Data protection considerations in corporate transactions and the due diligence process
Just over one year on from the introduction of the General Data Protection Regulation (GDPR), data protection practices continue to play a central part in corporate transactions. Taking into account the announcement this summer by the UK's data protection authority, the Information Commissioner's Office (ICO), of its intention to fine Marriott International just over £99 million for the data breach it reported last year, it will come as no surprise that sellers, prospective bidders, investors and professional advisers are approaching corporate transactions with an ever greater degree of caution. The severity of the sanctions for data protection breaches (heavy administrative fines and reputational damage among them) is just one of the considerations for transaction parties, who need to ensure compliance with data protection laws.
‘Personal data’ is defined in Article 4 of the GDPR as ‘any information relating to an identified or identifiable natural person’. That natural person is the data subject, and the information can include names, identification numbers, location data and anything else that can be used to identify a living individual.
Personal data is exchanged, stored, and processed at many stages over the lifetime of a transaction and data protection issues can materialise:
- in the pre-signing phase, when initial negotiations are carried out between a buyer and a seller and a non-disclosure agreement is negotiated;
- in the due diligence process where large amounts of information are exchanged on the target and data rooms are populated;
- when preparing for completion where information is exchanged in order to draft transaction documents and ancillary documents; and
- on completion of a transaction, when a transitional services agreement is required and databases are integrated.
An important point to note is that, whilst the GDPR requires a seller to inform data subjects when their personal data is disclosed, there is often a competing need for commercial secrecy. Businesses can generally rely on the “legitimate interests” ground for processing, on the basis that the processing is necessary for the legitimate interests of the controller (here the seller, as employer) or of a third party. A business must, however, be able to show that it has balanced those interests against the rights and freedoms of the data subjects, so it is imperative that companies record this balancing test (a legitimate interests assessment) to demonstrate GDPR compliance.
Focusing on due diligence in corporate transactions, it is fair to say that the process has been affected in two ways by tightened data protection laws: in the scrutiny applied to the target's own compliance, and in the handling of the personal data exchanged during the process itself.
Data Protection Compliance
Since the introduction of the GDPR, buyers have moved to scrutinise the data protection compliance of target entities. Every target will inevitably process some form of personal data, and in a corporate transaction the buyer almost always inherits any unlawful data processing the target has been carrying out. A buyer therefore needs to identify any unlawful processing during due diligence so that it can be rectified (ideally by the seller before completion or, if that is not possible, after completion).
Particularly where a target entity collects sensitive (special category) information about individuals or carries out large-scale monitoring, the due diligence focus may be on what data protection measures the target has taken historically and what policies and procedures are in place to comply with data protection laws. This greater scrutiny has led buyers to require tighter warranties and indemnities in the transaction documents, reflecting the risks of non-compliance highlighted above. If unlawful processing goes undetected, both the target and the buyer are exposed to enforcement action, so proper due diligence to detect unlawful data processing is essential.
Due Diligence Process
Large amounts of information are inevitably exchanged between parties in a corporate transaction, and this information almost always includes personal data. Parties will therefore find themselves subject to the GDPR in their own right for that data (typically as controllers, since each decides why and how it uses the disclosed information, rather than as processors acting on the other's instructions). When carrying out a due diligence exercise, online data rooms are typically used by a seller to make information about the target business available. These data rooms will include, amongst other matters, information on the target's key staff and material contracts. Best practice entails mitigating the risks involved in the due diligence process through a variety of mechanisms. Before disclosing sensitive data, the disclosing party and its due diligence team need to carry out a substantial review of the data before uploading it to a data room.
Methods used to decrease the risk of disclosing personal data in an online data room include:
- anonymising employee, customer and supplier data by redacting identifying details such as names, addresses and signatures (bearing in mind that a record can remain identifiable from context, for example where only one person holds a given role);
- aggregating salary data so that individuals’ salaries are not identifiable;
- using sample contracts rather than copies of signed contracts, and providing template employment contracts for non-key employees where the terms of employment are identical;
- using analytics tables without names to show average salary per function for example; and
- compiling summary information in relation to disputes or other matters involving commercial or personal data.
In addition, pseudonymisation can be applied to data subjects' personal information so that the data can no longer be attributed to a specific individual without additional information (such as a key or lookup table) that is kept separately and protected, and the GDPR encourages this in the usual course of business. Whilst pseudonymised data is still classified as personal data under the GDPR, because the holder of the additional information can re-identify it, it reduces the risks to the data subjects concerned and helps the parties meet their data protection obligations.
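The methods listed above, carried through on a constructed staff list as an added example (this is illustrative code written for this page, not code from the original article or from any data-room provider). The employee records, the function names and the pseudonymisation secret are invented; the choice of HMAC-SHA256 for the pseudonyms and the minimum group size of 3 before an average is published are this example's own assumptions, not requirements stated by the GDPR. It shows the three artefacts a seller ends up with: the pseudonymised, salary-banded records that go into the data room, the per-function analytics table with small groups suppressed, and the seller-side re-identification table whose existence is exactly why the data room records remain personal data.

```python
"""Preparing employee data for an online data room (added example)."""
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed sample of the HR data a seller might hold on a target's staff.
EMPLOYEES = [
    {"name": "Alice Example", "address": "1 Sample Street", "function": "Engineering", "salary": 70000},
    {"name": "Bob Example", "address": "2 Sample Street", "function": "Engineering", "salary": 80000},
    {"name": "Carol Example", "address": "3 Sample Street", "function": "Engineering", "salary": 90000},
    {"name": "Dan Example", "address": "4 Sample Street", "function": "Finance", "salary": 60000},
    {"name": "Erin Example", "address": "5 Sample Street", "function": "Finance", "salary": 65000},
    {"name": "Frank Example", "address": "6 Sample Street", "function": "Sales", "salary": 50000},
]

# This key is the "additional information" of GDPR Article 4(5): anyone who
# holds it can link pseudonyms back to people. It stays on the seller's side
# and never goes into the data room. (Constructed value for the example.)
PSEUDONYM_KEY = b"seller-side secret - constructed for this example"


def pseudonymise(name: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the name, truncated to 12 hex chars.

    Deterministic, so the same person gets the same token in every document
    (the buyer can still match a contract to a salary row). A plain hash of a
    name could be recomputed by anyone with a staff list; the key prevents
    that, so without it the token can be neither reversed nor regenerated.
    """
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def salary_band(salary: int) -> str:
    """Coarsen an exact salary to a 10,000-wide band, e.g. 70000 -> '70000-79999'."""
    lower = (salary // 10_000) * 10_000
    return f"{lower}-{lower + 9_999}"


def prepare_data_room_records(records, key: bytes = PSEUDONYM_KEY):
    """Data-room version of the staff list: direct identifiers removed, salary
    banded, pseudonym kept so the buyer can count and cross-reference staff."""
    return [
        {
            "id": pseudonymise(r["name"], key),
            "function": r["function"],
            "salary_band": salary_band(r["salary"]),
        }
        for r in records
    ]


def aggregate_salaries(records, min_group_size: int = 3):
    """Average salary per function for an analytics table.

    Groups smaller than min_group_size are suppressed: an average over one or
    two people is effectively that person's salary, so publishing it would
    undo the protection applied to the individual records.
    """
    by_function = defaultdict(list)
    for r in records:
        by_function[r["function"]].append(r["salary"])
    table = {}
    for function, salaries in sorted(by_function.items()):
        suppressed = len(salaries) < min_group_size
        table[function] = {
            "headcount": len(salaries),
            "average_salary": None if suppressed else round(statistics.mean(salaries)),
            "suppressed": suppressed,
        }
    return table


def reidentification_table(records, key: bytes = PSEUDONYM_KEY):
    """Seller-side lookup from pseudonym back to name.

    Because this table (or the key that regenerates it) exists, the data-room
    records are still personal data under the GDPR. Keep it separate from the
    data room, access-controlled, and delete it when the transaction ends.
    """
    return {pseudonymise(r["name"], key): r["name"] for r in records}


if __name__ == "__main__":
    for row in prepare_data_room_records(EMPLOYEES):
        print(row)
    for function, stats in aggregate_salaries(EMPLOYEES).items():
        print(function, stats)
```

Only the output of prepare_data_room_records and aggregate_salaries is uploaded; the key and the reidentification table stay with the seller. On the constructed data the Finance and Sales averages are withheld because the groups are too small to hide an individual's pay, which is the check the "analytics tables without names" bullet above depends on.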
It is unlikely that personal data will be removed from an online data room in its entirety, so it is key that appropriate security measures are in place to prevent security breaches such as unauthorised access. As a minimum, data rooms should require each user to authenticate with a username and password (ideally with multi-factor authentication), and should encrypt data both in transit and at rest. It is also fairly standard practice for data rooms to offer further controls such as watermarking documents (so that a copy can be traced to the user who took it), prohibiting downloading so that documents do not leave the data room (a deterrent rather than a guarantee, since a user who can view a document can still photograph or transcribe it), and keeping an access log of who viewed which documents and when, which also lets a seller establish which documents are of particular interest to a buyer and its advisers.
The Key to Compliance
To reflect on data protection in corporate transactions, it is important not only to ensure (from a buyer's perspective) that a target has not been processing data unlawfully, but also to ensure that the data processed during the transaction is handled carefully using some of the methods set out above. All parties to a transaction will have data protection obligations, as each will inevitably handle personal data at some stage. Rather than being caught out by enhanced data protection legislation, we cannot emphasise enough the importance of developing best practice to deal with the data protection hurdles that may crop up during the life cycle of a corporate transaction.