Malcolm Niekirk recently presented a webinar for us on the GDPR. He has kindly answered the questions that we didn't get time to get round to on the day. The questions, a message from Malcolm and his answers are below.
Please note that the webinar, including answers given to questions during the broadcast and here, is for education and training only. How data protection regulation applies to your practice will depend on the particular facts. For advice on that, you would need to provide additional information and I may need you to sign an engagement letter. I might also ask you to agree to pay a modest fee. But do ask, you might be lucky!
Malcolm Niekirk - email@example.com - 07413 164814
Alternatively please raise any questions on the post below so we can ensure that any general points get disseminated more widely.
Question: It seems to me that it will be very difficult for an officeholder to sell a database in the future unless there are detailed records, which are up to date and accurate, demonstrating that all the boxes have been ticked. It would also seem that the usual "sold with no warranties, excluding all liability of the officeholder, etc." will no longer give any protection. Is my understanding correct?
I’m more optimistic. Clearly, each case will depend on its own circumstances. For example, it will require more care if there is ‘sensitive personal data’.
Personally, I’d start with similar principles to the present ones.
Caveat emptor would be the first principle. I’d make sure the buyer accepts responsibility for identifying and putting right any deficiencies in the records they need to keep to comply with GDPR & DPA.
Legal compliance would be the second principle. I’d make sure the buyer undertakes to assess the data and destroy any of it for which the buyer cannot identify both a legitimate need, and a legal justification for keeping it and using it.
I could develop this theme; there are other points I could mention.
Question: Post GDPR can we dispose with individual DPA registration for each IP and rely on a firm registration?
It’s even better than that!
Nobody needs to register with the ICO after May 2018. So you can let both the IP and the firm registration lapse.
Question: How will Privacy Impact Assessments & Privacy by Design affect insolvency practitioners?
I dodged this question at the end of the webinar because it could easily develop into a theme by itself!
‘Privacy by Design’ is a legal requirement under GDPR. ‘Privacy Impact Assessments’ are the recommended way of getting to ‘Privacy by Design’.
Personally, I believe that there is an important principle of proportionality, based on the size of the organisation, the way it uses personal data, and how much personal data it holds.
Having said that, I’d go back to the point I made in the webinar that IPs planning to implement GDPR need to develop policies and procedures from three different perspectives:
1 The needs of their own practice, as a professional services firm.
2 The needs of themselves, as statutory appointment-takers, with personal responsibility and accountability.
3 The potential responsibility when becoming agent for a corporation which itself may have inadequate compliance. That will be different in a trading receivership (for example) and a liquidation break-up.
I am happy to discuss this further.
Question: Does an IP's insurance policy protect him for breaches where policy was followed but say a malicious employee releases sensitive data?
Ask your broker!
(If the broker says ‘no’, try another broker.)
Your policies and systems should make it difficult for someone to do this, and contain a plan for dealing with it if it happens.
Question: What I have taken from the presentation is that data on a case should be 'disposed of' safely and securely after a case is closed. However, taking the example of Green v Wright, what would happen if the data is required after a case is closed? How long should case data therefore be retained? How does this apply to time records? What about dealing with bankruptcies with unrealised assets that have gone back to the OR?
And, a similar question from another delegate:
Regarding the destruction of data when no longer needed. When is this? For example, in personal appointments (IVAs and Green v Wright) there can still be requirements to take action re, eg, the realisation of assets after the case has been closed. At what point should/could you destroy the personal information?
You must delete personal data you no longer need (with greater security, if ‘sensitive’). Your policies and procedures will identify the need.
For example, legal claims may be brought for six years after the claim arises, as a general rule. You may therefore decide to keep your files for six years, so you can bring a claim if you need to, and so you can defend a claim, if there is an unreasonable idiot out there, with a completely unjustified sense of grievance.
Having identified the need, that allows you to keep the data.
Question: In respect of marketing databases where you have individuals’ names, role within the organisation and contact details, is it sufficient to send a Privacy Notice and assume 'implied' consent if no response or do you need them to explicitly confirm acceptance to their details being held on file?
Which marketing database? Your own firm’s? Or a third-party database that’s an asset in an insolvency? The issues will be different.
For your own firm’s database, I think it will be fine simply to send a privacy notice. You’ll want to do that before May, for existing contacts, and after May, as new contacts go on.
Some firms may want to run a ‘do not contact’ database. Imagine how irritating it will be if you ask to take your name off a database, and then, a few days later, you get another email from them to tell you that they’ve just added your name. Particularly by the third time it happens.
The key issue is going to be in getting the wording of the privacy notice right.
Question: Where the IP has an outsourcer, how should the IP go about ensuring that the outsourcer, as data processor, is compliant with the GDPR requirements?
There is no need for any particular formalities. Just record it in writing, make sure the outsourcer understands and agrees their responsibilities, and that you, and others, may seek financial redress if they don’t perform. Yep, a contract!
Question: Does data held have to be encrypted?
Actually, the full answer is a bit more complicated. Suppose you suffer a data breach. It’s much less of a problem if the stolen laptop has an encrypted hard drive, and the client files on it are themselves encrypted.
There was an example, under existing legislation, where a barrister was fined for losing a laptop which contained sensitive data that was not encrypted.
But neither the GDPR nor the Data Protection Bill require the use of encryption. It’s a practical measure rather than a defined regulatory requirement.
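The answer above describes encrypting the client files themselves, on top of the encrypted drive, so that a stolen laptop yields nothing readable. The following is an added illustration of that practical measure, written for this page and not taken from the webinar or from any product Malcolm mentions. It assumes AES-256-GCM (authenticated encryption) as the file-level scheme, a key generated from the operating system's random source and kept separately from the files (for example, released only by the disk-encryption login), and a constructed sample client record standing in for a real case file. It shows the three outcomes that matter after a breach: the right key recovers the file, the wrong key recovers nothing, and any alteration of the stored blob is detected rather than silently decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample client record; the reference and name are invented.
const sampleClientFile = "Case ref: CONSTRUCTED/0001\nDebtor: Jane Example\nCreditor schedule attached\n"

// NewKey returns a fresh 256-bit key from the OS CSPRNG. Assumption for this
// example: the key is stored apart from the ciphertext (key store, or unwrapped
// by the disk-encryption login), never in the same folder as the files.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals a file's contents with AES-256-GCM.
// The stored blob is nonce || ciphertext || authentication tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; reusing one with the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a blob written by Encrypt. GCM checks the tag before returning
// any plaintext, so a wrong key or a modified blob yields an error, not junk.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// RoundTrip exercises the three post-breach outcomes on the sample record:
// recovered with the right key, rejected with a wrong key, rejected when tampered.
func RoundTrip() (recovered, wrongKeyRejected, tamperRejected, plaintextHidden bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	blob, err := Encrypt(key, []byte(sampleClientFile))
	if err != nil {
		return
	}
	// The stored blob must not leak the record in the clear.
	plaintextHidden = !bytes.Contains(blob, []byte("Jane Example"))

	pt, err := Decrypt(key, blob)
	if err != nil {
		return
	}
	recovered = string(pt) == sampleClientFile

	otherKey, err := NewKey()
	if err != nil {
		return
	}
	_, wrongErr := Decrypt(otherKey, blob)
	wrongKeyRejected = wrongErr != nil

	// Flip one bit in the ciphertext body (past the nonce) and try again.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := Decrypt(key, tampered)
	tamperRejected = tamperErr != nil
	return
}

func main() {
	rec, wrong, tamper, hidden, err := RoundTrip()
	fmt.Printf("recovered=%v wrongKeyRejected=%v tamperRejected=%v plaintextHidden=%v err=%v\n",
		rec, wrong, tamper, hidden, err)
}
```

File-level encryption of this kind is what makes the difference Malcolm draws between a lost laptop that is a reportable incident and one that is merely a lost laptop; the drive encryption protects data while the machine is powered off, and the per-file layer protects it from anyone who gets past the login or copies the files elsewhere.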
Malcolm, your answer to the question about DPA registration and fees seems to be at odds with the publication from the ICO https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf - point 5 that seems to say we need to register. Can you please clarify?