Governance Briefing — September 11, 2023
The 2023 G20/OECD Principles of Corporate Governance revision elevates board accountability for sustainability and data stewardship, guides staged implementation across ownership structures, and links disclosure reforms to DSAR-ready transparency.
The Organisation for Economic Co-operation and Development (OECD) released the revised G20/OECD Principles of Corporate Governance, marking the first update since 2015. Endorsed by G20 Leaders days earlier in New Delhi, the 2023 text reflects lessons from the pandemic, climate risk, digitalisation, and evolving capital markets. The Principles remain the global benchmark for policymakers, regulators, and companies shaping corporate governance frameworks. Boards must digest the strengthened expectations around sustainability oversight, shareholder engagement, and data governance, and implementation teams need roadmaps for adapting internal policies, disclosure controls, and DSAR processes to the updated guidance.
The revised Principles add a new Chapter VI on “Sustainability and resilience,” reinforcing that boards should oversee material sustainability matters, integrate climate and broader ESG risks into strategy, and ensure access to expertise. The chapter calls for robust internal control and risk management systems that cover sustainability metrics, scenario analysis, and disclosures. Boards are encouraged to align incentives with long-term value creation and to monitor supply-chain due diligence. These enhancements require governance committees to refresh charters, define accountability for climate and human rights oversight, and secure reliable data flows from operations, procurement, and compliance. Because sustainability metrics often rely on workforce and stakeholder personal data, privacy teams must align DSAR procedures with the expanded transparency obligations.
Chapter IV on disclosure and transparency now stresses the importance of sustainability reporting, greenhouse gas emissions data, and forward-looking information. It recommends that disclosures be based on high-quality standards, subject to assurance, and accessible to stakeholders. Companies should evaluate whether their reporting frameworks (such as IFRS S1/S2, ESRS, or jurisdictional standards) meet investor expectations and regulatory mandates. Implementation teams must enhance data governance to capture accurate, complete, and timely information. They should also harmonise financial and non-financial reporting processes, ensuring that DSAR teams can trace published sustainability metrics back to the individual-level data that data subjects may request under GDPR or other privacy regimes.
The Principles emphasise digitalisation throughout. They recognise that stakeholders, including employees and customers, increasingly rely on digital platforms to interact with companies. Boards are urged to oversee data governance policies that protect privacy, cybersecurity, and the ethical use of artificial intelligence. Chapter V on the responsibilities of the board calls for directors to ensure internal controls cover digital risks and to obtain the necessary skills to oversee technology. Companies should therefore integrate privacy and cybersecurity officers into board reporting routines, expand director training on data governance, and document how DSAR obligations fit within digital transformation initiatives. Reporting DSAR metrics alongside cyber incident reports at board meetings provides evidence that directors are fulfilling these updated expectations.
The revised text also strengthens expectations for shareholder engagement and ownership disclosure. Chapter II encourages regulators to ensure that ownership structures are transparent and that shareholders have equitable voting rights. Chapter III urges institutional investors to adopt stewardship codes, disclose voting policies, and manage conflicts of interest. Corporate secretaries should reassess investor relations policies, proxy engagement strategies, and beneficial ownership tracking systems. Implementation steps include upgrading share registry platforms, mapping communication channels with minority investors, and ensuring that DSAR processes can accommodate shareholder access requests, including those relating to personal data held in share registers or voting platforms.
Policymakers are expected to align national codes and listing requirements with the updated Principles. Companies operating across jurisdictions should monitor legislative timelines—such as the European Union’s forthcoming Corporate Sustainability Due Diligence Directive, U.S. SEC rulemaking, and Asia-Pacific stewardship reforms—to anticipate mandatory changes. Implementation teams should maintain regulatory inventories and assign owners to track developments, ensuring that governance practices remain aligned with emerging rules. Cross-border groups must harmonise policies so DSAR handling for shareholders, employees, and stakeholders remains consistent, even when local privacy laws differ.
The Principles highlight the need for effective whistleblowing mechanisms and stakeholder grievance processes. Boards should oversee anonymous reporting channels, protect whistleblowers from retaliation, and ensure investigations are independent. These systems generate sensitive personal data and often lead to DSAR submissions from reporters or individuals named in complaints. Organisations should create protocols that balance transparency with confidentiality, maintain audit trails for investigations, and coordinate with data protection officers to manage DSAR responses without compromising legal privilege or retaliation safeguards.
Implementation sequencing can follow a governance maturity model. Phase 1 should involve a gap assessment comparing existing board practices, policies, and disclosures with the updated Principles. Companies can map each chapter to responsible functions—board committees for oversight, finance for disclosures, legal for shareholder rights, HR for workforce engagement, and privacy for DSAR handling. Phase 2 can prioritise quick wins, such as updating board competency matrices, enhancing director induction materials, and codifying ESG oversight in committee charters. Phase 3 can address more complex initiatives, including integrated reporting, supply-chain due diligence, and technology governance frameworks that incorporate privacy-by-design.
Metrics and monitoring play a central role. Boards should receive dashboards that track progress against Principle-aligned goals, including adoption of sustainability reporting standards, DSAR response times, shareholder engagement frequency, and outcomes of whistleblowing investigations. Internal audit can expand its assurance plans to cover sustainability data controls, digital governance, and shareholder rights processes. External auditors and assurance providers may seek evidence that the company has incorporated the Principles into its governance system, so maintaining documentation—board minutes, policy updates, training records, and DSAR logs—will be critical.
The OECD also underscores the importance of high-quality data governance systems. Chapter IV encourages the use of digital tools for disclosure while guarding against misuse of personal data, and Chapter V expects boards to oversee internal audit and compliance programmes that cover data integrity. Organisations should invest in master data management, lineage documentation, and automated validation that link sustainability metrics, financial results, and DSAR inventories. When investors, employees, or community representatives seek access to records underpinning public reports, these capabilities enable fast, consistent responses that demonstrate respect for both transparency and privacy.
Finally, the Principles encourage policymakers and companies to support MSMEs and state-owned enterprises (SOEs) in strengthening governance. Larger enterprises should use their influence to cascade responsible practices through supply chains and joint ventures, including providing templates for governance policies, sustainability reporting, and privacy management. DSAR support clauses in supplier contracts can help smaller partners honour data subject rights without compromising security. By embedding the OECD’s 2023 revisions into governance frameworks, companies not only align with global best practice but also build trust with investors, regulators, and stakeholders who expect transparent, accountable, and privacy-conscious corporate behaviour.