On the 25th May 2018, a new data protection regulation (the General Data Protection Regulation or GDPR) replaces the Data Protection Directive with the aim of protecting the personal data and privacy of EU citizens. It must be adhered to by all companies conducting business in the EU, regardless of the location in which they operate.
So, in the context of M&A activity, how will this affect you? One of the changes places a heavier emphasis on the privacy of a company’s customers; therefore, companies will be scrutinised on how they collect, store, use and transfer personal data. The knock-on effect this then has is that during a transaction, an acquirer will carry out even more comprehensive checks on the target, examining internal data protection systems and processes and undertaking checks on contracts with suppliers and subcontractors, which must comply with the new regulation.
This is in an acquirer’s best interest, as they inherit any existing data protection liabilities from the seller post-sale and the penalties for a breach are steep, attracting a maximum fine of either €20m, or 4% of global turnover, depending on whichever figure is highest.
It also will have an effect on the communicating of personal data during the due diligence process between an acquirer and seller. Personal data can now only be disclosed if the acquirer can show a legitimate interest. While in the M&A process, an acquirer can prove that they do have a legitimate interest in the data this is unlikely to extend to every individual involved in the business, instead just encompassing members of the organisation such a managers. Care then has to still be taken to not personally identify any individual outside of this remit, so a seller must make sure they are cautious not to identify individual customers or employees and suitably anonymise this data.
When personal information is disclosed, safeguards must be implemented, such as putting non-disclosure agreements in place and making sure information is kept secure in a data room. At Benchmark International, these safeguards are commonplace already, helping to facilitate a smooth, compliant transaction. At the due diligence stage where more comprehensive checks are undertaken Benchmark International can assist with this, and does so already, as clients are encouraged to gather the information required at an early stage, when it can be gathered at a steadier pace, and any potential breaches in regulation can be rectified. Benchmark International can also pre-empt requests from an acquirer and provide a list of required documentation in anticipation of this request list.
Ensuring these steps are followed to maintain compliance ahead of a transaction is not only important in keeping an acquirer interested but, could even be beneficial in terms of value, as a business showing GDPR compliance could command a premium valuation in comparison to their non-compliant counterparts.
WE ARE READY WHEN YOU ARE.
Call Benchmark International today if you are interested in an exit or growth strategy or if you are interested in acquiring.
Categories
Get These Insights Delivered Directly To Your Email
Explore our curated collection today and stay ahead of the curve in M&A.