Personal data is one of a company’s most valuable assets. Understanding and realising its value is an important factor in buying and selling a business. When assisting clients involved in mergers and acquisitions, The DPO Centre’s experience shows that data protection considerations boil down to four basic questions, namely:
Through the insight gained from the comprehensive toolkit The DPO Centre has developed to answer these questions, this blog will look we look at some of the underlying data protection considerations and the thinking behind them.
Does the seller have the right to transfer the personal data?
Before the GDPR, the underlying assumption of most businesses was that they owned and were free to profit from the personal data they held, whether the data be that of their customers, employees, suppliers, stakeholders or data held in their marketing databases. The GDPR has significantly adapted this perception, so now there is a greater understanding that personal data remains the property of the data subject and cannot be transferred indiscriminately.
So, are there circumstances where sellers cannot lawfully transfer personal data onto the purchaser? Some of the key things to consider include:
Do buyers have the right to use the data?
Assuming the seller has the right to transfer the personal data to the new owner, then it’s important for buyers to ensure they have the right to use the data and to understand whether there are any restrictions on its use. If you are the new business owner, think about the following before using any personal data that you have acquired:
Understanding potential liabilities
If the new owner is taking on the seller’s liabilities, it’s important to understand what they are. Obtaining a thorough understanding of the seller’s level of compliance up until a transfer of ownership typically involves a thorough audit covering a wide range of areas. Some of the key areas that an audit should understand include:
A comprehensive and structured audit process will uncover this information. In a trade and asset sale where liabilities can remain with the seller, it is important for the seller to understand the state of compliance and their own potential liabilities at completion. In a share sale, purchasers should look to the seller to provide warranties and indemnities in respect of data protection compliance.
Ultimately evaluating the value of any potential liabilities is a commercial question, but in order to make a reasoned assessment, it’s important to understand the extent of the seller’s compliance and any outstanding issues in a rigorous and structured manner.
Data Protection considerations for the transaction process
Ensuring the appropriate security, rights and permissions are in place throughout the acquisition process is the final key consideration. The extent to which personal data is shared and audited by buyers, sellers and their advisors typically increases through initial enquiry, populating the data room, due diligence, exchange, completion and post completion. It’s important to check that:
Data Protection is now a key consideration for mergers and acquisitions
Many companies and particularly those in emerging sectors such as ECommerce, AdTech, FinTech, the Internet of Things (IoT), AI and Life Sciences derive significant value from the personal data they process and the way they process it. There is much M&A activity and valuations are often eye-wateringly high. However, because of the data volumes and the technical complexity of processing it, the level of data protection compliance is often low. The Information Commissioner’s Office (ICO) is already paying special attention to how sectors such as Real Time Bidding (RTB) work (see our recent blog on about data protection in the AdTech industry).
The potential liabilities for getting it wrong are large but the increase in company value for getting it right is considerable. Traditionally data protection has not been high on the list of key considerations for M&A, however this is changing rapidly. It’s never been more important to ask yourself these four key data protection questions when buying and selling a business.
A comprehensive and structured approach to how you answer them is vital to realising value whether it’s as a buyer or seller.
Contact the DPO Centre if you need any help in auditing your data protection compliance or if you need assistance in putting a structured data protection framework in place.
Are you looking for more guidance? Enquire below
Fill in your details below and we’ll get back to you as soon as possible