Skip to main content

Make an enquiry

    Contact Us

    Preston Office
    Tel: 01772 258321
    DX: DX 714573 Preston 14
    Fax: 01772 258227

    Garstang Office
    Tel: 01995 607950
    DX: DX 63970 Garstang
    Fax: 01995 600897

    Kendal Office
    Tel: 01539 628042
    DX: DX 714573 Preston 14

    Lancaster Office
    Tel: 01524 548967
    DX: 63502 Lancaster

    Clitheroe Office
    Tel: 01200 422264
    DX: DX 15154 Clitheroe


    Protect business data when buying or selling a business


    Solicitor Kerry Southworth and paralegal Alice Halpin, from Harrison Drury’s corporate team have partnered with regulatory team to offer guidance on data protection during merger and acquisition (M&A) transactions.

    Data protection has been a hot topic of conversation ever since the introduction of the GDPR. It has certainly been hitting the headlines ever since hefty fines were received by British Airways and Marriot earlier this year, totalling a combined figure of almost £283m.  

    Whilst the volume and value will defer extensively, all businesses will hold, use and/or process personal data relating to individuals in the UK and EU. Personal data includes customer lists, employee details and information about the general public.

    When buying or selling a business, disclosure of information about the company is an important part of the transaction. It is equally important, as the seller or buyer, that you avoid the risk of a data protection breach during disclosure.

    How to protect data during business transactions

    The transferring and processing of personal data can be an issue at various stages of a share or business sale transaction and there is a number of protections that can be implemented.

    During preparation for a business sale, it is necessary for the seller to ensure that the business is ‘fit for sale’ and is data protection compliant in order to avoid issues in the future and potential litigation claims.

    If the business for sale is non-compliant and risking substantial penalties under GDPR, a prudent buyer will likely take a more risk averse approach in the negotiations, thus reducing the value of the business being sold. 

    Once a willing buyer and seller have been found, the heads of terms may be drafted to contain the main agreed terms. A well drafted set of heads of terms should contain appropriate non-disclosure and confidentiality clauses, which can help to control transfers of personal data beyond those with permission to process it and ensure compliance with GDPR.

    It will also be helpful for both parties to include appropriate data protection provisions in their retainers or contracts with third parties and advisors.

    Data protection during due diligence

    Due diligence is an important process for uncovering information about the target business. Under the GDPR, processing of personal data must be lawful, fair and transparent, and a business must be able to show a legitimate interest in processing the personal data. If this cannot be shown, which is often the case in M&A transactions because of their confidential nature and lack of transparency, the consent of any individuals concerned would be needed for a buyer to process their personal data.

    Again, obtaining consent is often not possible due to the commercially sensitive nature of many M&A transactions and the confidentiality obligations on the parties. Personal data that must be disclosed to the buyer before completion, due to the nature of the business being purchased, must be anonymised before being disclosed and should not identify individuals.

    Preparing appropriate sale agreements

    Appropriate data protection clauses must be included in any share sale or business sale agreement, and in any transitional services agreement if the seller is to continue providing services like HR to the target business for a period after completion. Agreements should contain clauses that cover the transfer of personal data from seller to buyer and warranties regarding compliance with data protection law and indemnities, in case of non-compliance.

    Indemnities will protect a buyer if it is later discovered that there has been a breach of data protection laws by the seller. An indemnity will ensure the seller is still liable to pay money towards any penalty fines after completion.

    Finally, it is important to remember that possession of personal data does not always include the right to use the personal data. If the value of the targeted business is connected to its possession of personal data, buyers should seek advice early on as to whether that data can in fact be used by themselves following completion.

    Harrison Drury’s corporate and regulatory teams regularly advice clients on a range of data protection issues. If you require any further advice regarding data protection or business mergers and acquisitions or to seek specialist legal advice from Harrison Drury’s corporate team please contact Kerry Southworth on 01772 258321.

    Questions & Answers

    Leave a Comment

    Leave a comment

    Your email address will not be published. Required fields are marked *


    Manage your privacy

    How we handle your personal data

    The General Data Protection Regulation (GDPR) gives you more control over how companies like ours use your personal information and makes it quicker and easier for you to check and update the information we hold about you.

    As part of our service to you, we will continue to collect, use, store and share your data safely and securely. This doesn’t require any action on your part.

    For more detailed information view our Privacy Hub