What data protection issues should I consider before doing M&A?

Why is it important?

The significant fines that can be incurred under the General Data Protection Regulation (2016/679/EU) (GDPR) have brought data protection high on the list of considerations before undertaking M&A activity, whether as a seller or buyer.

Non-compliance can incur fines as large as €20 million or 4% of the previous year’s global turnover, whichever is greater. Other sanctions can also be imposed which can inhibit personal data processing. Adverse publicity may also arise from non-compliance.

Personal data transfer will arise during the transaction, particularly data relating to the target company’s staff and customers, although much will depend on the nature of the business.

The jargon

A controller is anyone or any organisation that decides the means of processing personal data and the purposes of such processing.

A data subject is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number or online identifier.

Personal data is any information relating to an identified or identifiable data subject.

Processing is anything that is done with personal data, such as collection, use, storage, dissemination and destruction.

I’m selling, what should I do?

Check that the target company has complied with data protection laws (as well as any other relevant legislation), since it’s likely the sellers will be required to warrant such compliance in the sale and purchase agreement. If there are any areas of non-compliance, fix those before selling as far as possible and be prepared to disclose the non-compliances in the disclosure process as part of the sale transaction.

Check that any necessary registration with the Information Commissioner’s Office (ICO) is up to date and all fees paid.

Check whether the target company has the ability to sell personal data as part of a sale. To achieve this, individuals need to have been given notice that their data may be sold to a third party buyer in the future, either in a fair processing notice to employees or, in relation to customers, the appropriate privacy policy on a customer-facing website.

To avoid notifications in respect of disclosure to potential buyers, ensure all data disclosed to potential buyers in the due diligence process is anonymised and that suitable non-disclosure agreements are in place.

Consider how to safeguard the information, such as using a secure data room. If using a data room, ensure that access to the data room is controlled and supervised. Ensure you know who has access to it. Consider whether to limit downloads and printing from the data room.

For transfers of personal data outside the EEA, check whether the host country has an adequate level of protection, adequate safeguards are in place or a derogation applies.

After completing the sale, ensure compliance is maintained. If the sale was carried out by an auction process, contact the unsuccessful buyers to ensure any personal data received by them during the due diligence process is returned or destroyed. Check whether the sale has any impact on the seller’s own compliance or registration. Ensure data that is no longer needed is passed on to the buyer or destroyed.

I’m buying, what shall I do?

Consider what data is needed to carry on the business of the target following the acquisition. Are you intending to use the data in a different way to that of the seller? How significant is data to the target company/business?

Check your due diligence process includes questions relating to compliance (including payments of fees), the seller’s approach to compliance, enquiries, notices or claims relating to data protection, details of data subject access requests that are outstanding, data protection policies, details of fair processing notices given to staff, sources of personal data and how it is stored and used, and copies of any agreements relating to data protection.

Ensure you only receive anonymised personal data that you really need at the appropriate time. Ringfence the information from other general company information, so that the data can be returned or destroyed easily if the acquisition does not go ahead. Ensure your employees receiving or analysing the target’s data are aware of confidentiality and do not share the information beyond the deal team.

After completing the acquisition, audit the target company in respect of compliance and take all steps to make the target company compliant, if it was not before. Check whether your own registration needs updating to reflect the enlarged group. Destroy any information received from the seller that is not needed, such as any relating to staff that have long since left.

Data processing agreements of the target company should be checked. They may need to be novated to the buyer entity or terminated if they duplicate the buyer’s existing arrangements.

 

 
