We use cookies to make this site as useful as possible. Read our cookie policy or ignore.

Data Protection Commissioner says firms need binding written contracts delineating controller and processor roles for GDPR

Dublin, 10 October 2017 – Speaking today at a General Data Protection Regulation (GDPR) event organised by the Irish Region of ICSA: The Governance Institute at the Dublin offices of William Fry, Data Protection Commissioner Helen Dixon FCIS said that a key challenge for company secretaries and others involved in managing personal data will be recognising whether their role comprises being a ‘data controller’ or a ‘data processor’. She urged organisations to understand the key elements of both roles and then have binding written contracts in place that delineate these responsibilities.


The Commissioner highlighted the types of damage to individuals that controllers and processors need to guard against when processing personal data. These include discrimination, identity theft or fraud, financial loss, damage to the reputation or loss of confidentiality of personal data protected by professional secrecy.


Ms Dixon stated accountability by organisations for personal data will be a cornerstone under the new GDPR legislation. All organisations will have to implement appropriate technical and organisational measures to ensure and be able to demonstrate that data processing is performed in accordance with the new General Data Protection Regulation. She also emphasised, however, that GDPR does advocate a risk-based approach making it scalable for small and large data processing organisations.


This European led legislation is also designed to make data protection more transparent and reduce data protection vulnerabilities. A key requirement arising from the new regulation is the requirement to report data breaches within 72 hours. In cases “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”, then the data controller will be required to notify the data subject of this breach without undue delay.


Also new in the regulation are:


  • A higher bar for relying on consent of individuals to process their data
  • New and enhanced ‘data subject’ rights
  • New significant administrative fines for contraventions of the legislation
  • The requirement to appoint a Data Protection Officer in certain organisations.


Ms Dixon summarised customers’ new enhanced rights, which include the right to data portability, to be informed, to have their data erased and the right to restrict processing of their data. The Commissioner added that with regard to transparency when collecting personal data, a data controller should “provide information relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular, for any information addressed specifically to a child”.


Following Ms Dixon’s talk, a panel discussion took place led by industry expert David Cullen, Partner and Head of Technology at William Fry, and Denis Kelleher, Senior Legal Counsel from the Central Bank of Ireland. They discussed the challenges facing company secretaries in navigating the forthcoming General Data Protection Regulation scheme. Among the topics discussed were the ability and readiness of regulated entities to comply with the regulation, the impact on the company secretary in maintaining registers and the challenges in maintaining the Register of Beneficial Owners in the context of the new regulation.

 - Ends -


For further information, please contact


Ruairí Cosgrove, Chair of ICSA Ireland


+353 (0)1 792 6070


John Burns


+353 (86) 88 88 949

Notes to Editors:

  1. ICSA: The Governance Institute is the professional body for governance. We have members in all sectors and are required by our Royal Charter to lead ‘effective governance and efficient administration of commerce, industry and public affairs’. With over 125 years’ experience, we work with regulators and policy makers to champion high standards of governance and provide qualifications, training and guidance.
    Website: icsa.org.uk
  2. ICSA Ireland is the representative body of ICSA: The Governance Institute in the Republic of Ireland. The Irish region is governed by its own Council and sub-committees representing all areas of business in which the members work. ICSA Ireland has approximately 600 members and 200 students with many of its members working in the corporate and professional services sectors.
    Through its Council and sub-committees it provides a range of services to members and students, including the organisation of educational and social events. Council also makes representations and submissions to Government Departments and Governance Forums on behalf of the ICSA members.
    Website: icsacharteredsecretaries.ie