In his latest Coffee Break Briefing webinar, Frettens’ own Insolvency Guru Malcolm Niekirk looked at GDPR – SARs and business sales.
This is the summary of that briefing.
If you'd like to watch the webinar back, you can do so below; if not, read on for our summary.
Quick Links
- What is GDPR - a refresher
- The legal obligations of GDPR
- Subject Access Requests
- Business Sales
- Upcoming Events
What is GDPR?
GDPR is a statutory law of privacy. Its purpose is to give individuals rights against the organisations that hold information about them.
GDPR is EU legislation (retained in the UK after Brexit as the ‘UK GDPR’, sitting alongside the Data Protection Act 2018), though statutory data protection in the UK goes back to the Data Protection Act 1984.
The basic principle behind it is that each of us should have the right to control the information that organisations hold about us.
When I spoke about this in September 2022, I suggested a ‘golden rule’ for GDPR: those running organisations should treat the information they hold about others in the same way as they would like other organisations to treat information about themselves.
The legal obligations of GDPR
You should:
- Take only the information that you need.
- Keep only what you are allowed to use.
- Record your lawful basis for using it (consent is not the only way to authorise use).
Another legal requirement is that organisations should set and follow their own policies, procedures and documents.
Some information is inherently more confidential than other information and attracts a higher degree of legal protection.
The data controller
Any entity, typically a company or LLP, that has a database of people will have to comply with GDPR.
As an insolvency practitioner you are likely to have GDPR coming at you from three different directions:
1. As an appointment-taking office holder you are going to be a data controller in that capacity for some purposes:
a. You should be registered with (‘notified to’) the Information Commissioner’s Office (ICO) in that capacity.
2. Your firm itself is going to be a data controller for some purposes and will have its own obligations of compliance, independent from yours as office holder.
3. When you take appointment as liquidator or administrator (for example) over a company that is itself a data controller with its own GDPR obligations:
a. You won’t be directly responsible for making sure that the company complies with its obligations. You don’t replace the company as data controller. The company continues to have those responsibilities.
The degrees of confidentiality under GDPR
GDPR protects some information but not all information.
Data protected under GDPR from least to most protected is as follows:
- Personal data is any information relating to an identifiable living individual – this is protected by GDPR. Anything else (not personal data) is not protected by GDPR, but there may still be other contractual or professional duties of confidence.
- Financial and identification data is not a different category under GDPR, but there is obvious damage that could be done if you inadvertently release this type of data.
- Sensitive (‘special category’) personal data.
- Criminal records.
What is Special Category data?
GDPR has tighter rules about when you can take, keep or use this.
Special category data includes information about someone’s health, sex life or sexual orientation, religious or philosophical beliefs, political opinions, racial or ethnic origin, trade union membership, and genetic and biometric data used to identify them.
Why is criminal record data so sensitive?
These rules apply to information about alleged offences, prosecutions, convictions and sentences.
Examples you may have on your files include CDDA (Company Directors Disqualification Act 1986) offences, bankruptcy offences and allegations of fraud.
When can you hold, take and use personal data?
There are six bases:
- Consent – the individual has given you consent to use it.
- Contract – you are performing a contract with that person and need the data to carry out your obligations.
- Legitimate interests – you have a legitimate interest of some sort, you can show that you need to use this data to achieve it, and you have balanced that use against the interests and rights of the individual.
- Legal obligation – you need the data to comply with a legal obligation.
- Public task – you are acting in the public interest or exercising official authority.
- Vital interests – life or death, as a last resort.
Privacy notices
When you start collecting information about someone, you must tell them in writing:
- What you intend to use it for.
- How long you will keep it.
- Who you will share it with and who will see it.
- The lawful basis on which you are entitled to use it (e.g. consent).
- What the legitimate interest is (if any).
- And much else…
Subject Access Requests (SARs)
What are Subject Access Requests?
When you are a data controller, people have the right to know when you have a file on them, what is on that file (including copies) and any other information (such as that included in a privacy notice).
SARs may come to you as office holder, to your firm (the data controller for its own business) or to the bust company (which is a data controller too).
How to comply with a Subject Access Request?
Firstly, you should check who is the data controller. Next, remember that other people may have privacy rights over the information on your file (under GDPR or some other basis).
You normally have one month to comply with a SAR. It’s best to ask for ID first before doing anything. The time does not start to run until they have proven their identity.
Normally, you can’t charge the individual for answering their request.
