GDPR feels like a 2018 topic. It came into force in May 2018 and had been flagged years in advance. So why are its consequences still playing out for EU-based companies in M&A scenarios?
At the heart of the M&A issues thrown up by GDPR is one common theme: at some point the seller will disclose (deliberately or accidentally) personal data covered by GDPR that has not been, or cannot be, anonymised or redacted without harming the transaction.
So far, so good, I hear M&A advisors saying. Surely that is a topic for the companies involved; we don't go near the personal data? Unfortunately, in a late-2018 survey of EMEA M&A professionals by Merrill Corporation, 55% already cited GDPR as a primary reason for a transaction not proceeding, because of the target company's compliance issues and data protection practices. Being able to address the GDPR compliance issues your clients face will become an increasingly important factor in earning your fees. And, as we indicate below, advisors could even be put on the spot themselves by their client's efforts to implement best practice.
We’ve highlighted below some of the new execution considerations that GDPR brings to the M&A process. We don’t focus on the specific legal and contractual issues, which the relevant experts will advise on. As with much of our work, we aren’t holding ourselves out as experts on the topic. Nevertheless, by bringing to our clients an awareness of the possible execution pitfalls and bottlenecks, they can execute their ideal transactions as efficiently and swiftly as possible while in full control of the possible downsides.
The nature of the business being sold, and integration planning
The first consideration, naturally, is preparing for the normal due diligence procedures on the business being sold, particularly where an important part of the business value comes from personal data: client lists, marketing databases, personal information databases. GDPR's "legitimate interests" basis can allow third parties to view this information without obtaining new permissions, but in practice legal and privacy commentators are cautious about relying on it alone for broad categories of information, although it may be sufficient for reviewing a core management team, for instance. Otherwise, the seller may only be able to provide highly summarised information, for instance the number of clients by age band.
A further aspect of preparing the company for sale is whether sensitive information, for instance on key employees, will need to be provided. If so, does the existing permission or employment contract already contemplate an M&A situation, or will specific consent be needed? Similarly, does the existing consent from data subjects contemplate a change of control, and different future uses of the information by the new owner?
Bidders, advisors, data room providers as Data Processors or Controllers?
Could anyone accessing, hosting or analysing the personal data be deemed a Data Processor or Data Controller, if the data room contains any personal information that does not fall under the limited exemptions? Legal analysis suggests that in practice this is highly likely. That has material implications for the due diligence process and for the non-disclosure agreements covering potential bidders, advisors on both sides, and any other service provider reviewing the information.
Given the obligations such a status imposes, in practice bidders and advisors may instead insist that the data room contain no personal data, and that suitable contractual protections be in place to protect themselves. This raises questions about the quality and speed of data room preparation, and about how far data can be anonymised or summarised in a compliant manner while still demonstrating the value of the business.
Turning the track record of compliance into a virtue
In May 2019, the UK tax agency HMRC was ordered to delete five million voice records it was found to have collected unlawfully. GDPR is so new, and is proving to have so many unanticipated implications, that even a major government agency can misunderstand its obligations and be in breach. Yet a Financier Worldwide round table discussion stated that “Understanding how a target collects, stores, uses and transfers personal data, as well as the details of any historical data breaches, will be vital in understanding the valuation and risks associated with a transaction.”
Smart vendors should therefore present their GDPR procedures and history of compliance as a positive part of their story, rather than leaving it to legal review of the data room. That means spending time on how to present the data management policies, internal procedures and personnel, breach handling procedures and practices, data subject notification procedures, and even something as basic as the date of registration with the Information Commissioner's Office. This process could be covered by a Data Protection Impact Assessment, although for the assessment to properly consider the specific requirements of an M&A process it will require close co-operation between the target's senior management, data protection officer, and external financial and legal advisors.
Even so, purchasers may still insist on greater contractual protection, in the form of warranty and indemnity coverage, against GDPR sanctions.
Where is the data going to be held?
Transferring personal data out of the European Economic Area is strictly controlled: it is permitted only under an adequacy decision, appropriate safeguards such as standard contractual clauses or binding corporate rules, or a narrow set of derogations. This has implications for the location of the data room provider's servers and, where there are non-EEA bidders accessing the data room, may also restrict their ability to download or manipulate the personal data.
We would also note that Brexit may cause issues for live UK M&A sale processes while its regulatory implications for data transfers are worked out.
Could the family information, home address and children's school details of a CEO hired from overseas end up in a data room? You would hope not. Yet if the expat package forms part of the CEO's terms of employment, this is all too easy to overlook.
In practice, data rooms containing many thousands of pages are sometimes compiled rapidly, by relatively inexperienced staff, and without careful review. Even where the business's customer-facing personal data is carefully controlled, other personal information, such as that of senior management or their families, can be added inadvertently.
This is where technology can and should help. We recently became aware of one data room provider that has built an automated data classification tool, which we are told can automatically find and obfuscate non-compliant data in the data room, in any document format, while still maintaining a complete confidential copy of the files in clear form. We have not yet used this live but are watching it with interest.
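To make concrete what such a pre-upload scan does, and where it falls short, here is an added illustration that is not the provider's tool nor code from the original article. It scans a constructed set of data-room documents for personal identifiers with a recognisable shape (email address, UK mobile number, National Insurance number, UK postcode; the patterns are simplified assumptions for this example), produces a redacted copy for the data room while keeping the clear copy aside, and reports what it found. The expat-package sentence is deliberately included to show the caveat a practitioner should keep in mind: pattern matching catches structured identifiers, but free-text family details pass straight through, so the human review described above is still needed.

```python
"""Added example (not the article's or any vendor's code): a pattern-based
scan that redacts structured personal identifiers before documents go into a
data room, keeps the clear copy separately, and reports its findings."""
import re
from dataclasses import dataclass

# Illustrative patterns assumed for this example; simplified, not exhaustive,
# and not a substitute for legal review of what must be excluded.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_phone": re.compile(r"(?:\+44\s?|\b0)7\d{3}\s?\d{6}\b"),
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
}

# Constructed sample documents. The second one mirrors the article's expat
# package scenario; the last sentence carries personal data with no fixed shape.
SAMPLE_DOCS = {
    "customer_summary.txt": (
        "Clients by age band: 18-34: 1,240; 35-54: 2,310; 55+: 870."
    ),
    "ceo_contract.txt": (
        "Expat package for the Chief Executive. Contact: ceo@example.com, "
        "mobile +44 7700 900123, NI number AB123456C. Relocation to SW1A 1AA. "
        "School fees for the two children at a prep school in Kensington "
        "are covered."
    ),
}


@dataclass
class Finding:
    doc: str
    kind: str
    value: str


def scan(doc_name: str, text: str) -> list[Finding]:
    """Return every structured identifier found in one document."""
    return [
        Finding(doc_name, kind, m.group(0))
        for kind, pat in PATTERNS.items()
        for m in pat.finditer(text)
    ]


def redact(text: str) -> str:
    """Replace each matched identifier with a labelled placeholder."""
    for kind, pat in PATTERNS.items():
        text = pat.sub(f"[REDACTED {kind}]", text)
    return text


def prepare_data_room(docs: dict[str, str]):
    """Return (redacted_copy, clear_copy, findings).

    Only the redacted copy is intended for upload; the clear copy is kept by
    the seller under its own access controls, as the article's tool does.
    """
    clear = dict(docs)
    redacted = {name: redact(text) for name, text in docs.items()}
    findings = [f for name, text in docs.items() for f in scan(name, text)]
    return redacted, clear, findings


if __name__ == "__main__":
    redacted_docs, clear_docs, found = prepare_data_room(SAMPLE_DOCS)
    for f in found:
        print(f"{f.doc}: {f.kind} -> {f.value}")
    print(redacted_docs["ceo_contract.txt"])
    # The school-fees sentence survives untouched: a reviewer must catch it.
```

Run as a script, it lists the four structured identifiers it removed from the contract and prints the redacted text; the aggregated client summary is unchanged, as the article's "number of clients by age band" approach intends, while the sentence about the children's school is still there in clear text.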
Who is the best person in the company to help?
Many of the execution issues we have raised will already be familiar to one person in the company being sold: the Data Protection Officer. The DPO is the principal company representative who should advise the Data Controller on whether the transfer of personal data to third-party data processors is permitted. And yet it is still less common than it should be for the DPO to be automatically part of the core execution planning team, something we regularly recommend in our work.
The fines for GDPR non-compliance are eye-wateringly large, at up to 4% of global annual turnover or EUR 20 million, whichever is higher. But these are small next to the far greater cost of an M&A deal failing because of poorly executed GDPR disclosures and procedures. Transaction execution excellence is not a nice-to-have but a must-have for understanding and preparing for the GDPR challenge and the many other issues faced during execution of an M&A transaction.
And as always, The Deal Team’s professional transaction managers are here to support company executives with the minimum of distraction in preparing for the transaction, whether M&A or ECM.
Please note – We’ve used our judgement to select the linked external information which we believe may be of interest. We are not however responsible for the accuracy, completeness or relevance of the information and opinions contained therein.