GDPR: Governance implications for regimes outside the EU

Abstract

It is estimated that as of 2017 around 120 nations around the globe had legislation to protect personal data, with at least another 30 in train. Many of the early regimes (dating back to the 1980s and 90s) reflect the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980, updated 2013). However, there are also increasing concerns that these guidelines may no longer be fit for purpose, given recent issues regarding breaches of data security and privacy. The EU's General Data Protection Regulation (GDPR) (2016) implements a reformed data privacy regime. Tellingly, some of the new and pending privacy regulations elsewhere reflect the GDPR, a characteristic that suggests much about the impact of international trade. Two questions arise: first, how is the GDPR likely to affect and influence governance of organisations, not only those domiciled in the EU, but also those trading with the Union or having a presence there? Second, compared to the GDPR, what gaps are there in other existing privacy regimes and what are the implications for the governance of those organisations and their risk management strategies? This paper compares the GDPR with privacy regimes in place in New Zealand and Australia (the first of which has GDPR “approved country status” for receipt of data) and attempts to answer the questions above, thus providing a focus for empirical research. As such, the paper provides insight into the impact of data privacy and security legislative reform on corporate governance, strategy and risk management beyond the EU, in its reach to far distant regions.

© The Authors, 2018. All Rights Reserved. Proceedings of the 14th European Conference on Management, Leadership and Governance, ECMLG 201
