Data and M&A: monetising the "new oil"
Data, data, everywhere, nor any bytes to monetise…
In today's borderless digital economy, data is the "new oil" – a valuable asset that can be monetised, bought and sold, merged and shared. Responding to evolving consumer behaviour and preferences has become essential to businesses that are being asked to provide tailored products and services on demand, and at a lower cost. We are seeing increasing transactions involving buyers that are keen to exploit data. These include acquisitions of data-driven companies, of the data itself and of infrastructure through which data is processed, stored and/or transmitted. We have also seen a rise in strategic transactions, such as co-investments and joint ventures, which enable businesses to collaborate and benefit from a larger pool of data, without having to change the nature of their business or grapple with the integration of a new data-driven subsidiary.
Issues in transactions
Dealing with data in an M&A context might typically involve reviewing policies and procedures, asking questions about past breaches and compliance with data protection laws, and requesting warranties based on the information gleaned from that process. Time and other pressures often mean that data issues are not scrutinised as closely as they should be. However, for data-driven transactions, a comprehensive and holistic approach is essential. Specialists should be involved from the start to assess the following issues:
- Regulatory compliance: this could include tax, antitrust, intellectual property, employment and sector-specific laws, alongside compliance with data protection and, in particular, the forthcoming General Data Protection Regulation (GDPR).
- Data strategy: does the target have one, and how is it implemented? Crucially, what data does the target have, how is it used, what rights does it have to use the data and what obligations does it have in respect of data?
- Due diligence: the integrity of data and data infrastructure is paramount. Cyber auditors and forensic data scientists can conduct technical reviews and identify risks and remediation steps.
- Documentary review: this should go beyond data policies and procedures to include relevant commercial and employee contracts. It is essential to understand who has what rights, and what types of behaviour may give rise to risk.
- Business plan: the costs of technology investment and compliance should be analysed and factored into the price.
- Continuity: post-completion agreements for transitional services arrangements and separation matters may be necessary to ensure business continuity and facilitate integration. These can be very complex and stakeholders must engage on them properly and early on in the process.
Doing your homework pays dividends
Entry into new markets or segments and capitalising on synergies through e.g. merging data sets may not be possible if the target does not have full exploitation rights to the data, and thorough diligence is therefore vital. Ultimately, M&A is largely about deriving value while minimising risk. Buyers who understand how to meet the challenges of harnessing that value will be better placed to deliver successful M&A transactions and achieve tangible results.
Byte-sized news
- Charges for data controllers. The UK Government has published the draft Data Protection (Charges Information) Regulations 2018. The regulations set out when data controllers will be required to provide details of their processing to the Information Commissioner's Office (ICO) and pay a notification fee, unless the processing is exempt. The new three-tiered structure will see large data controllers charged £2,900 a year to notify their processing activities unless they are charities. The regulations will come into force on 25 May 2018 in line with the GDPR. The ICO has published a guide to the draft regulations.
- Guidelines for certification bodies. The EU's Article 29 Working Party (WP29) has published a consultation on guidelines for accreditation of certification bodies under the GDPR. WP29 aims to provide guidance on implementation of Article 43 of the GDPR, which endorses the use of approved codes of conduct and certification mechanisms to demonstrate compliance. The guidance seeks to establish a consistent, harmonised baseline for the accreditation of certification bodies. The deadline for comment is 30 March 2018.
- Insurance gets a steer from LMA on GDPR notice requirements. The Lloyd's Market Association (LMA) has issued a GDPR Core Uses Information Notice to assist the insurance industry and market players in understanding how they can meet the requirements under the GDPR to notify their processing activities to consumers. The LMA guidance proposes a three layer, cascade approach to notices, splitting out policy wording and consumer agreements (Layer 1), a specific market participant’s long form information notice (Layer 2), and the LMA-drafted "Core Information Notice" (Layer 3). The LMA notes that in order for the proposed "cascade" notification to work it would require consensus between market participants. The guidance will be updated when the UK Data Protection Bill is enacted.
With special thanks to Gita Shivarattan and Erin Abraham for their contribution.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.