GDPR and the effects on the M&A process
We are currently seeing that the EU’s General Data Protection Regulation (GDPR) has become a major factor in mergers and acquisition (M&A) transactions, adding complexity to the due diligence process and sometimes even causing deals to have issues.
The GDPR regulations came into effect in May 2018 this required companies to strengthen their data protection policies and processes. This has led to the possibility of very high fines of up to 4% of annual global turnover or €20 million – whichever is greater – they have been introduced for organisations that infringe its requirements. While most companies, after 8 months of this new regime, now understand the requirements of GDPR in respect of the operation of their own businesses, the more complex implications of these privacy laws are still unfolding.
The M&A market is one sector where much of this added complexity is playing out. In short, GDPR obligations apply to all organisations that collect or use personal data (i.e. data of “natural persons”). Most target companies would, by virtue of handling information on suppliers, customers or employees, fall within this category and therefore trigger potential GDPR exposure for the acquiring party. The hefty fines for GDPR breaches necessitate that these responsibilities are viewed seriously.
Data security has therefore quickly become a top priority of the due diligence process and suggestions are that the GDPR impact on M&A due diligence will, over the next five years, cause even greater scrutiny of data protection policies and process of target companies by potential acquirers.
A survey of 500+ M&A practitioners across Europe, the Middle East and Africa (EMEA) by Euromoney shows that 55% of respondents had worked on M&A transactions that had not progressed because of concerns around a target company’s data protection and compliance with GDPR. The share was significantly higher in Germany (more than 70%), in the Nordics (more than 65%) and in the UK (more than 60%).
A common difficulty in the due diligence process is that companies believe they are GDPR compliant when they are not.
Instead of calling off a deal because of GDPR-related concerns, many companies decide to invest in the target company’s data security standards. Sums can range from £1-£4 million depending on the targeted company’s size and the offer price can be adjusted accordingly. A common difficulty in the due diligence process is that companies believe they are GDPR compliant when they are not, particularly in relation to underlying contracts and relationships with customers.
Robust corporate privacy policies are an essential element to ensure smooth M&A transactions and the absence of or lack of substance in such policies can be a critical factor in the negotiation process. The implications range from the valuation of a target company and the acquirer’s acquisition strategy, to the due diligence and post-acquisition integration process. A well-drafted M&A agreement will address these privacy issues with comprehensive representations and warranties that apply throughout the due diligence process and extend to the integration of data after the transaction has closed. GDPR responsibilities will be identified in relation to every person who processes or otherwise handles personal data: as different roles have different legal obligations, it is vital that this is fully understood.
During the due diligence process the vendor has the opportunity to disclose the extent to which the company is GDPR compliant, including details of any known data breaches. Incidentally, many businesses will have additional obligations under third party commercial contracts in relation to confidential information and it is crucial that such responsibilities are not “glossed over” in the rush to ensure GDPR compliance alone, otherwise the vendor could be opening itself up to breach of contract allegations. Full disclosure will be sought by the acquirer’s representatives and any privacy concerns will be able to be canvassed in full and subjected to a full assessment.
While complex and time consuming, the due diligence process is obviously essential in any M&A transaction. The full impact of all things GDPR-related must be understood as part of this process to avoid negative surprises later on. Without appropriate recognition of the risks and sufficient protective measures being put in place, data breach issues may become apparent only after a deal has been completed resulting in lengthy and expensive exposure and consequent litigation.