How to comply with a SAR when the bust company is the data controller
In this situation, you won’t become the data controller – so compliance may be an expense, but is not a personal liability.
You are entitled to consider whether the cost of compliance is disproportionate and, if it is, to say to the person making the request something along the lines of:
‘I’m terribly sorry, I’m not able to make funds available to the company to deal with your request. Here is a proof of debt form; please lodge a claim as a creditor in respect of the company’s inability to provide this information to you.’
Before you do this, you should find out from them why they want the information. You can then assess whether the cost of compliance is disproportionate or not.
If the SAR is addressed to you as the insolvency practitioner, firstly check that this is information for which you are the data controller. If the request is for information from the bust company’s records or your firm’s records then you won’t be data controller for it.
How to comply with a SAR when you are the data controller
Assuming it is your responsibility, you need to think about whether they are entitled to the information that they’re asking for and whether you’re willing to supply it.
You might be willing to supply information that they’re not entitled to have (if so, think about whether that might prejudice third parties’ rights).
You might prefer not to supply information that they can demand. Your reluctance is not, by itself, a valid reason to withhold information.
When can you refuse to provide information for a Subject Access Request?
The exemptions are specific and detailed. But, broadly speaking, examples include:
- Prejudice to your negotiations with them.
- Legal privilege.
- Criminal investigations.
- Prejudice to ‘public interest’ work (e.g. CDDA investigations).
You can redact documents you release (to remove information that falls into one of the exemptions).
Business Sales
What databases do businesses hold?
Businesses will often hold several databases such as employee, marketing, customer and supplier databases.
In addition, they will likely hold working files such as a professional services firm’s client records, a school’s pupil records and a care home’s residents’ records.
Issues with information on those databases
Issues about the information on those databases may include:
- Where they are (cloud, server, etc.).
- Software licences.
- Copyright.
- Access codes and passwords.
- Who else has copies.
- GDPR.
- Whether the records are reliable.
Day one issues
These are the issues you’re going to need to think about from day one:
- Can you trust the bust company’s systems, how reliable and robust are they?
- Does the bust company have useful or valuable data?
- Is the company registered with (‘notified to’) the ICO?
- How will you need to use it?
- Suppose it goes wrong – how many people might be affected and how badly?
- What do you need to change now?
- What do you need to look into?
What trading issues might arise?
Here are some considerations:
- What trading might you do?
- How long might the business stay open for?
- What is the risk (looking at the issues mentioned above)?
- How often should you review this?
Make the changes identified in your review.
Can you sell the data?
This is another important point. You need to look at what the privacy policy says – a surprisingly large number of them say that they will never sell or give away information to a third party.
You might find that this is only a headline and that there is small print which allows you to sell the data. If this isn’t the case, you can change the privacy policy by telling all users and informing them what the effect is. They will have the right to object to the change.
Can the buyer use the data?
GDPR here is like TUPE (the Transfer of Undertakings (Protection of Employment) Regulations): it tends to be more the buyer’s problem than the seller’s, but getting it right can have a positive effect on how much you sell the business for.
If there are GDPR issues with the database, they’re going to be more of a problem for the buyer than for you.
Sorting out those issues in the course of the sale can help to maintain the value of the database.
You’ll need to check that the buyer is notified to the ICO, and that the sale agreement deals with any irrelevant personal data in the company’s records that gets passed to the buyer. Make it clear that the buyer can’t use it and must delete it securely.
GDPR & TUPE – the ‘data room’
The buyer is entitled to certain information about employees before the sale takes place.
As the seller has a legal obligation to provide it, that forms the lawful basis for you to supply it.
The buyer will ask for other information about the business. Where possible, hold back personal information. Otherwise:
- Check the buyer is notified to the ICO.
- Get a good NDA (with obligations of confidentiality under GDPR recognised).
- The NDA should include destruction obligations for irrelevant personal information and all personal information when no longer needed.
Upcoming events
Thanks for reading this summary…
My next Coffee Break Briefing is coming up on Monday 3rd April 2023, when I’ll be looking at tenants in liquidation. The link to book on will be sent out to the usual email list in due course.
If you’re not already on it, you can sign up to our email list.
And Frettens’ Second Annual Insolvency Conference is set to be held on 12th May 2023. Again, more details to follow.
Specialist Insolvency Solicitors
If you have any questions after reading this article, please don’t hesitate to get in touch with our bright and experienced team.
Call us on 01202 499255, or fill out the form at the top of this page, for a free initial chat.