The GDPR comes into force on 25 May 2018, imposing stricter controls in relation to the personal data of EU citizens, broad territorial application and significant penalties for breach. The UK government has confirmed that the UK will continue to adhere to the GDPR once it leaves the EU.
The GDPR is, for the most part, an evolution of existing data protection laws, not a revolution. This means there is no need to panic, but data protection compliance will likely have a greater focus for sellers and buyers alike, particularly in "data heavy" sectors, such as consumer, healthcare and TMT, for two key reasons:
1. Sellers, always have a confidentiality agreement
A seller should require all potential buyers to enter into confidentiality agreements before any confidential information is shared. These should contain, amongst other things, obligations to return or destroy any information if negotiations cease, only use the data for its intended purpose, keep it within the relevant EEA jurisdiction where it is located and take reasonable steps to safeguard the information. Where the buyer is based outside the EEA, a formal international data transfer agreement (often referred to as a 'model agreement') may need to be appended to the confidentiality agreement.
2. Buyers, know what the confidentiality agreement means for you
Upon receipt of personal data, a buyer will become a data controller and will need to safeguard that information (regardless of any confidentiality agreement) to protect the rights of the data subject as prescribed under the GDPR. A confidentiality agreement should also include confirmation from a seller that it is entitled to disclose the information to a buyer, and has complied with all applicable legal requirements in sharing that information. If a buyer is likely to share information with a seller, it should also request that the confidentiality obligations, including the storage of personal data, be reciprocal.
3. Both parties, consider the transaction structure
Where personal data is transferred from one data controller to another – for example, on a business sale – the incoming data controller (i.e. the buyer) is required to issue the data subjects with a fair processing notice, unless it is not reasonably practicable to do so.
The GDPR significantly adds to the content that must be included in such notices. This may be an additional factor that points towards a share sale structure, which are generally preferred to business sales, particularly where the target business operates a large consumer focused data set.
4. Both parties, disclose carefully
A data controller, such as a seller (or buyer) in an M&A transaction, may only disclose personal data if it meets the "legitimate interest" test. A seller will need to consider whether the disclosure of personal data is necessary for the sale process and outweighs the potential harm to the individual whose data is disclosed. As outlined above, carefully drafted confidentiality agreements can help show that there is little prejudice to data subjects.
Disclosure of personal data should be limited to that which is necessary to disclose and should be disclosed as late as possible in the sale process. For example, final employee lists with names of individuals should only be added to the final draft of the transaction documents or the final disclosure bundle.
A seller should anonymise or redact personal data, where feasible, to ensure that individuals cannot be identified from that information, unless disclosure of the individual's identity is necessary. The employment agreements of directors and senior employees are often disclosed without redaction, as the legitimate interest test will often be met for those individuals. For other employees, it is advisable to only disclose template employment agreements where employees are employed on broadly similar terms.
The seller must also consider the nature of the relevant personal data to be disclosed. Under the GDPR, express consent will likely need to be obtained from an individual to disclose any "special category" data (known as "sensitive personal data" in the UK), which includes an individual's ethnicity, health, sexual orientation, religious beliefs and political opinions. For example, care will need to be taken if there are specific health issues affecting an individual employee, and such information should generally only be disclosed on an anonymous basis.
If a buyer receives any "special category" data from a seller in an M&A transaction, it will need to take additional care in handing that information, including taking legal advice as to how to treat it.
5. Buyers, do your data protection due diligence – don't ignore it
Given the significant penalties for breach of the GDPR, it will become even more important for a buyer to understand how a target company collects, stores, uses and transfers personal data.
Some key questions that a buyer should ask include whether the target has (a) appointed a data protection officer (DPO), (b) lawfully obtained the personal data it holds (which is particularly important when the target business has a large consumer facing data set), (c) adequate data processing policies (including in the case of cyber-attack) and (d) agreements with third party contractors that adequately address the handling of personal data (and the allocation of risk for breach).
6. Sellers, control data room access
An online data room is commonplace in M&A transactions and is usually provided by third party service providers. As the seller will be transferring data to an external party, it should ensure that access to the data room is monitored (ideally with access limited to those individuals within its organisation on a need to know basis) and the data room policies of service providers adequately comply with all applicable legal requirements.
Importantly, a data processing agreement should be in place between the seller and the data room service provider to reflect that the service provider is operating as a data processor on the seller's behalf. The content of these contracts is mandated by statute and, whilst the requirement for a written contract is an existing legal requirement, the GDPR has increased the content that must be included within these contracts.
7. Allocate / mitigate transaction risk
If deficiencies are identified in a target business' data policies and their implementation (or data-related breaches have in fact occurred), this may increase the transaction risk for the buyer, with consequential impact on its valuation of the business, particularly if a buyer determines that it will need to spend time and money on remedial and/or preventative measures post completion.
A buyer may wish to reallocate the risk to the seller under the sale and purchase agreement through enhanced warranties or, where specific risks have been identified, insisting on conditions precedent to the transaction (to ensure that deficiencies are remedied pre completion) and/or obtaining specific indemnities from the seller.
Conversely, a seller should also consider carrying out a review of its internal data policies before it engages in any sale process to mitigate potential transaction risks and their impact on the target's value.
8. Buyers, consider post-completion integration at the outset
Buyers should carefully consider at the outset the potential transfers or new uses of data in their post-acquisition integration.
A buyer may need to transfer personal data outside the EEA post-acquisition where that may not have occurred previously, for example to its group/portfolio companies, or to third parties. This may require a review of both the target business' and its own data policies and contractual arrangements to ensure they contain the appropriate safeguards for personal data transfers.
A buyer will also need to consider any new use for personal data post-acquisition, and whether it needs to seek new consents from the relevant individuals for that use. For example, if a buyer acquires a business with personal data and wishes to use it to promote or sell a new product, it might need to obtain the consent of the relevant individuals in order to do so. This can be time consuming, costly and if that exercise is impractical, it could adversely affect the value of the business.
With special thanks to Daniel Pollard, Partner at GQ Littler, a specialist employment law firm that works closely with the team at MJ Hudson, who provided expert data privacy input for this article
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.