How GDPR will affect the role of the Company Secretary - Part I

D-Day for GDPR is almost here. Starting on the 25th of May, the new data protection law will become effective, and we wanted to take a closer look at how it will affect Company Secretaries specifically in a series of two blogs.

What is GDPR?

The official GDPR portal states that “the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

Fundamentally, behind GDPR is an intent to give individual citizens greater control over how their data is used – especially in an era where organisations frequently swap and sell digital data online.

“Organisations involved in data processing of any sort need to be aware (that) the regulation addresses them directly in terms of the obligations it imposes.” - www.dataprotection.ie

Even post-Brexit, compliance will be vital for any company wanting to do business in the European Union. In fact, all organisations that process personal data concerning employees, customers or prospects who are in the EU and/or are EU citizens fall within its scope, wherever in the world the company is based, even if the data is processed outside the EU.

The introduction of the GDPR represents a significant shift in the way organisations handle and store all the personal data they hold, and it will affect every aspect of their business. For this reason, many companies in the private sector will want to appoint Data Protection Officers, irrespective of their size and whether they are processing personal data in the capacity of a controller or a processor.

What is a Data Protection Officer?

A Data Protection Officer or DPO is a privacy professional tasked with monitoring compliance with the GDPR and other data protection laws, data protection policies, awareness-raising, training, and audits. The DPO will act as a contact point for data subjects and the supervisory authority.

In order to ensure full compliance, organisations can then decide either to appoint a third-party entity such as a law or IT firm to act as their external DPO, or to assign an existing employee. We expect that most will appoint their Company Secretaries as their DPO, considering the nature of their work.

Company Secretaries and GDPR

Peter Swabey, Policy and Research Director at ICSA, the Institute of Chartered Secretaries and Administrators says that “when GDPR comes into force decision-makers at the highest levels will need clear, reliable updates from those more closely involved in the management of data throughout the organisation.” He adds that “company secretaries will need to act as conduits for information from multiple functions including legal, HR, IT and other departments, such as customer services and marketing, in order to help board members to raise appropriate questions with management and assist respondents by highlighting important or missed considerations.” 

Sara Johns, Partner at Ogier, the renowned global legal firm, also confirms how crucial the role of Company Secretaries will be. At the recent ICSA Conference in Jersey she highlighted how they will be pivotal in ensuring board effectiveness and reinforcing the engagement with GDPR throughout the business. Johns added: “(Company Secretaries) are a conduit for data flow, heightened visibility - why you have the data you have, how it can be treated, and how long it can be held for.”

Certainly, GDPR will extend the responsibilities of Company Secretaries, adding to their administrative burden. If appointed as a DPO, they are potentially subject to criminal liability if the information supplied to the board is incorrect or misleading.

We’ll take a look at how technology specifically can help Company Secretaries work smarter and ease the burden associated with GDPR compliance in our next blog. Stay tuned!

Helpful resources

  • ICSA’s EU General Data Protection Regulation guidance note here
  • ICO’s Guide to the General Data Protection Regulation (GDPR) here

Have any comments or thoughts on this? Please leave a comment or email us at info@cygnetise.com.
