The new Data Protection Bill has already had its first and second readings in the House of Lords and will replace the UK’s current Data Protection Act 1998 (DPA) along with the General Data Protection Regulation (GDPR) on 25 May 2018. Also, whatever happens regarding Brexit, the UK has committed to retaining the same principles and laws regarding data protection whether or not the UK is in the EU. UK companies should now be taking appropriate steps to ensure that they will be compliant with the new GDPR requirements.
Why the importance?
Well, to start off, serious breaches of the GDPR could lead to fines of up to €20 million or 4% of global group turnover, whichever is greater. In addition, data subjects have enhanced rights under the GDPR which can have a cost impact for businesses, and those rights may lead to complaints, which may in turn lead to the risk of fines.
Why should Insolvency Practitioners take note?
Insolvent companies or individuals over whom Insolvency Practitioners are appointed will be regarded as “data controllers” for the purposes of the GDPR in relation to data relating to their employees and also in many cases in relation to their customer data. This is not relevant for information held by insolvent individuals for their own private use – just business use. Where Insolvency Practitioners are appointed as office-holder of the insolvent estate, it will be the responsibility of the Insolvency Practitioner to ensure that the insolvent estate over which they are appointed (as well as the Insolvency Practitioner and their staff) fully complies with the requirements of the GDPR.