Company Acquisitions: The Impact of the GDPR
By now you are probably aware of the General Data Protection Regulation (“GDPR”), which will bring about one of the biggest changes in data protection law in the UK. Below is a brief overview of the GDPR and how it will likely impact company acquisitions in the short-to-medium term.
What is the GDPR?
The GDPR will come into effect across the EU (including the UK, regardless of Brexit) on 25 May 2018 and will replace the existing Data Protection Act 1998.
The GDPR will have a major impact on how personal data is collected, used and processed. Personal data can broadly be defined as any information which relates to an identified or identifiable individual, and will include an individual’s name and contact details. Depending on the context, personal data may also extend further to information collected during an individual’s interaction with a target company. In terms of scope, the GDPR will almost certainly affect both a target company and any agents that it uses throughout its day-to-day business.
Will a Target Company be caught by the GDPR?
The simple answer is probably. The GDPR essentially applies to any organisation that holds personal data. If data is held offshore, this does not mean that you won’t need to comply: all organisations that process the personal data of EU residents will be required to abide by the provisions of the GDPR. It is likely that a vast amount of personal data will be held by a target company, whether that data be employee details, client information or customer/user data. Accordingly, it is likely that a target company will be the data controller of all the personal data it holds about those individuals and companies.
It is important that, during the due diligence process, careful consideration is given to the target company’s use of data and, if it is not compliant with the GDPR, the level of risk this poses. Depending on what is discovered during due diligence, it may be necessary to build additional protections into the acquisition documents for you as the purchaser so that your liability is limited.
Alternatively, where fundamental issues are identified, it would be prudent to ensure such issues are rectified by the seller(s) prior to completion of the acquisition.
Post-Acquisition - How to Comply
Post-completion, careful consideration must be given to what personal data is collected, how it is used, why it is used and who it is shared with. Following the acquisition of a target company, policies and procedures will need to be put in place (along with adequate GDPR training) to deal with ongoing compliance.
The Risk of Non-Compliance
Under the existing law, fines for data protection breaches are capped at £500,000. However, from 25 May 2018, the Information Commissioner’s Office will have the ability to issue much greater fines. For serious breaches of the GDPR, fines will be capped at €20 million or 4% of global turnover (whichever is higher).