Protect business data when buying or selling a business

Solicitor Kerry Southworth and paralegal Alice Halpin, from Harrison Drury’s corporate team have partnered with regulatory team to offer guidance on data protection during merger and acquisition (M&A) transactions.

Data protection has been a hot topic of conversation ever since the introduction of the GDPR. It has certainly been hitting the headlines ever since hefty fines were received by British Airways and Marriot earlier this year, totalling a combined figure of almost £283m.  

Whilst the volume and value will defer extensively, all businesses will hold, use and/or process personal data relating to individuals in the UK and EU. Personal data includes customer lists, employee details and information about the general public.

When buying or selling a business, disclosure of information about the company is an important part of the transaction. It is equally important, as the seller or buyer, that you avoid the risk of a data protection breach during disclosure.

How to protect data during business transactions

The transferring and processing of personal data can be an issue at various stages of a share or business sale transaction and there is a number of protections that can be implemented.

During preparation for a business sale, it is necessary for the seller to ensure that the business is ‘fit for sale’ and is data protection compliant in order to avoid issues in the future and potential litigation claims.

If the business for sale is non-compliant and risking substantial penalties under GDPR, a prudent buyer will likely take a more risk averse approach in the negotiations, thus reducing the value of the business being sold. 

Once a willing buyer and seller have been found, the heads of terms may be drafted to contain the main agreed terms. A well drafted set of heads of terms should contain appropriate non-disclosure and confidentiality clauses, which can help to control transfers of personal data beyond those with permission to process it and ensure compliance with GDPR.

It will also be helpful for both parties to include appropriate data protection provisions in their retainers or contracts with third parties and advisors.

Data protection during due diligence

Due diligence is an important process for uncovering information about the target business. Under the GDPR, processing of personal data must be lawful, fair and transparent, and a business must be able to show a legitimate interest in processing the personal data. If this cannot be shown, which is often the case in M&A transactions because of their confidential nature and lack of transparency, the consent of any individuals concerned would be needed for a buyer to process their personal data.

Again, obtaining consent is often not possible due to the commercially sensitive nature of many M&A transactions and the confidentiality obligations on the parties. Personal data that must be disclosed to the buyer before completion, due to the nature of the business being purchased, must be anonymised before being disclosed and should not identify individuals.

Preparing appropriate sale agreements

Appropriate data protection clauses must be included in any share sale or business sale agreement, and in any transitional services agreement if the seller is to continue providing services like HR to the target business for a period after completion. Agreements should contain clauses that cover the transfer of personal data from seller to buyer and warranties regarding compliance with data protection law and indemnities, in case of non-compliance.

Indemnities will protect a buyer if it is later discovered that there has been a breach of data protection laws by the seller. An indemnity will ensure the seller is still liable to pay money towards any penalty fines after completion.

Finally, it is important to remember that possession of personal data does not always include the right to use the personal data. If the value of the targeted business is connected to its possession of personal data, buyers should seek advice early on as to whether that data can in fact be used by themselves following completion.

Harrison Drury’s corporate and regulatory teams regularly advice clients on a range of data protection issues. If you require any further advice regarding data protection or business mergers and acquisitions or to seek specialist legal advice from Harrison Drury’s corporate team please contact Kerry Southworth on 01772 258321.