What is the GDPR?
Key features of GDPR relevant to insolvency practitioners (IPs)
- strict obligations to maintain records of what personal data is collected, how it is used, processed and managed (including security measures) with limited exceptions to this rule
- obligation to document compliance with GDPR
- prescribed individuals’ rights: to object to use of information; to access data; to rectification and deletion (i.e. the “right to be forgotten”)
- requires mandatory reporting of data breaches (within 72 hours of detection)
- data protection impact assessments required where collection and processing of data carries high risk
- new obligations on “data processors” and more detailed requirements for the contracts between data controllers and processors
- a requirement for contracts between joint controllers outlining their respective responsibilities
- significant fines introduced for breaches of GDPR (up to 20M EUR/4% of global turnover)
- private right of action for pecuniary and non-pecuniary damages and joint and several liability for controllers and processors.
The GDPR prescribes new responsibilities for “data controllers” (being those persons who are responsible for the purposes and means of the processing of personal information) and directly applies to “data processors” (those who process personal data on behalf of the data controller). In corporate insolvency proceedings, the classification of the IP as a joint controller or processor will depend on the circumstances and the contractual arrangements between the parties as to whether the company ultimately remains liable for compliance. In order to ensure the company complies with its duties, the IP will need to be alive to the obligations (of both controllers and processors) as set out in the GDPR.
In the course of their appointment, IPs are likely to encounter personal information both in relation to the insolvent entity itself (e.g. the company’s customer and employee databases) and also in relation to information generated in the course of their appointment as office holder (e.g. creditor, debtor and director information where such individuals are natural, living persons). Given the scope of the GDPR (including the sanctions for non-compliance), IPs and their advisors should ensure they are well aware of the obligations and identify, pre-appointment, the relevant compliance issues to be addressed.
Achieving reasonable compliance with the GDPR requirements before the May 2018 deadline will require focus, legal and technical support and the participation of all key departments, not just IT. Below are some of the key points to focus on in preparation for the GDPR coming into force:
- review what personal data will be held, where it came from, where it is held and what purpose it is retained for
- be alive to the need to demonstrate compliance: keep adequate records of what data is collected, the basis for collecting it, how long it is kept and whether it is shared or transferred outside the EU
- ensure there are adequate procedures in place for promptly responding to individual requests (see individual’s rights above)
- review data breach response procedures for the insolvent company (and the IP’s own firm policy where a breach may relate to practitioner-generated data)
- when appointed over major data-holding companies (especially financial businesses), consider the level of risk to the rights of individuals and ensure adequate measures (including IT security) are in place (this will be of significant importance when selling data assets in a formal insolvency process)
- review any current privacy notices and ensure they are GDPR compliant
- consider the types of processing activities you/the company carries out and identify and document the lawful basis for doing so
- where consent is required, check how a data subject’s consent has been sought, recorded and managed and consider what remedial steps may be required to bring it up to GDPR standard. To be GDPR compliant, where consent is required, it must be freely given, specific, informed and unambiguous. There must be a positive opt-in and children must, in most cases, be 16 in order to give valid consent
- consider designating a person to carry out the Data Protection Officer functions set out in the GDPR (if not already in place). DPOs must be appointed in relation to any entities which carry out the regular monitoring of individuals on a large scale and those which carry out large scale processing of special categories of data, such as health records or information about criminal convictions.
The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.
This is an abridged version of the article first published on LexisPSL Restructuring and Insolvency.