Last week’s blog post flagged up the changes being implemented by the General Data Protection Regulation (GDPR) due to come into force on 25 May 2018. This week we’re looking at some of the issues that might arise on a lending transaction.
Borrowers will often be businesses who are under an obligation to comply with the GDPR. It is important that those involved in corporate lending understand the obligations so that borrowing clients can be steered accordingly. The bank or funder that you work for may have everything in hand for its own compliance, but what about those you are lending to?
Higher risk transactions
Although the GDPR applies to all businesses, sectors handling large volumes of personal information need to be particularly on the ball. If you have a customer in this category, it may well be worth checking they have matters in hand rather than taking a wait-and-see approach. For example, healthcare, education (or other businesses linked to children or that process special categories of personal data – formerly known as “sensitive” personal data), big data businesses, professional services and many retailers (particularly those with online services).
Your customer may have everything in hand but if they are acquiring another business they need to be reviewing that target business to ensure it too will be compliant in time in order to continue with its everyday business following completion.
The transaction may also need to take into account concerns such as:
- data rights of employees;
- how the buyer intends to use the data and if this will require new consents from individuals;
- sub-contracts with contractors who process personal data to ensure they comply with the new requirements under the GDPR;
- weaknesses in the target’s cyber security that put it (and possibly the buyer group) at higher risk of attack; and
- whether the target needs to appoint a Data Protection Officer.
Acquisition agreements can include provisions to address GDPR risk but these are no replacement for good due diligence.
The GDPR will extend to all businesses processing the data of individuals who reside in the EU, regardless of the location of the business. So it will be important that a borrowing company that is not based in the EU is informed of the need for strict control over EU residents’ personal data.
The GDPR also introduces the following key changes which are of relevance to businesses:
- accountability – it will not be enough for a business to be compliant with the GDPR and they will also be expected to demonstrate compliance. Records will need to be maintained about the flow and use of personal data and policies and procedures will need to be documented and updated regularly.
- breach notifications – any notification of a data breach, where there is a risk that the rights and freedoms of an individual could become compromised, must be reported to the relevant supervisory authority within 72 hours. Where this is a high risk, individuals may also need to be informed.
- right to access – individuals must be notified about the data held on them, how it is being processed and for what purpose. They can also seek copies of their data and this must be provided without charge within one month. Your customers are likely to need to update their processing notices and will need to have an efficient IT system in place along with the ability to record where exactly data is held in order to comply with these requirements.
- privacy by design and default – this requires the design of any new IT, or other, system to include data protection systems from the outset.
What should organisations be doing?
All organisations should be looking at the implications of the GDPR now. A fundamental starting point is to audit all processes and procedures relating to the processing of personal data. This will require input from most areas of an organisation including IT, compliance, legal and HR.
Questions to ask of your own business if you have not started the process and questions your corporate customers should be asking include:
- Do you know what data your organisation holds, about whom, and why?
- Where did the data come from and where is it held?
- Who else has access to it?
- What are your policies on the life cycle of data processing?
- Do your agreements, policies and procedures comply with the requirements under the GDPR?
- Might you need to appoint a Data Protection Officer?
Lenders are not legal experts, and won’t be expected to provide exhaustive advice when providing financial services. However, having a basic understanding, which may well stem from your company’s own GDPR initiatives, can help you know which questions to ask or why it is an issue.