UK businesses will be well aware of the General Data Protection Regulation (EU) 2016/679 (GDPR) which came into effect on 25 May 2018.
If a business is located in or holds, uses or processes personal data about individuals located in the UK or EU, then the GDPR applies, and sanctions for failing to comply can be severe.
But what does it mean for those in the M&A world involved with due diligence – sellers, prospective buyers, bidders, investors and their professional advisers? Will it change the way in which we share large volumes of data?
Clearly, there will be a shift in due diligence focus to data protection compliance, particularly for target entities whose core activities require large scale, regular and systematic monitoring of individuals; or those required to process particularly sensitive information about individuals such as health conditions, criminal convictions and offences.
Additionally, buyers and investors are expected to require greater contractual protection, in the form of warranty and indemnity coverage, as the potential sanctions for non-compliance with the GDPR are so high. Media coverage also means individuals are very aware of their rights, for example, submitting data access requests.
As regards the due diligence process itself and the sharing of personal data, the practical position should not be markedly different from that in place before the GDPR – there was a duty to protect personal data before the GDPR as well as after. Outlined below are the key factors to consider, from a data protection perspective, before adding information to a data room or other due diligence portal.
Personal data is defined in the GDPR as "any information relating to an identified or identifiable natural person" (a "data subject"). It can include names, dates of birth, postal and email addresses (including a work email address), national insurance numbers, telephone numbers, health information, bank details, opinions and factors specific to the economic, cultural or social identity of that person – essentially anything which can be used to identify a living individual who is the subject of the data.
In reality, it is hard to see how a target business would not be processing personal data – for example, is it holding personal data about employees, workers, consultants, customers, clients or members of the public? Personal data will include payroll details, employment contracts, pension and retirement benefits information, entries in accident books, insurance claims, customer lists, B2C contracts and company registers.
The fifth principle of the GDPR states that personal data must be processed lawfully, fairly and in a manner that is transparent in relation to individuals. This means that, in a due diligence situation, the target business will need to show that it is disclosing the personal data under one of six lawful bases for processing. Note that if you can reasonably achieve the same purpose without the processing, there will not be a lawful basis. The bases of most relevance here are:
Assuming that there will be very limited circumstances in which processing personal data will be lawful for the purposes of providing due diligence information, a target business/seller and its advisers should aim instead to avoid processing or sharing this information at all.
To achieve this, the disclosing party and its due diligence team should review all documentation before it is uploaded to the data room (or otherwise made available to the buyer/investor) to ensure any personal data contained within it is anonymised. This is likely to interfere with a buyer/investor's ability to analyse the data (for example, the age demographic of the workforce) and the parties will need to discuss how best to assist with the analysis. It may be that, in certain areas, the disclosing party will have to conduct the analysis on the other side's behalf (for example, confirming the number of employees in certain age bands). Ways in which you can anonymise information include:
We are often asked whether the names of individuals at companies which the target organisation has conducted business with need to be redacted: for example, the name of a relationship manager on a facility letter or an individual named on a supplier purchase order form. To avoid any issues with this, a blanket approach to redactions / anonymisation could be adopted.
Alternatively, a case-by-case analysis could be undertaken – the outcome of each analysis would depend on whether this personal information is readily available publicly (if a lot of searching is required to find it, then the answer would probably be no), the position of the employee, and how unique their name is and therefore how likely it is to identify them.
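The anonymisation step described above (review documents before upload, strip direct identifiers, and let the disclosing party answer aggregate questions such as headcount by age band rather than handing over dates of birth) can be implemented as a pre-upload pass over the data room material. The following is an added example written for this page, not code from the authors or their firm. It assumes a constructed payroll export (the records are invented, not real people), a seller-held secret `SELLER_KEY` used to derive stable pseudonymous tokens, and age bands chosen for illustration; the regular expressions for email addresses, UK national insurance numbers and UK telephone numbers are simplified patterns for a first redaction pass.

```python
import hashlib
import hmac
import re
from collections import Counter
from datetime import date

# Constructed sample payroll export (invented records, not real people): the
# kind of document that would otherwise be uploaded to a data room unchanged.
EMPLOYEES = [
    {"name": "Jane Example", "email": "jane.example@target.example",
     "dob": "1985-03-14", "ni": "AB123456C", "salary": 52000},
    {"name": "Sam Sample", "email": "sam.sample@target.example",
     "dob": "1962-11-02", "ni": "CD654321A", "salary": 71000},
    {"name": "Alex Placeholder", "email": "alex.p@target.example",
     "dob": "1998-07-30", "ni": "EF111111B", "salary": 31000},
]

# Assumed: a secret held only by the disclosing party. Tokens derived with it
# let the seller answer a follow-up question about one record without the
# buyer being able to reverse or confirm a guessed name.
SELLER_KEY = b"replace-with-a-randomly-generated-secret"

# Assumed bands for the workforce demographic analysis mentioned in the text.
AGE_BANDS = ((0, 29, "under 30"), (30, 49, "30-49"), (50, 200, "50+"))

# Simplified patterns for direct identifiers found in free-text documents
# (facility letters, purchase orders, HR correspondence).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
NI_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
UK_PHONE_RE = re.compile(r"(?<!\d)(?:\+44\s?\d{2,4}|0\d{2,4})(?:\s?\d{3,4}){2}\b")


def age_band(dob_iso: str, today: date) -> str:
    """Replace a date of birth with the band it falls in on the given date."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    for low, high, label in AGE_BANDS:
        if low <= age <= high:
            return label
    raise ValueError(f"age {age} outside configured bands")


def pseudonym(name: str, key: bytes = SELLER_KEY) -> str:
    """Stable token for a person. HMAC rather than a plain hash: without the
    key, a recipient cannot confirm a guessed name by recomputing the token."""
    digest = hmac.new(key, name.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "EMP-" + digest[:12]


def anonymise_record(rec: dict, today: date) -> dict:
    """Keep only what the buyer needs for workforce analysis: a token, an age
    band and the salary. Email, date of birth and NI number are dropped."""
    return {
        "token": pseudonym(rec["name"]),
        "age_band": age_band(rec["dob"], today),
        "salary": rec["salary"],
    }


def prepare_for_data_room(records, today: date) -> list:
    return [anonymise_record(r, today) for r in records]


def age_band_counts(anonymised) -> dict:
    """The aggregate the disclosing party can hand over instead of raw DOBs."""
    return dict(Counter(r["age_band"] for r in anonymised))


def redact_text(text: str, known_names=()) -> str:
    """First-pass redaction of a free-text document. Known employee names are
    swapped for their tokens so the document still cross-references the
    anonymised payroll; pattern-based identifiers are blanked out."""
    for name in known_names:
        text = text.replace(name, pseudonym(name))
    text = EMAIL_RE.sub("[EMAIL REDACTED]", text)
    text = NI_RE.sub("[NI NUMBER REDACTED]", text)
    text = UK_PHONE_RE.sub("[PHONE REDACTED]", text)
    return text


if __name__ == "__main__":
    today = date(2018, 6, 1)
    prepared = prepare_for_data_room(EMPLOYEES, today)
    print(prepared)
    print(age_band_counts(prepared))
    letter = ("Contact Jane Example (jane.example@target.example, NI AB123456C) "
              "on 020 7946 0958 or +44 20 7946 0958.")
    print(redact_text(letter, known_names=[e["name"] for e in EMPLOYEES]))
```

Two points worth keeping in mind when using an approach like this. First, records carrying an HMAC token are pseudonymised, not anonymised, from the disclosing party's point of view: the party holding the key can re-identify individuals, so that side still treats the output as personal data, while the recipient receives nothing that links back to a person. Second, the regular expressions are a first pass only; the case-by-case review of names on third-party documents discussed above still has to be done by a person, and a sampled manual check of redacted output before upload catches formats the patterns miss.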
Given the greater risks and new higher fines arising from non-compliance with data laws, consider very robust warranties in the transaction documents. For due diligence, all members of the team disclosing due diligence information should be vigilant and alive to the anonymisation procedures in place and the disclosing party should ensure it uses a secure and reputable data room platform.
The platform provider's contract with the disclosing party should include commitments relating to the protection of personal data in accordance with Article 28 of the GDPR and, in particular, cooperation if a data subject request is received. Where advisers host data rooms on behalf of their clients, it is strongly recommended that:
Our Data Protection & Privacy Team has been busy advising on the specific steps that need to be taken by affected businesses (including compliance, ongoing monitoring and internal policy and procedure review). For further information about the GDPR, please visit our hot topic page.
If you have any queries or require specific advice about the matters discussed in this insight, please do not hesitate to get in touch with Alison Johnson in our Corporate team or Brian Craig in our Data Protection and Privacy team.
Contributors: Nicola Bilner and Rolla Rostram
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.