Personal data is one of a company’s most valuable assets. Understanding and realising its value is an important factor in buying and selling a business. When assisting clients involved in mergers and acquisitions, The DPO Centre’s experience shows that data protection considerations boil down to four basic questions, namely:
- Does the seller have the right to transfer personal data?
- Can the purchaser use the data lawfully after the sale?
- Are potential data protection liabilities understood?
- Have data protection considerations been sufficiently built into the transaction process?
Drawing on the insight gained from the comprehensive toolkit The DPO Centre has developed to answer these questions, this blog looks at some of the underlying data protection considerations and the thinking behind them.
Does the seller have the right to transfer the personal data?
Before the GDPR, the underlying assumption of most businesses was that they owned and were free to profit from the personal data they held, whether the data be that of their customers, employees, suppliers, stakeholders or data held in their marketing databases. The GDPR has significantly adapted this perception, so now there is a greater understanding that personal data remains the property of the data subject and cannot be transferred indiscriminately.
So, are there circumstances where sellers cannot lawfully transfer personal data to the purchaser? Some of the key things to consider include:
- Do the sellers’ privacy policies allow for the sale of the business and a change of ownership?
- If data subjects have provided their consent (including explicit and parental consent for children), then can this consent be lawfully transferred to the purchaser?
- If the seller is processing data on behalf of a third party, then do data sharing agreements allow for a change of ownership or control?
Particularly in a trade and assets sale, rather than a share sale, don’t forget that the new owner’s privacy policy may no longer be applicable. Also remember that consent may not be transferable in the event of a change of ownership unless this eventuality was foreseen and stated when consent was given and is reflected in the privacy policy that was in force at the time the consent was provided.
Do buyers have the right to use the data?
Assuming the seller has the right to transfer the personal data to the new owner, then it’s important for buyers to ensure they have the right to use the data and to understand whether there are any restrictions on its use. If you are the new business owner, think about the following before using any personal data that you have acquired:
- Will you use data for the same purpose as it was used for by the previous owner? If there is a change of purpose, it’s important to ensure there is still an appropriate lawful basis for processing.
- If consent is being used as a lawful basis then new owners should ensure that the consent is transferable. If not, it may be necessary to renew consent from data subjects before continued processing. Having a clear, unambiguous record of how consent was originally given, and on what basis, is key. If there will be restrictions on new business owners contacting data subjects after the transfer, the ability to renew consent should be discussed with the current owner at the early stages of the transaction.
- Where will the data be stored and processed after the purchase? If personal data is to be stored outside the EU, then it should be held in a country considered adequate by the European Commission. If not, another lawful transfer mechanism will need to be put in place, e.g. Standard Contractual Clauses, Privacy Shield etc.
- Who will the data be shared with? It’s important to ensure the new owner has appropriate data sharing agreements in place and, if relying on the business vendor’s original data sharing agreements, that these agreements can be legally re-assigned if necessary
Understanding potential liabilities
If the new owner is taking on the seller’s liabilities, it’s important to understand what they are. Obtaining a thorough understanding of the seller’s level of compliance up until a transfer of ownership typically involves a thorough audit covering a wide range of areas. Some of the key areas that an audit should cover include:
- Has all personal data been catalogued and mapped accurately and comprehensively?
- Are their Records of Processing Activities complete and up to date?
- Have robust DPIAs been completed for high risk data sets?
- If Legitimate Interest is being used as a lawful basis, have Legitimate Interest Assessments (LIA) been done?
- Has the data been obtained fairly and lawfully, with transparent privacy and consent notices?
- Have comprehensive consent records been maintained?
- Who has the data been shared with and have other processors handled it appropriately?
- Have there been any breaches?
- Are there any outstanding responses to individuals’ rights requests (such as DSARs)?
- Are there any outstanding or potential claims/investigations with respect to data protection?
A comprehensive and structured audit process will uncover this information. In a trade and asset sale where liabilities can remain with the seller, it is important for the seller to understand the state of compliance and their own potential liabilities at completion. In a share sale, purchasers should look to the seller to provide warranties and indemnities in respect of data protection compliance.
Ultimately evaluating the value of any potential liabilities is a commercial question, but in order to make a reasoned assessment, it’s important to understand the extent of the seller’s compliance and any outstanding issues in a rigorous and structured manner.
Data Protection considerations for the transaction process
Ensuring the appropriate security, rights and permissions are in place throughout the acquisition process is the final key consideration. The extent to which personal data is shared and audited by buyers, sellers and their advisors typically increases through initial enquiry, populating the data room, due diligence, exchange, completion and post completion. It’s important to check that:
- Non-disclosure agreements include sufficiently robust data protection clauses
- Data sharing agreements between buyers, sellers and their agents are put in place as necessary
- Special attention is paid to setting up the data room. Ensure that it is sufficiently secure and consider where it is hosted, particularly if data is to be stored outside the EU. Make sure that it is only populated with necessary data and only accessed by authorised individuals
- Privacy policies are updated to state data may be shared for the M&A process
- Data protection provisions which continue to protect both parties are written into the sale and purchase agreement
- The Record of Processing Activities (RoPA) is kept updated throughout the transaction process recognising that personal data is being processed to support M&A activity
- Access restrictions are applied to the data room, so that personal data cannot be downloaded or removed
- All data, including that in the data room, is retained only for as long as required to evaluate and conduct the transaction and access is revoked as soon as the process is completed.
Data Protection is now a key consideration for mergers and acquisitions
Many companies, and particularly those in emerging sectors such as ECommerce, AdTech, FinTech, the Internet of Things (IoT), AI and Life Sciences, derive significant value from the personal data they process and the way they process it. There is much M&A activity and valuations are often eye-wateringly high. However, because of the data volumes and the technical complexity of processing it, the level of data protection compliance is often low. The Information Commissioner’s Office (ICO) is already paying special attention to how sectors such as Real Time Bidding (RTB) work (see our recent blog about data protection in the AdTech industry).
The potential liabilities for getting it wrong are large but the increase in company value for getting it right is considerable. Traditionally data protection has not been high on the list of key considerations for M&A, however this is changing rapidly. It’s never been more important to ask yourself these four key data protection questions when buying and selling a business.
A comprehensive and structured approach to how you answer them is vital to realising value whether it’s as a buyer or seller.
Contact the DPO Centre if you need any help in auditing your data protection compliance or if you need assistance in putting a structured data protection framework in place.