23 October 2018

Data breaches and the GDPR – the new frontier of privacy regulation in Australia

In Australia, as well as internationally, this year has brought significant developments in the area of privacy regulation that may affect your business. Two areas of privacy compliance in particular that Australian businesses need to understand and respond to are:

  • the Notifiable Data Breaches Scheme (NDB Scheme); and
  • the European Union’s General Data Protection Regulation (GDPR).

The Notifiable Data Breaches Scheme

The NDB Scheme, which commenced in February this year, sets out requirements for when and how an entity should respond to an eligible data breach (as reported in detail in our previous update).

The NDB Scheme introduced an obligation to notify the Australian Information Commissioner (Commissioner) and any individual whose personal information was involved in a data breach (for example, where personal information is lost or stolen due to hacking), in circumstances where it is likely that the data breach will result in serious harm to the individual. The Commissioner then has the power to determine whether any further steps are necessary.

Since the NDB Scheme commenced, 305 eligible data breaches have been reported to the Commissioner. Malicious or criminal attacks (such as cyber theft or hacking) caused the largest number, followed by human error.

The Commissioner identified that the risks of these types of data breaches can be reduced by ensuring employees responsible for handling personal information receive regular training.

As well as being mindful of notification obligations should a data breach arise, it is incumbent upon businesses to ensure they have adequate security measures in place to protect the personal information of key stakeholders, such as customers and employees.

Hall & Wilcox can assist you to prepare data breach response plans, review privacy and security governance arrangements and train your employees on your business’ obligations and general security obligations. We can also manage the process and advise on legal exposures should your business suffer a data breach.

The EU’s General Data Protection Regulation

On 25 May 2018, the GDPR commenced operation. In terms of privacy regulation, there is a widely held view that the EU has set the global high-water mark, with the GDPR offering individuals in the EU an unprecedented level of privacy protection.

Australian businesses may need to comply with the GDPR if they:

  • have an establishment in the EU; or
  • do not have an establishment in the EU, but offer goods and services to individuals in the EU or monitor the behaviour of individuals in the EU.

With European regulators having the power to impose huge fines on businesses found to be in contravention of the GDPR (up to 4% of annual worldwide turnover), this is an area of privacy regulation you need to be aware of. We can assist you to navigate the new frontier of privacy regulation where international privacy laws can significantly affect Australian businesses.


Alison has close to 18 years’ experience in a wide-ranging employment practice, advising private sector and public sector clients on all aspects of employment, industrial relations and human resources law, and work health and safety law...

Jessica practices in employment and workplace relations law and provides strategic advice to clients across a range of industries.