A data protection checklist for mergers and acquisitions is a useful tool to help both parties understand what documents should be included to demonstrate compliance with data protection laws.
Sellers should have comprehensive documentation of all data protection processes and policies. This will give a clear picture to the buyer, which boosts confidence and allows for a smooth due diligence process.
Buyers should thoroughly evaluate the seller’s data protection practices and assess the associated risks and liabilities. A systematic review of documentation can clarify any issues, inform decision-making, and aid the integration of data processing after the acquisition.
In this blog, we cover the importance of data protection compliance for M&A transactions and provide a checklist of some of the core documentation that should be up-to-date and in order. The checklist references GDPR compliance, relevant for organisations processing the data of EU and/or UK individuals, but for organisations in other jurisdictions, local data protection legislation will apply.
But before we dive in, let’s look at how data protection can affect deals and some of the key lessons learned from Marriott’s well-known acquisition of Starwood Hotels.
A 2019 study of over 500 M&A practitioners across Europe, the Middle East and Africa (EMEA) by Euromoney Thought Leadership Consulting revealed that the General Data Protection Regulation (GDPR) had a significant impact on the M&A process for many organisations.
55% of M&A practitioners surveyed confirmed that they had experienced unsuccessful negotiations due to concerns about the target company’s data protection and GDPR compliance. The study broke this down into different regions:
Whether you are selling or acquiring, a thorough data protection audit is essential. It not only mitigates risks but ensures both the acquiring and the target companies adhere to legal obligations.
In 2016, Marriott International acquired Starwood Hotels & Resorts Worldwide, creating the world’s largest hotel chain. As Starwood Hotels continued as a going concern, Marriott International acquired all ongoing liabilities that Starwood may have incurred.
The merger was successful, but shortly after the acquisition, Marriott discovered a massive data breach in the Starwood reservation system.
The breach severely impacted Marriott’s reputation and resulted in significant financial losses.
The breach exposed sensitive information of approximately 500 million guests, including names, addresses, passport numbers and payment card details.
Importantly, the breach had been ongoing for years before it was detected, which highlights a significant oversight in the due diligence process of the M&A transaction.
The Marriott-Starwood merger took place before the enforcement of the General Data Protection Regulation (GDPR). However, it is used as an example of what can happen if mergers proceed without a thorough assessment of a target company’s data security practices.
Marriott should have undertaken a comprehensive audit of Starwood’s systems, data handling procedures and cybersecurity measures.
Now, with the evolution of data protection legislation, the parties involved in M&A transactions must consider data protection regulations and ensure compliance across all personal data processing operations.
A data room, also known as a virtual data room (VDR) when provided in an online format, is a secure place for storing documents during business processes such as mergers and acquisitions, due diligence, fundraising, IPOs, audits and legal proceedings.
A data room or VDR is a required element of an acquisition process. Both the buyer and seller have requirements for the due diligence process and a data room allows the buyer to review data and documents without needing to access live systems.
Sellers must ensure a VDR is organised and secure. A well-managed data room with organised documents increases buyer confidence and streamlines the M&A process. The VDR is also a repository for large volumes of sensitive and potentially highly valuable information. Therefore, it is crucial to check the security and data protection practices of the VDR vendor.
It is also important to limit the amount of personal data shared, where possible. Consider what must be shared as part of the disclosure process. Essential documents may require redaction or other remediations to safeguard sensitive information.
Buyers must complete thorough due diligence and go through everything in the VDR to ensure the purchase is well-founded and aligns with strategic objectives. Essentially, buyers need to know whether they are making a sound investment.
Any ongoing data protection risks must be included in the agreement. Strategies may include fundamental representations, special indemnities, escrows, and limiting disclosures.
When compiling data protection documentation for a data room, it is important to highlight that these records should already be part of ongoing data protection compliance maintenance.
Documentation should reflect an ongoing commitment to data protection best practices, rather than being produced solely for the sake of the merger or acquisition.
Ultimately, the goal is to establish a solid foundation for data protection governance that extends beyond the transaction. This will safeguard the interests of both parties and ensure the privacy rights of the individuals whose data is being processed.
The DPO Centre provides a wide range of outsourced data protection services, including Data Protection Officers (DPOs) and EU and UK GDPR Representatives.
Our experienced DPOs work with organisations across the span of industry sectors to assist buyers and sellers with M&A processes and to implement best practices that ensure compliance with data protection laws.
For more news and insights about data protection, follow The DPO Centre on LinkedIn.