It's the Data...

Data, data everywhere. All types: personal and non-personal. They are all invaluable. Corporations produce them and receive them. So does the potential buyer in an M&A transaction. How does a buyer valorize the acquired data? By thoroughly conducting a data risk assessment and by strategically navigating the regulatory framework.


Many often forget that large chunks of data will lie dormant at a company in an unstructured form because they are simply not used. To use data to its advantage, a company will have to collect, process, and store data in a structured form. This implies having and using adequate networks, hardware platforms, IT applications, and data collection and processing tools. A potential buyer should determine whether these systems are in-house developments or acquired or licensed. The type of system will indeed affect the rights of the company and whoever will be buying the data.

A buyer will usually be able to spot untapped opportunities in data assets or believe that it can create additional value by running the data through its own data processing tools. But it cannot simply do so. A buyer’s rights to data assets can be restricted by privacy regulations, IP rights, contractual terms, confidentiality agreements, license agreements, competition law, and the list goes on.

The true value of data assets depends on many factors. The most important one is the correct handling of data throughout its lifecycle. Data assets must be collected, processed, stored, transferred, and used lawfully. Buyers must therefore conduct a thorough due diligence of the target’s data policies, IT infrastructure, and cyber security practices and protection mechanisms. This is a vital step. As a buyer will likely find data breaches, the more important question is determining how significant they are. Buyers can mitigate these risks to a certain extent through customary representations and warranties, indemnities, price adjustments, etc. But what they often forget is that any improper handling of data prevents its further use, which could potentially be the deal-breaker.

Many often perceive wrongly that significant risks could arise only in relation to acquired personal data. The GDPR principles of purpose limitation and transparency are notorious for shattering a buyer’s plans for the target’s personal data assets. But a buyer can run into choppy waters when it comes to the target’s rights to non-personal data assets.

Non-personal data assets certainly do not fall under the scope of the GDPR, but they could in fact be limited by licence agreements, confidentiality agreements or IP rights. Having regard to good data governance, corporates are increasingly imposing restrictions on their data recipients. The B2B contracts concluded between them often stipulate that data may only be used and disclosed to perform the contracted services and may not be used or disclosed for other purposes. Buyers see this as a risk that could affect the deal. To possibly mitigate these types of risks, buyers conduct a due diligence and renegotiate commercial contracts afterwards. If this is not possible, they can still make the necessary adjustments to transaction documents, data business plans, and their post-closing planning.

Unfortunately, the trickiest questions relating to a target’s data assets often come up only at halfway through the deal. Careful pre-deal planning is essential for managing costs, meeting deadlines, and achieving overall success for the deal. If the seller’s group did not carefully identify, extract, and migrate data assets from shared systems, this could cause significant delays and create extra costs. But even if data segregation and migration might not be necessary, buyers should be aware of the risks involved in integrating IT systems post-closing. For example, some systems are not compatible, meaning data assets cannot be merged or they require costly re-coding. And if IT systems need to be integrated, buyers should consider staff training and preparation as an important risk also, which should not be overlooked (see Strelia M&A Series June 2019).


Data analytics, machine learning and artificial intelligence. These are all hot topics nowadays. As regulators get to grips with these innovative processes, the regulatory framework is bound to change rapidly. On 25 November 2020, the EU Commission issued a Proposal for a Regulation on European data governance. In addition, there is the evolving case-law on privacy laws, IP, competition law, and product liability in relation to data assets.

With data being part and parcel of M&A, information and data exchange is crucial in deal-making. Buyers should therefore valorise the acquired data by conducting a solid and thorough risk assessment that enables them to navigate the regulatory framework strategically.

Gisèle Rosselle

Cederic Devroye

Thijs Keuleers