Are you geared up for your GDPR responsibilities?
Alison Curry reviews the requirements for IPs under Europe’s biggest change to data protection in more than two decades.
Any substantive change to business legislation requires insolvency practitioners to take a dual approach: we must consider both our own business responsibilities and make sure that the legislation permeates our approach to insolvency appointments. And so it is with the General Data Protection Regulation (GDPR).
What does GDPR do?
The data processing regime exists to ensure that the data privacy of EU citizens is protected. It imposes strict safeguards on the use of personal data by businesses and even higher duties where that data is particularly sensitive (or ‘special category’ as it is now called).
Jargon busting
Personal data is classified as any information from which a natural person can be identified directly or indirectly; so the application of GDPR is broad. It includes, for example, the names and addresses of individual creditors, the pay details of employees and the personal details of a company’s directors.
The definition of data processing is similarly wide and includes (among other things) the collection, organisation, storage, alteration, retrieval, use, dissemination and, perhaps most surprisingly, destruction of data.
A data controller is any natural or legal person that determines the purposes and means of processing personal data. That will necessarily include an insolvency practitioner in respect of personal data contained in their case files.
A data processor is a natural or legal person that processes personal data on behalf of a controller. So if you instruct an Employment Rights Act claims handler, for instance, they are likely to be a data processor.
Any processing of personal data, whether by a data controller or a data processor, must comply with GDPR. Both data controllers and processors may be jointly and severally liable in the case of any breach.
Legal bases
It is a requirement that data may only be processed where one or more of the specified legal bases apply, and these must be specified in advance of the processing commencing. You can specify more than one legal basis, but you cannot change the stated basis of processing once it has been defined.
What do I need to do?
GDPR requires organisations to demonstrate compliance with the principles set out in the legislation. In essence, businesses must demonstrate that the data is needed; that it is relevant and accurate; that it is held securely and only for as long as is necessary; how and why it is held; and that it is only shared as necessary.
Your business must document what personal data it holds, on what basis and in what capacity, and by whom it will be processed. As a minimum, you will need a data processing register, register of data processors and a data breach register, though ideally, you should consider documented policies to deal with data security and breaches, retention and destruction, subject access requests and processor oversight. If you process sensitive (special category) data, which is likely to be the case, you must also have a documented policy describing your processing.
You must make available privacy notices that are relevant to the various categories of data subjects you encounter (business contacts, advice clients, personal insolvency clients, directors, shareholders, staff members etc), setting out your approach to personal data handling.
GDPR upon appointment
Prior to and upon appointment, you must understand and assess the risks that GDPR presents. Your checklists or work programmes should document GDPR considerations and their potential impact and you should be able to demonstrate that the entity’s current GDPR approach has been assessed, any risks are identified and, wherever possible, minimised.
If the entity’s personal data processing will continue post-appointment, you will need to assess the GDPR risks and ensure that the entity has in place the necessary consents and appropriate controls and policies surrounding its data processing.
If personal data is likely to be transferred as part of a going concern sale, you should check whether that data is transferable and whether consent to transfer has been given or is required, with the benefit of legal advice.
Existing cases
Data subjects may be notified of changes to the relevant privacy policy by way of a link to your website at the next opportunity for communication. It seems you do not need to contact individual data subjects in closed cases; however, you should consider how you will deal with any subject access requests relating to these appointments and satisfy yourself that personal data is securely stored.
Assistance
There is lots of generic advice out there, but little if any of that is insolvency-specific. That’s where we can help. We have designed policy documents for insolvency practitioners, a GDPR checklist for use on appointments and sample privacy notices for the different categories of people that insolvency practitioners will encounter. Our full suite of GDPR documents is available for £1,850 (plus VAT). We can also provide Data Protection Impact Assessment screening, in-house training and support staff training and induction. If you would like to know more about how we can tailor our services to help you meet your GDPR obligations, please contact Alison Curry at [email protected].
Alison Curry is a licensed insolvency practitioner at Insolvency Support Services Ltd, with over 20 years of practice experience, including six years as head of regulatory standards at the Insolvency Practitioners Association.
This article first appeared in Recovery News, the newsletter of R3, the Association of Business Recovery Professionals.