data security


By Tom Murray, Friel Stafford Chartered Accountants

Whilst many businesses started their preparation for the EU General Data Protection Regulation (GDPR) some time ago, many insolvency practitioners are now just starting to wake up to the implications caused by GDPR and are beginning to appreciate how they will have to change many of their protocols and procedures.

In simple terms, to be compliant with the new GDPR regulations, insolvency practitioners need to be aware of their responsibility to comply with the following:

  1. Mandatory notice obligations i.e. immediate changes required to ‘First Day’ letters to creditors, employees, directors and tenants. In terms of the mandatory notice obligations, the IP must provide notice to individuals explaining how personal information will be used and shared in a manner that is clear, concise, transparent, intelligible and easily accessible.
  2. The stricter rules on consent to using data.
  3. Their accountability for the data they maintain – record keeping, data privacy impact assessments, appointment of data privacy officers.
  4. Greater obligations imposed on third party contracts.

It should be noted that failure to comply with the above will lead to fines for breach of or noncompliance with the regulations.

Matters to consider upon appointment

When taking a new insolvency appointment, the IP should ask him/herself the following:

  • Is the company GDPR compliant? As part of this, ask to see evidence of processes and procedures.
  • Where are books and records held and are they secure?
  • Are books and records ‘in the Cloud’; are they secure?
  • What happens if the ‘Cloud’ provider claims a lien for IT costs?
  • What type of business is it?
  • What type of data is held?
  • What data needs to be collected, should the remaining data be destroyed through confidential shredding and what is the process for the disposal of old computer equipment?

Sale of Business / Assets

If an IP is selling on a business or specific assets, the IP will need to ensure that the disclosure of any data during a due diligence process is in compliance with the GDPR (kept secure, redacted, limited by purpose etc.).

IPs are prohibited from selling ‘data’ to parties either inside or outside the EU. In this respect, if IT equipment is sold then it must be ‘wiped’ of any personal data that is not included in the sale. The commercial reality is that the requirements of GDPR will make it more difficult for some ‘databases’ to be sold.

In circumstances where disposing of the company’s assets will involve transferring assets which include personal data (e.g. customer databases), personal data may accompany the sold assets once the transaction has completed:

  • Where the data continues to be processed for the same (continuing) purpose, and
  • This prospect is envisaged in the service terms and conditions for the customer to allow for the GDPR ‘fair processing’ requirement.
  • Opt-in consent is required from data subjects for a change of purpose (may not be practical to obtain in the timeframe).

Tom Murray

Friel Stafford Chartered Accountants, Dublin, Ireland
T: +353 1 661 4066, F: +353 1 661 4145

Friel Stafford is Ireland’s leading independent corporate restructuring and personal insolvency practice.

Tom Murray is a Partner in the firm and a past President of the Association of Certified Accountants in Ireland. He specialises in Restructuring & Insolvency, Corporate Finance and Forensic Accounting.

Published: Autumn 2018 | Photo: ©mooshny
