Lawpath Blog
What Types of Businesses Are Subject to the GDPR?

What Types of Businesses Are Subject to the GDPR?

The General Data Protection Regulation (GDPR) harmonises data privacy laws in Europe. However, only specific types of businesses need to comply with it.

15th October 2019
Reading Time: 2 minutes

The GDPR reshaped the way data protection and privacy is handled across the European Union (EU) and European Economic Area. The regulation has been in force since May 2018.

GDPR and Australian Businesses

The initial perception may be that any business with headquarters in Australia would not be subject to the regulations of the GDPR. This is not strictly accurate. Any Australian business regardless of size will need to be compliant if they have any establishment within the EU. This includes entities which offer goods and services in the EU or otherwise deal with any personal data. Subsequently, all Australian companies with a presence in the EU should closely evaluate if they need to take steps to comply with the personal data practices of the GDPR. A good place to start regarding compliance with data privacy regulations is to ensure you have an up to date privacy policy (opens in a new tab)” href=”” target=”_blank”>privacy policy in place.


The nature of your business’ operations and not its size will determine whether you fall under the data protection regulation or not. When an organisations’ operating activities present a high risk to individuals’ rights and freedoms they will trigger more stringent rules. Conversely, not all SME’s will be subject to the GDPR obligations in their entirety.


For example, organisations don’t have to keep records of their processing activities when they have less than 250 employees. However, if processing personal data is a regular activity or the process poses a threat to individuals’ rights and freedoms, than the entity must keep records. This is also the case where the data is sensitive in nature.

Similarly, SME’s are only required to appoint a data protection officer if processing personal data is their main business and poses specific threats to the individuals’ freedoms. An example of this involves monitoring individuals or processing sensitive data such as criminal records. Where personal data is involved on a large scale, this becomes particularly true. The Office of the Australian Information Commissioner (OAIC) has more detailed information regarding the GDPR if you need more clarity.

Data concerning companies?

The GDPR exclusively applies to personal data regarding individuals. They don’t govern data concerning companies or other legal entities. However, where information relates to one person companies such as a sole trader the rules may still apply. This is an important distinction and will only occur if the personal data in question allows the identification of a natural person.

Conclusion of GDPR

Ultimately, the GDPR can apply to Australian businesses who deal with any personal data in the EU. Fundamentally, the more personal information an organisation deals with the more stringent the regulations will be. At the end of the day it’s important to ensure you understand your data privacy obligations. It is advisable to consult a business lawyer to avoid penalties for failing to be properly compliant with the GDPR.

Don’t know where to start?
Contact a Lawpath consultant on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest legal marketplace.

Gopi Giri

Gopi is currently a graduate in the legal documents team at Lawpath. Gopi is interested in cyber law and future innovations in the legal industry.