Businesses are no doubt acutely aware that the European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25th this year, bringing with it the risk of heavy fines for non-compliance of up to four percent of an organisation’s worldwide annual revenue. With the potential for such large penalties, the new regulation’s implementation is set to have an impact on any organisation that handles the data of EU citizens, regardless of the company’s location.
According to the GDPR, the collection and processing of personal data must be for “specified explicit and legitimate purposes”, and must be carried out with the subject’s consent. The regulation states that personal data must not be transferred outside of the European Economic Area (EEA) unless the European Commission deems that an adequate level of data protection is in place, or that another compliant data transfer mechanism is available. In the world of business, considerations such as these around the handling and protection of personal data will have a significant effect on the act of dealmaking.
More comprehensive due diligence
When it comes to M&A transactions, the GDPR is likely to have a considerable effect on the due diligence process. Acquirers will be required to engage in a significantly more comprehensive process than they currently undertake to fully assess the extent to which a target company complies with the GDPR.
Consideration of how that target collects, stores, uses and transfers personal data will be instrumental in understanding the valuation and risks associated with a transaction, as non-compliance could lead to additional GDPR-related conditions in any sale and purchase agreement. Such conditions could include exclusion of certain GDPR-related liabilities from the deal, specific indemnities, covenants, and additional conditions to closing.
What’s more, the process of integration that follows a merger will need to address how existing consents given by data subjects will affect not only the integration, but also the future business goals of the combined entities. This will need to consider the different ways in which that data could be used once the deal has completed. To complicate matters further, the acquisition of a business based within the EU by one based outside it could lead to a complex situation at the point the acquiring business wants to transfer the associated data outside of the EU.
Changing the process
Protecting the data used in the due diligence process is becoming a particularly critical issue for businesses involved in M&A transactions, and one that could potentially derail a deal if certain criteria aren’t met, or specific safeguards put in place. Many businesses are now appointing chief privacy officers, reflecting the escalation of data privacy and data protection issues to the C-suite, and the importance now attached to them there.
Considering the high importance placed on data protection for GDPR compliance, it’s highly likely that we’ll see an increase in the adoption of encryption software and related services over the course of 2018. And, as “data handlers” seek to provide a wrap-around service in addition to their current portfolio of services, we may see some degree of M&A activity in the information security space.
Between them, cybersecurity and the GDPR will lead to changes in the due diligence process. Until recently, most due diligence has focused on the legal, financial, commercial, environmental and HR aspects of a deal. With the advent of the GDPR, however, along with the growing number of high-profile data breaches making the headlines, cybersecurity readiness and prior breaches should now be added to this list of factors.
These new considerations will undoubtedly raise new questions, though, particularly about GDPR compliance. How does a business conduct cybersecurity due diligence, for example? Will there be an emergence of specialist service providers to assist with this? What should advisors and corporate development teams be aware of as cybersecurity continues to come under ever greater scrutiny? Does the business have sufficient technical experience and expertise to remain compliant? How can a buyer gain assurance that its target has taken the appropriate steps to protect its information? What should a target company offer as part of the due diligence process, and how can this be made as painless as possible for the buyer?
Much work still needs to be done before it becomes clear just how the GDPR will affect the due diligence process. Until that time, however, service providers should view the new risk that the regulation represents within the M&A process as an opportunity to present themselves as providers of a wrap-around service, with data protection and compliance at its heart.