22/08/19

M&A and GDPR – possible pitfalls when buying a business (part 2)

Following on from our first article on M&A and data protection, which focused on the seller's perspective (available here), this second article explores how the buyer of a target company (the "Target") should look at an M&A transaction through the lens of GDPR compliance, and the questions it should ask to ensure that the Target has given proper consideration to data protection.

Acquiring? Make sure the Target's approach to data protection is properly assessed

In light of the stricter sanctions regime under the GDPR and the cost associated with implementing compliant processes, getting a clear view of how the Target approaches its data protection obligations at an early stage of the transaction is critical. This will help you understand the overall risk you are acquiring and more accurately value the Target.

Full analysis of the Target's internal IT systems and data protection processes is key to achieving this. A buyer should consider how the Target is able to demonstrate compliance with each of the GDPR's data protection principles.

Moreover, as part of its due diligence, the buyer should assess whether the Target has:

  1. Established GDPR-compliant policies, procedures and records (including records of processing activities) in order to comply with its accountability requirements?
  2. Communicated appropriate fair processing notices in order to comply with its transparency requirements?
  3. Updated all of its contracts with service providers which process personal data on its behalf to comply with the specific requirements under Article 28 of the GDPR? (For example, the contract must set out the terms of the processing (its subject matter, duration, nature and purpose), commitments relating to data security, restrictions on sub-processing of personal data, and the erasure or return of personal data when it is no longer required.)
  4. Transferred any personal data outside of the EEA and, if so, done so lawfully and subject to appropriate safeguards?
  5. Trained its staff appropriately in data protection?
  6. Any instances of historic non-compliance (including personal data breaches) or existing data protection liabilities which may be inherited on completion?
  7. A proactive approach to data protection governance? (For example, appointment of a data protection officer or another person responsible for data protection in the organisation.)

An unfavourable response to any of the above questions should act as a red flag. Ultimately, the reputational risk and the cost of compliance remediation will fall on the buyer of a Target that has failed to bring its practices in line with the GDPR.

An ounce of prevention is worth a pound of cure

Accounting for data protection obligations as early as possible in the transaction is favourable for both buyer and seller, and a full understanding of the practical requirements and implications of the GDPR is essential for both parties to conduct themselves lawfully.
