After over four years of debate, the General Data Protection Regulation (GDPR) recently came into force, taking effect after a two year transition period, i.e. from 25 May 2018. The GDPR introduces a rigorous and far-reaching privacy framework, which will impact many M&A transactions.
The GDPR sets out defined obligations and substantial fines for non-compliance. The new regime will extend the territorial reach of EU data protection law, catching any business that operates in the EU, or offers goods and services to – or monitors the behaviour of – EU data subjects. In the M&A context, a non- EU entity that targets or monitors EU individuals will be subject to the GDPR.
The GDPR imposes mandatory data breach notifications and much stronger sanctions for non- compliance. Fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher, can be imposed. This has rightly concerned business – a survey by Ovum in 2015 showed that 94% of IT decision makers are concerned about the GDPR and 52% of respondents thought that the GDPR would result in fines for their company.
Additional diligence at all stages of the M&A process will be paramount. A greater emphasis on internal compliance is essential such as whether an entity has appointed data protection officers; has a record of processing activities; and undertakes privacy impact assessments for new projects. Contracts with vendors and subcontractors should be reviewed to ensure compliance with the new regime.
Understanding how a target collects, stores, uses and transfers personal data will be vital in understanding the valuation and risk associated with a transaction. Buyers should also avoid assuming data protection related liabilities (including previous data breaches that may not have been disclosed). Depending on the outcome of the diligence process, there may be a need for specific indemnities for data protection related liabilities, covenants enabling ongoing safeguards and potential conditions precedent regarding steps to address material non-compliance.
Buyers must carefully consider post-acquisition integration and any transfer, or new uses of data. Privacy and compliance considerations should be central to the integration process to ensure buyers can use the data as envisaged post-sale. For example, new consents may be required to use data for different purposes or to merge the data with an existing database. Data protection compliance (and, therefore, the level of required diligence) will be even more critical in some sectors, e.g. healthcare, big data, businesses engaged in behavioural targeting technologies and businesses targeting children.
The GDPR changes the rules for EU data protection compliance and will be an essential consideration in any M&A transaction that falls under the new regime.