Research shows that 40 percent of acquiring companies involved in an M&A transaction discover a cybersecurity issue during the post-acquisition integration phase. (Source: Forbes)
That is why, with help from our contributor, we have published a set of data protection and privacy tips that decision-makers will find useful in such transactions.
4 Crucial Data Protection Questions to Ask Before Acquiring a Company
Many things need to be considered during M&A activity, but from a data protection standpoint it mainly comes down to four questions that a prospective buyer needs to ask before acquiring a business:
- Does the company being sold own the right to transfer business data as well?
- Will the purchaser gain the rights to use the business data after the sale?
- Are all the potential liabilities for data protection taken into account?
- Does the transaction process clearly outline the data protection considerations?
To help the key stakeholders in an M&A transaction understand the thinking behind these questions, the contributors explained in detail the data protection considerations that each question is trying to address.
“It was a common assumption of most businesses, before the GDPR, that they could own and profit from the business data they acquired, regardless of whether the data was that of their employees, customers, stakeholders or suppliers, or was stored in their marketing databases. However, the GDPR has changed this perception for most businesses, specifying clearly that the rights to business data cannot be acquired or transferred indiscriminately.”
At this point, it is logical to ask whether there are circumstances in which a seller will be unable to lawfully transfer business data to the purchaser. To address this concern, it is important to consider:
- Whether the seller’s privacy policies contain a clause that allows for the sale of the business and its data, and for a change of ownership
- Where the data subjects have given consent, whether that consent can lawfully be transferred to the purchaser
- Where the seller processes the data on behalf of a third party, whether the relevant data sharing agreement allows for a change of control or ownership
Do buyers automatically receive the right to use the business data owned by the company they acquire?
“It’s important for buyers to confirm whether or not they have full rights to use the data for their business operations, and also to check whether there are any restrictions on its use that they should be aware of, assuming the seller has the full right to transfer the business data to the new business owner.”
As the new business owner, you should consider the following points before using any part of the data that you have acquired through the transaction:
- Purpose of the data usage: Will you be using the newly acquired data for precisely the same purpose for which the previous business owner used it? If not, you must ensure you have appropriate reasoning and a lawful basis for the new purpose.
- Transfer of consent: The new business owner should ensure the consent is transferable once the sale goes through, particularly if consent will be the lawful basis for processing. Keep a clear and unambiguous record of the transfer of consent and its basis. If the new business owner anticipates any restriction on their ability to contact the original data subjects after the transfer, their ability to renew consent needs to be discussed at an early stage of the transaction.
- Location of the database: Where does the new business owner plan to store and process the data after the purchase? If it is going to be stored outside the EU, the destination country should be one covered by a European Commission adequacy decision. Otherwise another suitable transfer mechanism, such as Standard Contractual Clauses, is required to do so lawfully. Note that the EU-US Privacy Shield, often cited for this purpose, was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment) and can no longer be relied on.
- Data sharing agreements: Be clear about which parties will have access to the data. The new owner needs the required data sharing agreements and policies in place before processing the data in any way. If the plan is to continue relying on the seller’s original data sharing agreements, those agreements can be legally re-assigned to the new owner where required.
If the new owner decides to take on the previous owner’s liabilities, it is important to understand each of them clearly. This will typically involve a thorough audit of the seller’s existing data handling processes, covering areas including but not limited to:
- Accurate and comprehensive cataloguing and mapping of all business data
- Complete and up-to-date records of processing activities
- Completion of DPIAs for all the high-risk datasets
- Legitimate Interest Assessments (LIAs), where Legitimate Interest is relied on as a lawful basis
- Confirming whether the data has been obtained lawfully, along with transparent privacy policies and consent notices
- Maintenance of comprehensive consent records
- Confirming that data processors have handled the data appropriately in the past, and who has had access to it
- History of data breaches, if any
- Outstanding responses to individuals’ rights requests (such as DSARs), if any
- Potential claims or outstanding investigations related to data protection and privacy, if any
“A well-structured, comprehensive, and rigorous audit process will help uncover this and many other crucial pieces of information. In the case of a trade and asset sale, the liabilities can potentially remain with the seller after the transaction is completed, so it’s important for them to have a clear idea of the state of compliance, along with their own potential liabilities. In the case of a share sale, purchasers would need the seller to provide them with warranties and indemnities, as may be required for data protection compliance. However, evaluating the value of their potential liabilities is, ultimately, a commercial question and highly subjective,” the DPO experts said.
“The final key consideration is to ensure that all the required security, permissions, and rights are in place for the acquisition process to go forward. Typically, the buyers, sellers and their advisors will be increasingly involved in the auditing and data sharing process throughout the various phases of the acquisition process, from initial enquiry and populating the data room, to completion, and transition (post-completion).”
Most importantly, ensure that:
- The non-disclosure agreements include data protection clauses that are robust enough
- All necessary data-sharing agreements between the buyers, sellers and their advisors have been put in place
- Special attention has been paid to setting up the data room, to ensure that it is secure and hosted in an appropriate location, especially if data is going to be stored outside the EU
- The data room can only be accessed by authorised individuals, has been populated only with the necessary data, and none of the data can be downloaded or removed
- Privacy policies and the Record of Processing Activities (RoPA) have been updated to state that business data may be shared for supporting the M&A activity, wherever required
- The sale and purchase agreement includes data protection provisions for protecting both the parties involved in the transaction
- All business data, including that stored in the data room, is retained only for as long as is strictly necessary for evaluation and completion of the transaction, and access is revoked as soon as possible once the process is complete
Traditionally, companies did not treat data protection compliance as one of the most important considerations in M&A. That is changing rapidly: businesses in emerging sectors that derive much of their value from the data they hold, such as FinTech, e-commerce, the Internet of Things (IoT), AdTech, life sciences and AI, are seeing higher than average M&A activity at very high valuations. In such deals the risk versus reward of getting data protection compliance right clearly justifies giving it proper attention.
However, because of the huge data volumes and the increasingly complex technical nature of the processing, a low level of data protection compliance is not uncommon in these sectors. This is why the Information Commissioner’s Office (ICO) has been paying special attention to activities such as Real-Time Bidding (RTB) in the AdTech industry.
Having a comprehensive and well-structured approach to data protection compliance is now more crucial than ever for a successful M&A transaction. If you need assistance, engaging outsourced DPO services is a sensible option that avoids having to hire your own team of data protection officers for the M&A activity.
UK-based technology professional, with an interest in computer security and telecoms.