GDPR compliance preparation for investment or sale

Over the last four years, since the introduction of the GDPR, compliance has grown in importance when assessing businesses for investment and sale.

Lengthy due diligence reviews often turn up a lack of compliance or more serious issues, such as complaints or data breaches, but even a lack of standard GDPR compliance can cause the investors or buyers to require indemnities or to require corrective steps to be taken.

Preparation of the business for funding rounds or sale/purchase transactions should include a review of its data protection landscape in advance, and this preparation would ideally  include :

• Ensuring the UK ICO registration is valid (if part of a group of companies, then each entity may need a separate registration; each entity should be regarded separately for the purposes of data compliance).
• A recent IT systems hacker/pen-testing, to check for any breaches of security and general systems security; while there are formal document compliance requirements, these must be backed up with secure storage of personal data in fact also.
• A questionnaire to the key staff who manage personal data in the business on data protection to fact find (this could be presented as an internal compliance exercise and data audit) and review the internal processes in practice.
• A review of the data protection compliance documents (record of processing activity, privacy policy, data breach record, data subject access request record, staff training records). While these records should be in use and updated in the usual course of business, they are often needing some updating and would be better updated in anticipation of investment or sale than during or after the process.
• Considering key contracts and reviewing the need for data processing or data sharing agreements with suppliers or clients. Where personal data is sent outside the EEA or UK, these data processing or sharing agreements will need strengthening with additional contractual safeguards – if these are not already in place, it would be sensible to make those provisions (especially where personal data is transferred to the US).
• Review where the data is stored – and the answer is not “in the cloud” – this question relates to the physical location of the servers, which territory they are in.
• Consider whether any informal arrangements that might exist between group companies who process personal data on each other’s behalf should be formalised, by putting in place an intra-group data processing or sharing agreement.
• Review data journeys within the business and with third parties and consider the need for data processing impact assessments, legitimate interests assessments or transfer impact assessments (or transfer risk assessments) to support the main processing or sharing agreements.
• Review the record of processing activities (update it if necessary).

While this type of preparation may take time it will also make the due diligence stage go more smoothly. It is worth reviewing these documents in advance of uploading them into a data room for the due diligence exercise that will likely follow – the preparation will mean that the compliance documents can be updated and accurate before being presented for scrutiny and that any more serious issues can be identified and presented in a prepared way.