Publication 18 Nov 2024 · Hungary

Data and the deal


If you’re buying or selling a business, don’t forget to protect the personal data involved.

Data that identifies or relates to living individuals is often a fundamental part of M&A. But sharing such personal data during a transaction has to be done carefully.

Compliance with data protection legislation is fundamental. Businesses must be transparent about which personal data is being shared, ensure that they meet their legal obligations, and keep the data secure throughout the transaction. It is important that both parties engage in the due diligence process and remain transparent about the personal data being shared.

Businesses should approach the due diligence process with a strategic focus, considering the relevant data protection legislation and implementing appropriate technical and organisational measures prior to sharing any personal data.

After completion, the buyer should assess whether additional steps need to be taken to ensure the business continues to process data lawfully.

Failing to do any of this may lead to regulatory enforcement action and reputational damage. Such failure could also impact the transaction itself – potentially even leading to it being aborted.

Rachel Gillan talks about the process of getting ready for a sale and the key issues with the type of data you might be sharing as part of that transaction.

The basics

Anyone selling a business should consider reviewing and updating all data protection policies and procedures to ensure the business is complying with data protection law.

A seller should also review the types of personal data that the business holds, how that data is processed, and what individuals have been told will happen to their personal data in a sale process.

In some cases, a seller will have to inform data subjects, as the data subjects may have the right to object to the sharing of the data – particularly if, when that data was collected, the data subjects were not notified about it being shared with potential buyers of the business. UK and EU data protection law requires a seller to tell individuals if their personal data is being disclosed to third parties, which includes the disclosure of personal data in the context of a commercial transaction.

A seller should also:

  • Establish a lawful basis for sharing personal data during the transaction.
  • Ensure compliance with key data protection principles such as data minimisation, lawfulness, fairness and transparency, integrity and confidentiality.
  • Keep a record of any personal data shared.
  • Check that privacy notices include information about personal data being shared with potential buyers of the business.

Sharing data

Sharing correct and accurate data helps ensure a smoother due diligence process while protecting the business’s interests. However, at each stage of the due diligence process, the seller should consider exactly what personal data will be shared with prospective purchasers.

For example, when creating a data room, sellers should ensure that:

  • The data is relevant to the sale.
  • The data is up to date, accurate and not misleading.
  • The data room is secure, to avoid any unauthorised disclosures of personal data.

Only individuals who need to review the data for the purposes of the transaction should have access to the data, and the seller should ensure that all those who can access the data are bound by appropriate confidentiality provisions. 

Data minimisation

Not all personal data needs to be shared during the due diligence process. For example, the seller should consider carefully what, if any, personal data about staff should be disclosed. This may mean anonymising salary information and sharing only generic employment contracts.

However, there is a balance to be struck. In particular, the seller will need to disclose enough information for the buyer to be comfortable about proceeding with the transaction.

The buyer’s perspective

Prospective buyers will usually want to review the compliance of the target business with data protection law. If any issues are identified, they will have to either require the seller to remedy those issues before completion – assuming that is feasible – or address them once the deal is concluded.

When the issues are significant this may affect the overall commercials of the transaction. The buyer may seek a reduction in price, and may want indemnification from the seller for any losses suffered if the issues lead to enforcement action, reputational damage or additional costs.

Once the transaction completes, the buyer may additionally wish to undertake a full data protection audit to identify any issues that were not unearthed by the due diligence process. It may also, of course, decide to align the business’s data protection policies and procedures with its own.

Post-completion, the buyer should assess what additional steps need to be taken to ensure the business meets applicable data protection law requirements when processing personal data.
