The impact of the GDPR on mergers and acquisitions
In any corporate transaction, data transfer will be at the front of everyone’s mind. Following the introduction of the GDPR on 25 May 2018, here are some top tips to ensure compliance:
1. Confidentiality Agreement
Before any data is shared, a seller should insist that a confidentiality agreement is entered into with any prospective buyer. Outlining the permitted use of the data, obligations in respect of retention, storage and destruction and the transfer of data within the EEA are just some of the terms that should be included. Where a buyer is located outside of the EEA, an international data transfer agreement may be appended to the confidentiality agreement.
2. Extent of disclosure
In a transaction, personal data will be disclosed by both the seller and the buyer. Unless there’s a legal obligation to rely upon, such as the Transfer of Undertakings (Protection of Employment) Regulations (TUPE), the parties will need to rely on the legitimate interests ground. A seller must therefore satisfy itself that disclosure as part of the sale process outweighs the potential harm to the individual whose data is disclosed. Whilst there is always performance of a contract to rely on, at the time of disclosure there is often no contract in place, only heads of terms and a negotiation process.
Disclosure of personal data should be deferred until the last opportunity to ensure that only the necessary personal data is disclosed to the buyer. In any case, where possible and unless an individual’s identity is necessary, for example in the case of directors, data should be anonymised prior to being shared with a buyer.
Where sensitive personal data is disclosed, including an individual’s ethnicity, health, sexual orientation, religious beliefs and political views, express consent will be required, and additional care will need to be taken by a buyer when handling such data.
3. Due Diligence
A buyer should not be complacent about the importance of understanding how the seller collects, stores, uses and transfers personal data. Identifying the data protection officer, establishing whether data was obtained lawfully and understanding what data processing policies and agreements with third parties are in place are just a few of the due diligence questions that a buyer should be asking. Understanding the data protection set-up of the seller at an early stage will allow a buyer to assess the risk and highlight any potential data breaches.
4. Data Rooms
A seller should ensure that any data room is monitored, and access is only given to those who require it. A data processing agreement should also be in place between the third-party data room provider and the seller to reflect the position of the third party as a data processor.
5. Transaction Risk
The due diligence exercise may reveal deficiencies in the seller’s data protection procedures and therefore increase the risk to the buyer. A buyer may request enhanced warranties, specific indemnities or place conditions on the transaction to mitigate risk from such deficiencies.
6. Post Completion
Once the transaction has completed, a buyer will need to consider the present and intended future uses of the personal data acquired. An assessment will need to be made as to whether further consent is required and if data will be transferred outside of the EEA.
In addition to our employment law offering, Austin Moore & Partners has vast expertise in dealing with corporate, property and commercial transactions. As a boutique law firm with roots firmly based in the East Midlands, our team combines considerable experience, local knowledge and reputation to provide unparalleled support to clients, offering big firm experience with small firm values.