject to the Australian Government Agencies Privacy Code (AGAP Code):

  • Compliance is subject to the OAIC's usual regulatory action policy
  • The OAIC will assist and educate agencies on compliance in the first year, with stronger enforcement after that

We offer a number of solutions tailored to your organisation's needs, including:


Comprehensive privacy advisory

Front-end advice on enterprise-wide privacy compliance, including managing sensitive information, marketing campaigns and branding activities, surveillance, handling investigations and complaints, reviewing privacy and credit reporting policies and collection notices, conducting Privacy Impact Assessments and audits, reviewing vendor contracts and privacy/data breach response clauses, and assessing whether the GDPR applies to you.

Protecting and enhancing your information assets

Help your organisation develop or update its information management and risk framework so that it manages, protects and enhances data across the full data life cycle, as well as in specific projects and campaigns. This includes due diligence, M&A activity, big data analytics and technological developments, NDAs and breach of confidence, developing cyber resilience, and data security health checks.

Data breach response planning

Work with your organisation to develop a comprehensive data breach response plan (covering cyber breaches as well as other breaches), help allocate roles and responsibilities, and develop the processes and checklists that will help you meet your obligations in the event of a data breach.

Data breach support and post-breach training

Help your organisation, when in crisis, respond to investigations, regulatory action and data security breaches in a way that protects the business, minimises serious harm to customers, and mitigates financial and reputational damage. Post-breach and post-investigation training and review ensure your organisation addresses data security and privacy risks going forward.

Safetrac training modules

Ensure your staff are privacy-aware through our e-learning courses focusing on privacy, the NDB scheme and the GDPR. Some courses have been specially tailored for Queensland and Victorian government departments.
