What impact is GDPR having on M&A deals?

Data protection issues feature increasingly in mergers and acquisitions.  This is driven by a range of factors, including in particular the growing realisation of the value of personal data to a business as well as more widespread appreciation of the risks involved in processing personal data.  The GDPR has acted as a catalyst and data protection issues therefore receive greater attention than ever before.

The GDPR’s impact on M&A can be observed in a range of areas:

1. Assessing viability and structuring: The ability to exploit personal data for a range of possible purposes, from marketing to analytics, may be a key enabler of a target business, or may offer significant potential value to a purchaser. Parties are increasingly considering to what extent data considerations may impact the viability of a proposed transaction, or whether a transaction should adopt a particular structure to enable the exploitation of data.
2. Preparation for sale: For a seller with an eye to a potential disposal in the future, serious consideration is, more than ever, given to whether the business is fit for sale from a data protection perspective. In some cases, this analysis may lead to the identification of measures that can be taken in advance of a deal to facilitate a transaction or to mitigate any data-related risks involved. Such measures may anticipate possible concerns from potential purchasers regarding areas of non-compliance or failure to adopt good practice.
3. NDAs: Non-disclosure agreements, entered into by potential parties to a transaction (and their advisors), increasingly include data protection clauses. Previously, these clauses may have been absent altogether or limited in scope. Sellers may also request bidders and their advisors to enter into data transfer agreements to facilitate international transfers of personal data. The perceived “market practice” has perhaps not yet caught up, particularly where the participants in a transaction include non-EU actors.
4. VDRs: Sellers, and to a lesser extent purchasers, are giving greater thought to what personal data is shared in data rooms, and are applying additional controls to protect any shared personal data. The steps taken may include anonymisation, by way or redaction or aggregation of data.  Or it may include other technical controls, such as restriction of access to a limited group, or restriction of printing or downloading rights.
5. Purchaser/Bidder Q&A: Purchasers are asking increasingly probing and persistent questions as part of the due diligence process. Although GDPR remains a largely principles-based law, it has introduced a number of requirements to implement specific compliance measures. These include a written record of processing, data protection impact assessments, a requirement to report and keep a record of data breaches, as well as requiring the appointment of a data protection officer for businesses carrying out certain types of activity. Details of these measures provide a rich source of information to a potential purchaser and can act as a good barometer of the maturity of a target’s data protection compliance programme.
6. Deal terms: Deal terms have generally included specific warranties regarding data protection compliance. The warranties requested by purchasers have become increasingly lengthy and specific since GDPR. As with the Q&A process, the introduction of specific requirements under GDPR, together with the heightened risk profile, is leading purchasers to request specific warranties concerning key indicators of compliance or non-compliance (e.g. disclosure of personal data breaches, or failure to respond to data subject requests within the prescribed time limit).
7. Completion and post-completion: On a business sale, the transfer of personal data on completion will lead to a change in the “controller” of that personal data. It has always been a requirement that the new controller identify itself to impacted individuals. Increasingly, the form and timing of this notice is agreed as part of the deal terms. A separate notice may also be given by the seller. In business sales involving the transfer of marketing databases, specific rules of engagement may be set out in relation to any future marketing activities of the purchaser relating to customers of the transferred business.

It remains rare for a transaction to fail to proceed based on data protection concerns identified by either party, but the examples that exist are not often widely publicised. Nevertheless, GDPR is having an impact (and can certainly present a few obstacles) in a range of areas on M&A deals.