(Data) Privacy Behind The Corporate Veil: Avoiding Data Pitfalls In M&A - Part 1
As the GDPR's implementation fades further from the rear view mirror, factoring data protection into a range of business activities, including in M&A, is the new normal. The increased obligations introduced by the GDPR and the inevitable sharing of personal data in M&A transactions mean that those involved in M&A must understand the implications for each phase of the M&A process.
This three-part mini-series will explore how businesses should look at M&A transactions through the lens of GDPR compliance, and the steps which should be taken to ensure that, across all aspects of a transaction, due consideration is given to data protection.
While this mini-series will consider the issues primarily from the context of M&A transactions, there is significant crossover with other types of transaction which also include a due diligence and data room element (such as loan portfolio sales, securitisations and repackaging transactions).
Divesting? Take care around pre-completion disclosures of personal data…
The first step of any M&A transaction will usually be due diligence of a target company (the "Target"). Along with the disclosure of contracts, financial documentation and other information required for a potential acquirer to conduct due diligence, there will almost always be a corresponding disclosure of personal data of a wide range of individuals connected with the business (such as employees, customers, suppliers, creditors or borrowers).
For the vendor, as a controller of such personal data, it is critical that this disclosure is lawful and in accordance with the GDPR's data protection principles:
In practical terms, the principles require that the vendor ask itself the following questions:
| Question | Analysis |
|---|---|
| What personal data is being disclosed and why? | The vendor must ensure that personal data disclosures are relevant and limited to what is necessary (data minimisation principle). In practice, analysing and cleansing the personal data through a process of removal, redaction and anonymisation of personal data that is not necessary for the purpose will likely be required to satisfy the minimisation principle. For example, it may be necessary to disclose the employment contracts of senior management, but not of business support staff. In addition, vendors may consider limiting disclosure of personal data to early bidder pools and phasing access. |
| What is the lawful basis for disclosure, and how can it be demonstrated to a regulator that it has been considered? | The vendor must disclose personal data lawfully (lawfulness principle). A vendor must satisfy itself that the proposed disclosure falls within one of the lawful bases set out under Article 6 of the GDPR. In most cases, the disclosure in M&A transactions will be lawful as it is necessary for the purposes of the "legitimate interests" pursued by the vendor (i.e. the sale of the business); however, where this legitimate interest is overridden by the interests or fundamental rights and freedoms of the individual, the disclosure will not be lawful. In practice, where disclosing on the basis of legitimate interests, a vendor will be required to carry out a documented "legitimate interest assessment" (or "LIA"). An LIA is a formal internal record of the assessment carried out to ensure the legitimate interests basis is properly fulfilled, and can be used to demonstrate compliance to a regulator if required. |
| What do I need to do to protect the personal data which is disclosed? | The vendor must use appropriate technical and organisational measures to ensure personal data is disclosed securely (integrity and confidentiality principle). In practice, a vendor should: |
| Are the affected individuals aware that we are disclosing their personal data? | The vendor must disclose personal data fairly and in a transparent manner (fairness and transparency principle). For obvious reasons, in the context of a confidential M&A transaction a stand-alone notification to data subjects of the proposed disclosure of their personal data may be undesirable if not impossible. In practice, an explanation in the vendor's privacy notice that personal data may be disclosed in the context of the sale of all or part of the vendor's business should be sufficient notification to any affected individuals. The vendor must therefore satisfy itself that its existing notices include notifications which cover the proposed disclosure and that such notices have been communicated to the affected individuals in accordance with the GDPR. You can future-proof your position now by assessing your current privacy statement in advance of any future M&A opportunity. |
Acquiring? Make sure the Target's approach to data protection is properly assessed…
In light of the stricter sanctions regime under the GDPR and the cost associated with implementing compliant processes, getting a clear view of how the Target approaches its data protection obligations at an early stage of the transaction is critical. This will help you understand the overall risk you are acquiring and more accurately value the Target.
Full analysis of the Target's internal IT systems and data protection processes is key to achieving this. A buyer should consider how the Target is able to demonstrate compliance with each of the data protection principles set out above, and assess whether the Target has:
- Established GDPR compliant policies, procedures, and records in order to comply with its accountability requirements?
- Communicated appropriate fair processing notices in order to comply with its transparency requirements?
- Updated all of its contracts with service providers which process personal data on its behalf to comply with the specific requirements under Article 28 of the GDPR?
- Transferred any personal data outside of the EEA and has it done so lawfully and subject to appropriate safeguards?
- Trained its staff appropriately in data protection?
- Any instances of historic non-compliance or existing data protection liabilities which may be inherited on completion?
- A proactive approach to data protection governance? (for example, appointment of a data protection officer or other person responsible for data protection in the organisation)
Unfavourable responses to any of the above questions should act as a red flag. Ultimately, the reputational risk and cost of compliance remediation will fall on the buyer of a Target which has failed to bring its practices in line with the GDPR.
An ounce of prevention is worth a pound of cure
Accounting for data protection obligations as early as possible in the transaction is favourable for both buyer and seller, and a full understanding of the practical requirements and implications of the GDPR is essential for both parties to conduct themselves lawfully.
In the next part of this mini-series, we will consider the roles of various parties to the transaction and the data protection obligations each of them must fulfil.
Byte-sized news
Data Protection Sandbox. The ICO has opened a call for evidence for views on creating a regulatory sandbox. Following in the footsteps of the FCA, the ICO proposes to host a "safe space where organisations are supported to develop innovative products and services which use personal data in innovative ways." The sandbox approach has worked well for the FCA in both understanding emerging technologies and applications in the industry and shows the ICO's keenness to prevent data protection from becoming a barrier to innovation. The call for evidence is open until the 12th of October.
No-deal Brexit – the pendulum is still swinging. The Department for Digital, Culture, Media & Sport issued its technical note on the impact on companies' data protection practices in the event of a "no-deal" Brexit in March of 2019, in which it remains optimistic of a possibility that the EU Commission will make an adequacy decision in time for March 2019. This is looking increasingly ambitious and falls in sharp relief against the Commission's own advice in July, which intimated that the UK will be a third country under the GDPR on exit. While the Government's guidance on what steps may be needed to keep the data flowing in the event of a no-deal exit is helpful, ultimately, UK data controllers need certainty as a matter of urgency. In addition, EEA companies exporting data to the UK will be looking to their own regulators for guidance, rather than the view of the ICO.
Transparency and trust. On the 6th September the ICO issued the results of its trust and accountability survey, showing that trust in how companies handle personal data still needs improvement. Commenting on the result, Elizabeth Denham, the Information Commissioner, said: "there is still a long way to go and organisations need to realise that, unless they are trusted to properly look after people's personal data, they will fail to realise its potential benefits to their business or the wider economy".
Privacy Shield Ultimatum – now what? The EU Parliament issued a non-binding resolution pursuant to which the EU Commission was to suspend the EU-US Privacy Shield by 1st September 2018 unless the US Government complied with its terms. It's now almost two weeks after the ultimatum date and there has been no reported action from either side of the pond. This uncertainty will have many companies on tenterhooks as, if the Privacy Shield is declared invalid, quick reactions will be required to implement another data transfer mechanism. Whilst binding corporate rules are an investment and may not be practicable for all companies, they are fast looking to be the most reliable transfer mechanism available, with both the standard model clauses and the Privacy Shield under review.
With special thanks to Will Barrow for his contribution.