Speaking today at an event organised by the Irish Region of ICSA: The Governance Institute, at the offices of William Fry in Dublin, Helen Dixon, FCIS, Data Protection Commissioner, said that a key challenge for company secretaries and others involved in managing personal data will be recognising whether their role comprises being a 'data controller' or a 'data processor', understanding the key elements of both roles and then having binding written contracts in place that delineate these responsibilities.
The Commissioner highlighted the types of damage to individuals that controllers and processors need to guard against when processing personal data. These include discrimination, identity theft or fraud, financial loss, damage to the reputation or loss of confidentiality of personal data protected by professional secrecy.
Ms Dixon stated that accountability by organisations for personal data will be a cornerstone under the new GDPR legislation. All organisations will have to implement appropriate technical and organisational measures to ensure and be able to demonstrate that data processing is performed in accordance with the new General Data Protection Regulation. She also emphasised, however, that the GDPR does advocate a risk-based approach, making it scalable for small and large data processing organisations.
This European-led legislation is also designed to make data protection more transparent and reduce data protection vulnerabilities. A key requirement arising from the new regulation is the requirement to report data breaches within 72 hours. In cases "when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons", then the data controller will be required to notify the data subject of this breach without undue delay.
Also new in the Regulation are:
- A higher bar for relying on consent of individuals to process their data
- New and enhanced data subject rights
- New significant administrative fines for contraventions of the legislation
- The requirement to appoint a Data Protection Officer in certain organisations
Ms Dixon summarised the new enhanced rights of the data subject, which include, amongst others, the right to data portability, to be informed, to have their data erased and the right to restrict processing of their data. The Commissioner added that with regard to transparency when collecting personal data, a data controller should "provide information relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular, for any information addressed specifically to a child".
Following Ms Dixon's talk, a panel discussion took place led by industry expert David Cullen, Partner and Head of Technology at William Fry, and Denis Kelleher, Senior Legal Counsel from the Central Bank of Ireland. They discussed the challenges facing company secretaries in navigating the forthcoming General Data Protection Regulation scheme. Among the topics discussed were the ability and readiness of regulated entities to comply with the regulation, the impact on the company secretary in maintaining registers and the challenges in maintaining the Register of Beneficial Owners in the context of the new regulation.
Irish Region of the Institute of Chartered Secretaries and
Dublin 10th October 2017