What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation designed to strengthen and harmonise data protection rules for processing data of all individuals within the EU and covers the transfer of such personal data outside the EU. One of the aims of the new legislation is to give control back to individuals over their personal data by establishing new rights for individuals in relation to their data and imposing more stringent obligations on companies that collect and process personal data.
Notwithstanding Brexit, the UK government intends to incorporate the GDPR into UK law, overriding the Data Protection Act 1998. GDPR will become immediately effective in the UK on 25 May 2018. This blog looks at the GDPR from the perspective of the insolvency practitioner and what you may need to do to ensure compliance.
Key features of GDPR relevant to insolvency practitioners (IPs):
- strict obligations to maintain records of what personal data is collected, how it is used, processed and managed (including security measures) with limited exceptions to this rule
- obligation to document compliance with GDPR
- prescribed individuals’ rights: to object to use of information; to access data; to rectification and deletion (i.e. the “right to be forgotten”)
- requires mandatory reporting of data breaches (within 72 hours of detection)
- data protection impact assessments required where collection and processing of data carries high risk
- new obligations on “data processors” and more detailed requirements for the contracts between data controllers and processors
- a requirement for contracts between joint controllers outlining their respective responsibilities
- significant fines introduced for breaches of GDPR (up to 20M EUR/4% of global turnover)
- private right of action for pecuniary and non-pecuniary damages and joint and several liability for controllers and processors
The GDPR prescribes new responsibilities for “data controllers” (being those persons who are responsible for the purposes and means of the processing of personal information) and directly applies to “data processors” (those who process personal data on behalf of the data controller). In corporate insolvency proceedings, the classification of the IP as a joint controller or processor will depend on the circumstances and the contractual arrangements between the parties as to whether the company ultimately remains liable for compliance. In order to ensure the company complies with its duties, the IP will need to be alive to the obligations (of both controllers and processors) as set out in the GDPR.
In the course of their appointment, IPs are likely to encounter personal information both in relation to the insolvent entity itself (e.g. the company’s customer and employee databases) and also in relation to information generated in the course of their appointment as office holder (e.g. creditor, debtor and director information where such individuals are natural, living persons). Given the scope of the GDPR (including the sanctions for non-compliance), IPs and their advisors should ensure they are well aware of the obligations and identify, pre-appointment, the relevant compliance issues to be addressed.
Achieving reasonable compliance with the GDPR requirements before the May 2018 deadline will require focus, legal and technical support and the participation of all key departments, not just IT. Below are some of the key points to focus on in preparation for the GDPR coming into force:
- review what personal data will be held, where it came from, where it is held and what purpose it is retained for
- be alive to the need to demonstrate compliance: keep adequate records of what data is collected, the basis for collecting it, how long it is kept for and whether it is shared/transferred outside the EU
- ensure there are adequate procedures in place for promptly responding to individual requests (see individual’s rights above)
- review data breach response procedures for the insolvent company (and the IP’s firm policy where a breach may relate to practitioner-generated data)
- when appointed over major data-holding companies (especially financial businesses), consider the level of risk to the rights of individuals and ensure adequate measures (including IT security) are in place (this will be of significant importance when selling data assets in a formal insolvency process)
- review any current privacy notices and ensure they are GDPR compliant
- consider the types of processing activities you/the company carries out and identify and document the lawful basis for doing so
- where consent is required, check how a data subject’s consent has been sought, recorded and managed and consider what remedial steps may be required to bring it up to GDPR standard. To be GDPR compliant, where consent is required, it must be freely given, specific, informed and unambiguous. There must be a positive opt-in and children must, in most cases, be 16 in order to give valid consent
- consider designating a person to carry out the Data Protection Officer functions set out in the GDPR (if not already in place). DPOs must be appointed in relation to any entities which carry out the regular monitoring of individuals on a large scale and those which carry out large scale processing of special categories of data, such as health records or information about criminal convictions.