GDPR vs Privacy Act: How Australian CRM Rules Differ from Europe

If you run a CRM in Australia, you have probably heard colleagues say something like "we're GDPR compliant, so we're fine." It is one of the most common and most dangerous assumptions in Australian data privacy. The General Data Protection Regulation (GDPR) and the Privacy Act 1988 share a family resemblance — both regulate the collection, use and protection of personal information — but they are different laws, with different scopes, different rights, different enforcement mechanisms, and different practical implications for how you configure and operate your CRM. Complying with one does not automatically satisfy the other, and the gaps between them are exactly where Australian businesses get caught.
This guide provides a practical, side-by-side comparison for CRM operators. If you sell to European customers, you may need to comply with both. If you only operate in Australia, the Privacy Act is your primary obligation — but understanding where it diverges from GDPR helps you anticipate the direction of Australian reform and avoid the trap of assuming a GDPR-configured CRM meets local requirements.
The foundational differences
Before diving into specifics, three structural differences shape everything else:
- Legal basis for processing. GDPR requires a specific legal basis for every processing activity — consent, contract, legitimate interest, legal obligation, vital interest, or public task. The Privacy Act does not use this framework. Instead, it relies on the "reasonably necessary" test for collection (APP 3) and purpose limitation for use (APP 6). The practical effect is that GDPR demands more granular documentation of why you process each category of data.
- Scope of "personal information." Both frameworks define personal information broadly, but GDPR explicitly covers pseudonymised data and has specific rules for "special categories" (health, biometric, genetic, racial, political, religious data). The Privacy Act covers "sensitive information" similarly but with a narrower definition. CRM fields that are routine under the Privacy Act may trigger heightened obligations under GDPR.
- Extraterritorial reach. GDPR applies to any organisation processing data of EU residents, regardless of where the organisation is based. The Privacy Act primarily applies to Australian businesses and their handling of personal information. An Australian company selling to European customers faces GDPR obligations that the Privacy Act alone does not create.
Rights of individuals: where the gaps bite
Both frameworks give individuals rights over their data, but GDPR's rights are broader and more prescriptive. For CRM operators, the differences that matter most are:
Right to erasure (right to be forgotten)
GDPR Article 17 gives individuals a clear right to have their personal data erased in defined circumstances. The Privacy Act has historically been weaker here — APP 11 requires destruction or de-identification of data no longer needed, but there has been no explicit individual right to demand deletion. The 2024–2025 reforms are strengthening this, moving Australia closer to GDPR's position. CRM systems that cannot comprehensively delete a contact and all associated records across modules and integrations will struggle under both frameworks.
Right to data portability
GDPR Article 20 gives individuals the right to receive their data in a structured, machine-readable format and to transmit it to another controller. The Privacy Act has no direct equivalent — APP 12 provides a right to access, but not necessarily in a portable, structured format. However, good CRM practice demands clean export capabilities regardless. See our guide on CRM data portability for the practical implications.
Right to object to automated decision-making
GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. The Privacy Act has been largely silent on automated decision-making, though the reforms are introducing transparency requirements around AI-driven decisions. For CRM systems using AI for lead scoring, customer segmentation, or automated outreach, GDPR imposes harder constraints.
Consent standards
GDPR requires consent to be freely given, specific, informed and unambiguous — with an affirmative act. Pre-ticked boxes and bundled consent are invalid. The Privacy Act's consent requirements are less prescriptive but still require genuine consent for sensitive information and direct marketing. The practical CRM implication: if you serve both markets, your consent mechanisms need to meet the higher GDPR standard.
Cross-border data transfers: fundamentally different approaches
This is where the two frameworks diverge most sharply, and where the choice of CRM platform has the greatest impact.
GDPR restricts transfers of personal data outside the EU/EEA unless the receiving country has an "adequacy decision" or appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules) are in place. Australia does not have an EU adequacy decision, which means transferring EU personal data to an Australian CRM requires SCCs or another approved mechanism.
The Privacy Act (APP 8) requires reasonable steps to ensure overseas recipients handle data consistently with the APPs, and holds the disclosing entity accountable. It does not use an adequacy framework — the obligation sits with the Australian business, not the receiving jurisdiction's legal framework.
The practical consequence for CRM selection: a US-headquartered CRM creates cross-border issues under both frameworks simultaneously. Your Australian data flows to US servers (APP 8 issue), and if you hold any EU customer data, it flows from the EU to a non-adequate country (GDPR Chapter V issue). An Australian-hosted CRM like Fulcrum CRM eliminates the APP 8 question entirely and simplifies the GDPR analysis by keeping data within a single, identifiable jurisdiction.
Breach notification: similar obligations, different timelines
Both frameworks require notification of data breaches, but the mechanics differ:
- GDPR: 72 hours to notify the supervisory authority, without undue delay. Notification to affected individuals is required where the breach is likely to result in a high risk to rights and freedoms.
- Privacy Act (NDB scheme): 30 days to assess whether a breach is notifiable, then notification "as soon as practicable" to the OAIC and affected individuals where serious harm is likely.
The GDPR timeline is significantly tighter. If your CRM holds data under both regimes, you need breach response procedures that can meet the 72-hour GDPR deadline — which effectively becomes your operational standard. A CRM with comprehensive audit logging and access controls makes breach scoping fast enough to meet either deadline.
What this means for your CRM configuration
If you operate only in Australia, the Privacy Act is your primary framework, but configuring for the higher GDPR standard where practical future-proofs your system against the ongoing Australian reforms. If you serve any EU customers, you need to meet both.
The configuration checklist that satisfies both frameworks:
- Granular consent tracking — record when consent was given, for what purpose, through which channel, and make withdrawal easy across all channels.
- Comprehensive data subject rights — the ability to access, export, correct and delete all data associated with an individual, across all modules.
- Minimised collection — only collect what is necessary, document the purpose for each field.
- Australian data residency — eliminates APP 8 cross-border issues and simplifies GDPR transfer mechanisms.
- Encryption at rest and in transit — a technical measure expected under both frameworks.
- Audit logging — required for GDPR accountability and essential for Privacy Act breach assessment.
- AI transparency — document what AI features do with personal data and ensure automated decisions can be explained and overridden.
Fulcrum CRM is built to support this dual-compliance posture. Australian data hosting satisfies the strictest interpretation of both APP 8 and GDPR transfer requirements. Built-in AI agents operate inside your data boundary rather than routing records through third-party offshore processors. And because all modules share a single contact database, exercising data subject rights — access, correction, deletion, portability — is a straightforward operation, not a multi-system archaeology project.
The direction of convergence
The Privacy Act reforms are clearly moving Australia closer to GDPR in several areas: stronger individual rights, tighter automated decision-making rules, and expanded scope. Businesses that configure their CRM for GDPR-level compliance today will find themselves ahead of the curve as Australian law catches up. Those that treat the current Privacy Act as a lighter standard and defer the harder configuration work will face a more painful adjustment later.
For a deeper dive into how the Privacy Act specifically applies to your CRM, see our guide on CRM and the Privacy Act in 2026. And for a side-by-side look at how Fulcrum CRM compares to the offshore incumbents on compliance, security and pricing, our comparison page lays it out transparently.