Due diligence in M&A for data protection and GDPR
Jonathan Armstrong and Tom Fox discuss data privacy, data protection and GDPR in the context of M&A due diligence.
- Data protection and GDPR considerations in M&A diligence.
- Why privacy risk belongs in the data room conversation.
The compliance lens on what flows through a deal's data room.
In this episode of Life with GDPR, Jonathan Armstrong and I take up due diligence in an M&A transaction from the data privacy perspective.
What is GDPR?
And more importantly, how does it impact you and your company?
Join internationally known data privacy data protection expert Jonathan Armstrong and Tom Fox, the compliance evangelist, to learn more about the burgeoning world of data privacy and data protection.
After listening to this episode, you'll walk away with a greater understanding of what this means for you and your organization.
Life with GDPR is a production of the Compliance Podcast Network.
some others that have come up this summer.
So, Jonathan, you look tanned, refreshed.
So, welcome back.
Thanks very much.
Good to be back.
Jonathan, you guys have posted on the Cordery website a client alert around data protection due diligence in transactions, FAQs.
And I found it to be a great resource for not only some basic concepts, but also really to help compliance practitioners and data protection practitioners take a deep dive into some issues.
So I was wondering if we might be able just to explore what you guys are hearing in terms of questions and what responses you're giving.
Yeah, sure.
Happy to.
I think all of our listeners will recall the Marriott case where data protection, or excuse me, an M&A transaction led to a data protection fine and penalty.
So could I start off by asking you, what is meant by data protection?
I think you're right that it's an increasingly important topic.
And it's, in some respects, both yin and yang.
The Marriott Starwood transaction tells us the importance of getting it right from a what-happens-if-you-don't point of view, as you said, an 18.4 million sterling fine for a data breach, which should have been discovered on due diligence.
But there's also a yang as well, in that we're finding that many organisations who do thorough due diligence on acquisition can spot an issue, and then sometimes they have the ability to reduce the purchase price as a result.
And we know that compliance pays a big part in the value of a these days.
Just before 9-11, I acted for an organization that was about to buy a travel agency business.
They couldn't give us persuasive answers on data protection due diligence, and they were still thinking through their answers when the torrid events of 9-11 unfolded.
from the transaction, a transaction it didn't want to complete with the downtick in travel after 9-11.
So, I think due diligence and data protection due diligence has always been important.
And I think it's assumed a bigger importance recently, particularly with private equity playing a lot in this market and a lot of astute private equity businesses being very thorough with their due diligence, both when they're about to dispose and when they're about to acquire.
Jonathan, with many things GDPR-related, would it be a fair assessment to say that this area is still evolving from both the regulatory aspect of what regulators are expecting and the enforcement aspect?
I think you're right.
I think enforcement is definitely a work in progress.
Recently, we've had some very large headline fines, but I think that that whole system is still yet to reach maturity, particularly with a number of appeals being heard, you know, Doorstep Dispensaree being the most recent successful appeal in the UK in reducing the penalty, and both in terms of regulators finding their feet in how they're using their powers.
And obviously, , there's the potential for fines to be very large.
We haven't seen that yet as a percentage of revenue.
But theoretically, because of the complexities of Brexit, fines could be up to 4%, 5%, 6%, 7% of global annual revenue.
So that, as a result, I think, means that the market is settling down in terms of problems.
But additionally, I think there is a lack of maturity in the questions that are being answered and the answers that are being given.
And that's not just a lawyer-to-lawyer thing.
I think I know from my experience that some CISOs, for example, take the due diligence process more seriously than others.
You know, we've had a CISO , he said, we passed a due diligence questionnaire.
Answered "Have you had any data breaches?" with "No."
And then when we said to him, well, you have had this one and this one and this one, he said, well, I only listed data breaches I didn't think I could handle.
But that wasn't the question he was asked.
And so we do have a sort of lack of maturity, I think, in some of the process as well.
And to state the obvious, it's relevant in every single transaction.
It won't just be B2B transactions where this becomes relevant.
Employee data is key.
Employees are being much more aggressive in 2021 than they were in 2020, particularly when there's a transaction and particularly when they think that they might lose out.
Jonathan, where do you suggest a company begin or perhaps , what are the first steps you might suggest?
I think, and I would say this, wouldn't I, that they'll need to speak with counsel who are experienced in this area.
