M&A and GDPR – possible pitfalls when buying a business (part 2)
22/08/2019

Following on from our first article on M&A and data protection focusing on the seller's perspective (available here), this second article on M&A and data protection will explore how the buyer of a target company (the "Target") should look at M&A transactions through the lens of GDPR compliance and the questions that should be asked to ensure that the Target has given proper consideration to data protection.

Acquiring? Make sure the Target's approach to data protection is properly assessed

In light of the stricter sanctions regime under the GDPR and the cost associated with implementing compliant processes, getting a clear view of how the Target approaches its data protection obligations at an early stage of the transaction is critical. This will help you understand the overall risk you are acquiring and more accurately value the Target.

Full analysis of the Target's internal IT systems and data protection processes is key to achieving this. A buyer should consider how the Target is able to demonstrate compliance with each of the GDPR's data protection principles.

Moreover, as part of its due diligence, the buyer shall assess whether the Target has:

  1. Established GDPR compliant policies, procedures and records in order to comply with its accountability requirements?
  2. Communicated appropriate fair processing notices in order to comply with its transparency requirements?
  3. Updated all of its contracts with service providers which process personal data on its behalf to comply with the specific requirements under Article 28 of the GDPR (e.g. the contract shall include the terms of the processing, commitments relating to data security, restrictions around subprocessing of personal data and erasure / return of personal data when it is no longer required).
  4. Transferred any personal data outside of the EEA and has it done so lawfully and subject to appropriate safeguards?
  5. Trained its staff appropriately in data protection?
  6. Any instances of historic non-compliance or existing data protection liabilities which may be inherited on completion?
  7. A proactive approach to data protection governance? (for example, appointment of a data protection officer or other person responsible for data protection in the organisation)

Unfavourable responses to any of the above questions should act as a red flag. Ultimately, bearing the reputational risk and cost of compliance remediation will fall on the buyer of a Target which has failed to bring its practices in line with the GDPR.

An ounce of prevention is worth a pound of cure

Accounting for data protection obligations as early as possible in the transaction is favourable for both buyer and seller and a full understanding of the practical requirements and implications of the GDPR is essential for both parties to conduct themselves lawfully.

Voir aussi : Ashurst LLP ( Mr. Clément Dekemexhe ,  Mr. Jörg Heirman ,  Mr. David Du Pont )

Mr. Clément Dekemexhe Mr. Clément Dekemexhe
Associate
[email protected]
Mr. Jörg Heirman Mr. Jörg Heirman
Senior Associate
[email protected]
Mr. David Du Pont Mr. David Du Pont
Partner
[email protected]

Click here to see the ad(s)

Derniers articles de Mr. Clément Dekemexhe

European Parliament Proposal for a future-oriented civil liability framework
02/11/2020

A new step on the path of AI-related regulation has recently been initiated. On 20 October 2020, the European Parliament (...

Read more

Artificial Intelligence and product liability – on a path to a new regulation?
24/08/2020

AI brings a myriad of opportunities to solve complex problems and improve productivity across all sectors of the economy. ...

Read more

EU White Paper on Artificial Intelligence – getting ready for the future (Part 2)
12/03/2020

Following up on our first article on the EU White Paper on Artificial Intelligence (available here), this second article w...

Read more

EU White Paper on Artificial Intelligence – getting ready for the future
24/02/2020

There has been quite some upheaval the last few weeks in the legal digital micro-space after a draft of the White Paper on...

Read more

Derniers articles de Mr. Jörg Heirman

European Parliament Proposal for a future-oriented civil liability framework
02/11/2020

A new step on the path of AI-related regulation has recently been initiated. On 20 October 2020, the European Parliament (...

Read more

Artificial Intelligence and product liability – on a path to a new regulation?
24/08/2020

AI brings a myriad of opportunities to solve complex problems and improve productivity across all sectors of the economy. ...

Read more

EU White Paper on Artificial Intelligence – getting ready for the future (Part 2)
12/03/2020

Following up on our first article on the EU White Paper on Artificial Intelligence (available here), this second article w...

Read more

EU White Paper on Artificial Intelligence – getting ready for the future
24/02/2020

There has been quite some upheaval the last few weeks in the legal digital micro-space after a draft of the White Paper on...

Read more

Derniers articles de Mr. David Du Pont

M&A and GDPR – possible pitfalls when selling a business
16/07/2019

As the GDPR's implementation fades further from the rear view mirror, factoring data protection into a range of busine...

Read more

LexGO Network