The new Data Protection Bill has already had its first and second readings in the House of Lords and will replace the UK’s current Data Protection Act 1998 (DPA) along with the general Data Protection Regulation (GDPR) on 25 May 2018. Also whatever happens regarding Brexit, the UK has committed to retaining the same principles and laws regarding Data Protection whether or not the UK is in the EU. UK companies should now be taking appropriate steps to ensure that they will be compliant with the new GDPR requirements.
Why the importance?
Well, to start off, serious breaches of the GDPR could lead to fines of up to €20 million or 4% of global group turnover, whichever is greater. In addition data subjects have enhanced rights under GDPR which can have a cost impact for businesses, and those rights may led to complaints which may lead to the risk of fines.
Why should Insolvency Practitioners take note?
Insolvent companies or individuals over whom Insolvency Practitioners are appointed will be regarded as “data controllers” for the purposes of the GDPR in relation to data relating to their employees and also in many cases in relation to their customer data. This is not relevant for information held by insolvent individuals for their own private use – just business use. Where Insolvency Practitioners are appointed as office-holder of the insolvent estate, it will be the responsibility of the Insolvency Practitioner to ensure that the insolvent estate over which they are appointed (as well as the Insolvency Practitioner and their staff) fully complies with the requirements of the GDPR.
The headline GDPR requirements from an insolvency perspective are as follows:
- While Insolvency Practitioners will not have to register as “data controllers” under the GDPR, Insolvency Practitioners will have to comply with the GDPR’s new “accountability principle” and, by way of example, maintain adequate records of how they are using, processing and managing any personal information or data within the insolvent estate’s books and records or obtained by the Insolvency Practitioners as a result of their investigations and how it is being done in a GDPR compliant way.
- While Insolvency Practitioners will already be familiar with receiving subject access requests under the DPA, the GDPR will now expressly require any such requests to be dealt with “without undue delay” and in any event within one month.
- If a data breach occurs, the GDPR will now require many data breaches to be reported to the ICO, whereas under the DPA reporting obligations are currently only voluntary.
- If Insolvency Practitioners are appointed over estates that trade or deal with personal data, they will need to consider undertaking a data protection impact assessment before offloading or selling any data assets to third parties.
- Contracts between “data controllers” and “data processors” (those who process personal data on behalf of “data controllers”) will need to be more detailed, and the same will apply to contracts between joint controllers.