That may or may not be your existing deal counsel.
And then if you're acting for the seller, it would be a good idea to look at the type of questions that the acquirer is likely to ask you.
for the seller.
the type of questions that would be asked and get all of the missing gaps filled.
So, and obviously the obverse is true.
If you're acting for somebody who's acquiring or investing in a business, then you want to think through the questions that you want to ask.
And they might be questions such as, if you're a seller, where's the personal data?
Where does it live?
GDPR things called Article 30 records could help with that if they're complete.
But for many organizations, we found that going to a transaction without that Article 30 record being complete.
You might want to check your privacy policies are up to date and adequate.
You might want to include something technically called a Toysmart notice that will enable you to have more power to pass the data on in the transaction.
You'll need to look at the lawful basis for processing data.
So that's things like consent, , legitimate interest, et cetera.
You'll need to look at potentially data protection impact assessment, particularly if you're providing data to the other side.
You'll need to look at how you're going to deal with subject access request data, subject rights, et cetera.
And then you might need to look at ways in which you can protect personal data.
We do know from cases like Morrisons, for example, in the UK, .
Sometimes when accountancy firms get involved, they're very demanding in terms of details of payroll, et cetera.
That's hard to justify.
So you'll need to look at things like making sure you're only responding with the data that's needed, looking at redaction, anonymization, pseudonymization, and perhaps moderating requests.
, the warranties that you're going to ask for in the agreement, looking at how you're going to seamlessly integrate your system and theirs, and importantly, because of Marriott and Starwood, getting very forensic on latent problems in the technology of the asset you're buying or investing in.
Jonathan, I think every practitioner in the business world, who has ever been involved in an M&A deal is aware of a data room.
And it's become even more important, certainly in the era of COVID-19, does the data room provide its own risks that need to be managed from the data protection perspective?
Yes, it does.
And we have seen cases where there have been data room issues, one of them involving a large U.S. firm where alerts were sent out of the data room to the wrong people.
And multiple potential acquirers were sent each other's data, which affected value, et cetera. So the data room is fraught with potential nightmares, and obviously it's a dream target for a hacker, because all of the corporation's crown jewels are probably there, and they may be less secure in the data room than they are in the 's own systems.
I think people don't look forensically at who is hosting the data room, who has access, what ability they have to export data from the data room, et cetera, et cetera.
And that does need proper scrutiny.
So you have to do due diligence on the data room provider, even if it is your accountants.
You have to make sure that you've got a proper data processing agreement in place with that organization.
, have skin in the game to ensure that they'll keep that data secure.
You'll need to look at access rights.
So if the tax specialists need tax data, enable the access rights so that they can get the tax-related documents, but not other documents.
There should be appropriate non-disclosure agreements.
You should, as I've said, look at data minimization.
What's the minimum data set that we need to do the transaction and only put that data into the data room, look particularly at sensitive or special category data.
So things like health records, sickness records.
And as we said already, where possible, pseudonymize data, redact it or anonymize it if you can.
Oftentimes data isn't useful in a transaction if it's truly anonymized, but there could be occasions when that is possible, at least as a first cut.
You know, for example, is the acquirer interested in how many customer complaints you've had rather than the nature of those complaints.
And if it's just an absolute number, put the absolute number in, not the full record of all of the complaints you've ever had since Adam was a boy.
Let me turn to the buyer now.
What are some of the key questions you advocate a buyer ask or use in the due diligence process?
One of the most simple is are there any data protection registrations needed?
And of the fees being paid, we had such a case where, believe it or not, a household name entity had forgotten to renew its annual registration with the UK Information Commissioner.
You can quite often recover that, but if you can't, there are potential issues, not only in terms of the potential , which is relatively trivial, but also because there's an argument that data has to be destroyed if it's been obtained unlawfully.
So a bit of an obscure one to start with, but we found that that's very easy to check and very consequential if that's not been done properly.
Then you might want to look at who the target is processing data on.
That might be employees, customers, suppliers, job applicants.
Do they understand what they're processing?
Have they got, as we said, there's Article 30 records, which might be able to show you that in tabular format?
Do they have proper data protection notices?
Do they have proper systems for dealing with subject access requests?
Do the data protection notices allow you the flexibility to pass data on?
So we've got a transaction at the moment where a client is at a German entity and their data protection policy just isn't helpful.
