Data protection applies to M&A more than ever

thinktank-legalIn the world we live in with information being readily shared from wherever we are, personal data is a valuable and important business resource.

With the importance of data as intellectual property only going to rise, this becomes an important consideration in M&A transactions. More and more emphasis is and will be placed on personal data procedures, policies and security during due diligence and there will no doubt be an ever-expanding list of enquiries pressing sellers to provide full and complete details of what personal data they hold, where it is stored, what data policies they have in place to manage that data and subject access requests and so on (as if due diligence wasn’t time consuming enough already).

There is of course an inevitable exchange of personal data during an M&A transaction and a failure of the target company to be fully compliant in this area represents a significant risk for the acquirer.

With new data protection legislation on the horizon and high profile companies finding themselves the subject of intense scrutiny about how they handle data, this is an area which will undoubtedly see more and more warranties arising in transaction documents to put a heavy burden on the target to ensure that it is data compliant.

Of course, any target which has not taken its data protection compliance and risk management seriously and put in place appropriate and robust procedures to address the risk will undoubtedly be found out during due diligence. This will give an acquirer the opportunity to push back and potentially this could affect the structure of a deal and ultimately, the price paid.

Indeed, if it is found that a target has built their business without taking data protection sufficiently seriously and had failed, or is unable, to collect or use data in accordance with data protection legislation, then the target business may not be viable. Even if data is collected and used properly, if it is found that the target hasn’t put measures in place to properly protect personal data in its control, then it can find itself having to spend very significant costs to fully investigate and remedy any incidents of data breaches. These costs can be very high even for data breaches which are not very substantial.

It’s very important for those targets who plan to go through a transaction to get their data protection house in order. If a data protection officer is in place then that’s great, they can ensure that if there are any potential holes that they are plugged. If no one person is appointed to manage data protection or there has just been a lack of addressing the data protection risks and no infrastructure exists, then the target should get this sorted before due diligence starts.

Proper policies, procedures and a robust culture of data protection is an absolute must for targets holding personal data, which almost everybody does nowadays.



Daniel Gardner

Think Tank Legal


Comments are closed.

© 2019 Evolution Complete Business Sales Ltd.

  Keep me updated

Dear visitor. Please subscribe if you'd like to receive updates and events on selling or buying a business

* we hate spam and never share your details.