Changes to ASX Corporate Governance Principles - Draft Consultation Released

ASX Listing Rule 4.10.3 outlines the corporate governance statement requirements of every ASX listed entity. Any corporate governance statement submitted by a listed entity under that rule must disclose the extent to which the entity has followed the CGPRs and the recommendations of the Council during the reporting period.

Proposed Consultation Background

The CGPRs were first introduced in 2003 and seek to promote eight central governance principles. Surrounding those principles, there are specific recommendations and explanatory commentary to give effect to the principles.

In May 2017, the Council commenced work on the fourth edition of the CGPRs, addressing a number of issues including:

  • social licence to operate
  • corporate values and culture
  • whistleblower policies
  • anti-bribery and corruption policies
  • an apparent slowing in the rate of progress in achieving gender diversity at board level
  • increased guidance around carbon risk
  • cyber risks, and
  • other areas for improvement identified in a previous review by KPMG.

The Council's consultation draft of the CGPRs retains the same eight core principles as in the previous edition but significant changes have been made to Principle 3 to address emerging issues around corporate values and culture, and the social licence to operate. In some respects, the Council's proposed changes anticipate and respond to some of the governance issues already identified in recent inquiries, such as the Hayne Royal Commission into the financial services sector. The number of recommendations has been expanded from 29 in the third edition of the CGPRs to 38 in the fourth edition consultation draft.

The proposed changes in the consultation draft come at an opportune time, as other jurisdictions are also reviewing their corporate governance codes: the Hong Kong Exchange commenced consultation in November 2017, the UK Financial Reporting Council in December 2017 and the Singapore Exchange in January 2018.

Timeline for Implementation

Submissions to the consultation draft close on 27 June 2018.

The ASX expects that the final version of the CGPRs will be released in early 2019, with listed entities expected to measure their compliance against the fourth edition of the CGPRs for their first full financial year commencing on or after 1 July 2019.

New Recommendations 


Australian Businesses and the EU General Data Protection Regulation

The GDPR is a measure to harmonise data protection laws across the EU. It comes into force next week (25 May 2018) and the OAIC has recently released detailed guidance to assist Australian businesses in understanding the new requirements and how they interact with current obligations under the Privacy Act 1988 (Cth) (Privacy Act).

Application of the GDPR to Australian businesses

The GDPR applies to Australian businesses of any size if they process data and they:

  • have an establishment in the EU
  • offer goods and services in the EU, or
  • monitor the behaviour of individuals in the EU (irrespective of the individual's residence).

The GDPR obligations fall on two distinct types of businesses that process data:

  1. "controllers" (a business that determines how data will be processed), and
  2. "processors" (a business that processes the data on behalf of the controller).

Interaction with the Australian Privacy Act obligations

The GDPR and the Australian Privacy Act have many similar requirements. Both laws:

  • foster transparent information handling practices and business accountability
  • require businesses to implement measures that ensure compliance with a set of privacy principles - a privacy by design approach to compliance
  • require data breach notification
  • apply to personal information or data with special requirements for sensitive categories of personal information or data
  • have mandated privacy impact assessments, and
  • are technology neutral, which preserves relevance and applicability.

However, the GDPR expands obligations currently held by Australian businesses under the Privacy Act in the situations outlined below:


Consent cannot be assumed under the GDPR. It is mandatory to obtain consent in a manner which must be:

  • freely given
  • specific
  • informed, and
  • an "unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing" (Article 4).

Expanded rights for individuals

The GDPR includes a range of new and expanded rights for individuals:

  • The right to erasure. This gives individuals the right to require data controllers to delete their data in certain circumstances (sometimes referred to as the "right to be forgotten"). According to Article 17, the circumstances include where the information is no longer necessary for the purpose for which it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data.
  • The right to object. This gives individuals the right to object at any time to the processing of their personal data (including profiling). According to Article 21, if an objection is made in regard to certain types of processing (like direct marketing or legitimate business interests), the controller must immediately stop the data processing.
  • The right to data portability. Any individual, according to Article 20, has the right to receive the personal data they have provided to a controller in a "structured, commonly used, machine-readable format" and to transmit that data to another controller.
  • The right to restriction of processing. According to Article 18, the personal data of an individual may only be processed in certain limited circumstances and there may be a temporary restriction on the processing of data if an individual contests the accuracy of their personal data.

What Australian businesses should be doing now

Unlike the Privacy Act, where exemptions apply (including for small business), all Australian businesses that meet the GDPR criteria must comply regardless of revenue. The penalties for non-compliance under the GDPR include being fined the higher of 20 million euro or 4% of the annual worldwide turnover for the preceding financial year. With penalties for breaching the Privacy Act only reaching $2.1 million, it could be a costly mistake for Australian businesses to ignore their required compliance with the GDPR.


Additional Information and Resources

OAIC Privacy Business Resource 21

EU GDPR Website and Text of Regulation

GDPR Checklist

The Information Commissioner’s Office Guide to the GDPR 

Financial Services Updates