Buyer beware – ignore the GDPR at your peril!

The GDPR is designed to be far-reaching and ensuring compliance can be challenging. So data protection will become an important consideration in any M&A transaction.

How does GDPR affect prospective company M&As?

Because of the increased focus on data and information security under the GDPR, prospective buyers will need to engage in an enhanced and more detailed due diligence process to fully assess a target company’s GDPR compliance.

Important areas to question the target company about during due diligence will include:

• registration with ICO – is it correct?
• has there been proper reporting of historic data breaches? (ask for the register)
• are there any pending compliance investigations or inspections?
• have appropriate impact assessments been carried out?
• where necessary, is an appropriate data protection officer appointed

Particular consideration should also be given to the existence of adequate privacy policies, the guidance and training given to employees, and what technical and organisational security measures have been applied – particularly if the target has been dealing with sensitive data.

Depending on the outcome of due diligence enquiries, buyers need to consider specific warranty protection or, in certain circumstances, indemnities against the risk of incurring liabilities for GDPR breaches.

As a seller, what should I consider?

As a potential seller, you will want to be in a position to demonstrate your business is compliant with GDPR. Make sure that you appropriately document and evidence every step taken to ensure compliance and consider mapping how your business handles personal data.

When assessing whether your business is GDPR compliant, the new law means you are responsible for ensuring the compliance of any outsourced data processing services you use. Potential sellers will therefore need to ensure that appointed third party service providers who handle or process personal data on their behalf (e.g. payroll services) are also GDPR compliant.

The large amount of data processed by a business and the multitude of ways in which it is handled means that accurately mapping and understanding how your business uses and processes data is vitally important to ensuring your compliance.

There is no doubt that the new law will bring an increased focus on data protection compliance in M&A. Making sure that your business is compliant and understands the questions that need to be asked and answered will help put you on the front foot in any potential transaction.

If you’re involved in, or are considering the possibility of, a future merger or acquisition, you will want to assess and mitigate all the risks associated with a transaction. We’re specialists in corporate transactions and can help you achieve the outcome you want.