(Data) Privacy Behind The Corporate Veil: Avoiding Data Pitfalls In M&A - Part 3
For our third and final article in the "Behind the Corporate Veil: Privacy in M&A" series, we look at the top three common queries we have received from clients in relation to data protection compliance in connection with their M&A transaction process.
1. Do we need to redact personal data from documents before they are uploaded to the data room?
One of the core principles of the GDPR and Data Protection Act 2018 is that personal data must only be processed if it is lawful - i.e. you must satisfy one of the conditions set out in Article 6 of the GDPR. The most commonly relied on condition for disclosure in corporate transactions is that the disclosure is necessary for the legitimate interest of the seller and/or the third party potential bidder to receive the personal data as part of the sale process, and that these interests outweigh any potential prejudice to the individual of having his/her information disclosed.
Importantly, personal data should be redacted or documents anonymised where personal data is not necessary for this purpose. That is, where the personal data is not relevant to a bidder's understanding of the target's organisation or business, or is otherwise not needed to enable the bidder to value the target. For example, bidders will not typically need to see personal data relating to every employee in the target's organisation. It is more likely to be necessary for the seller to disclose certain personal data relating to senior management and/or the board of directors, so the leadership team can be appropriately assessed. Accordingly, rather than uploading signed employee contracts, the seller should consider uploading a template contract.
Separately, the seller may consider a phased approach for disclosing personal data where required; initially uploading high-level truly anonymised information and holding back personal data until later in the sale process (for instance when a single, preferred bidder has been selected).
2. What (if anything) do we need in place with other parties to the transaction?
Non-disclosure agreements (NDAs) with bidders should take into account data protection and include relevant provisions which address the sharing of personal data. The scope of the NDA and its controls around use of the "confidential information" should also apply to personal data that is disclosed.
Contracts with virtual data room (VDR) providers will also need to include data processing clauses to reflect the requirements under Article 28 of the GDPR. The clauses will need to set out the prescribed terms, including commitments relating to data security, restrictions around subprocessing of personal data and erasure / return of personal data when it is no longer required.
In addition, if the potential buyer or VDR provider is located outside of the European Economic Area, the NDA should also incorporate appropriate safeguards to transfer personal data under Article 46. This is often met by incorporating the European standard contractual clauses in the NDA.
3. Do we need to document any information from an "accountability" perspective?
Under the new principle of accountability, sellers will need to keep records of the assessments setting out analysis on the bases for processing. Sellers may want to consider putting together a short form Privacy Impact Assessment for all transactions. The purpose of the Privacy Impact Assessment is to look at the data protection risks in relation to the processing activities, the technology used, the purpose of the processing, the third parties with access to the personal data and any mitigating factors to address risks identified.
In addition, where legitimate interest is assessed to be the most appropriate lawful basis for disclosure in relation to an M&A transaction, the seller will need to complete a legitimate interest assessment. The legitimate interest assessment is a balancing test of the legitimate interest pursued by the seller or third party (bidder) and the fundamental rights and freedoms of the data subjects involved.
Bite-sized news
- Guidance on Encryption. The ICO has issued guidance on encryption and passwords in online services to help companies understand when such technologies and technical measures should be applied. Article 32 of the GDPR identifies encryption as one example of appropriate technical security. The guidance highlights that such security solutions are widely available and relatively low cost, which seems to suggest that the ICO considers technical security measures should include data encryption as a minimum. Sending out signals that the ICO is going to take a stronger stance against ineffective security standards, the guidance implies that if data is lost or destroyed and it was not encrypted, regulatory action may be pursued.
- UK Government signs modernised Convention 108. The UK government has become one of the first signatories to the Council of Europe's Convention 108 in a step to demonstrate its commitment to strong data protection standards. Convention 108 was originally adopted in 1981 and concerns the protection of individuals with regard to automatic processing of personal data, covering how data is obtained and lawfully processed and additional safeguards for the data subject. The modernised Convention also looks to strengthen international cooperation between supervisory authorities with a requirement that they co-ordinate their investigations, conduct joint actions where possible and share information.
- Investigatory Powers Act 2016 amended. The Data Retention and Acquisition Regulations 2018 (Regs) came into force on 1 November and aim to strike a balance between the rights of individuals and the need to ensure effective law enforcement in the interest of national security. The Regs amend key provisions of the Investigatory Powers Act 2016 (IPA) and Regulation of Investigatory Powers Act 2000. The IPA (as amended) legislates for the retention of communications data by postal providers and telecommunications providers and the acquisition of such data by public authorities.
With special thanks to Helena Brackenridge and Kishen Vora for their contribution.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.