It says, you know, we will never share your data even if we are acquired.
Now, that obviously substantially goes to the value of the target unless they can fix that prior to the transaction completing.
Obviously, you'll need to ask about data breaches.
You'll need to look at technical and organizational measures.
You'll need to particularly look at things like outsourcing.
So, if they have a critical supplier who hosts all of their customer data, what terms has that deal been done under?
You'll need to look at things like data transfer, particularly post-Schrems, because there's a lot of litigation in that area.
Things like cookies, again, because there's a lot of litigation.
Ask them questions whether they've been threatened with data protection litigation, particularly class actions, and look at things , like cyber insurance as well.
So the list could probably be 100 questions long, but you'll get a general sense of what we're thinking.
So, Jonathan, what about reps and warranties?
Obviously, every deal is going to have a list of reps and warranties.
Can or should data protection reps and warranties be included?
And once again, I think we have to point back to Marriott and Starwood.
Is that one of the key lessons learned from that enforcement action?
I think it is.
I think you need to do proper due diligence.
But there are still things that you won't know and you may not be able to find out through that exercise.
So you need to look at proper reps and warranties.
Absolutely.
You need, for example, a warranty that data has been handled in accordance with the seller's policies.
You know, I know you've talked about it many times.
Organizations like Enron had gold standard policies, but they didn't follow them.
So somebody will need to have their hands held to the flame, I think, to say that these policies weren't just window dressing, but this is what we followed.
So I think reps and warranties are important.
And again, that's likely to be the process of some careful drafting and in many cases, I think, skilled negotiation.
Jonathan, I'd now like to move to completion and either post-completion or post-acquisition integration.
So typically in the compliance world, if you performed adequate due diligence and then in the post-acquisition phase when it's now your company and you have full access to the data, you have some ability to stop any nefarious conduct and remediate on a timely basis.
Is that true from the data protection world?
are, or is it different so that from day one you can be held liable for violations which perhaps started before but are still going on after closing?
Yeah, I think you can be held liable certainly from day one, and I think in many cases possibly from day minus one.
And why I say that is because there are various transparency obligations in GDPR, and you may need to ensure that those transparency obligations are met to data being handed over to you.
So oftentimes the best cause is for the seller to advise their customers or their employees of the sale prior to completion and to say that when we complete data is going to be shared with the acquirer.
And obviously you can finesse that language.
It's very important for other reasons is very important.
and looking at technical and organizational measures.
So for example, in Marriott and Starwood, we know that there was an issue with a legacy system.
Quite often in a corporate transaction, you may be acquiring a legacy technology system, but you may not be acquiring key personnel who know how to run it and how to secure it.
So either you've got to move on to your platform as soon as possible, or you've got to work out a way of and keeping that legacy system secure whilst you arrange to do the integration, and that will involve both technical and organizational measures. That might mean that you have to hire, at least on an interim basis, some of the seller's staff, maybe on a consultancy basis, to keep the wheels moving and to keep those wheels secure. And then the other thing that you'll have to look at is all of those transparency obligations.
So how do you look after the employees that you've acquired?
How do you look after the customers that you've acquired?
Do you want to align your privacy policies?
Do you want to align your cookies policies?
Are you going to merge websites?
So all of that will need to be thought through, particularly in these days when many organizations are trying to consolidate email services in Outlook 365 and consolidate hosting in AWS or Microsoft Azure.
If that is the plan that you've got post-completion, then you'll have to meet transparency obligations to be able to do that safely.
Jonathan, one of the phrases I came across in researching for this podcast was TUPE, T-U-P-E.
is a new wave band, The Tubes.
This is something very different.
And so I wanted to maybe conclude with your thoughts on the importance of TUPE, what it is, and how a data protection compliance professional can ensure compliance with this unique regulatory scheme.
Yes.
So TUPE transfers are when we change the ownership of an organization, .
We come within EU rules, which have been mirrored in the UK, on moving those employees across.
And in simplified terms, the employees can't lose out.
So they come over to the acquiring entity under the same terms as they previously enjoyed at the acquired entity.
And that obviously could include data protection, promises as well.
For example, if you're involved in an investigation, it's very difficult to conduct an investigation into an employee's private emails versus another jurisdiction like the U.S.
And practices could be inherited from the organization that you're buying from.
And again, the TUPE rules are incredibly complex.
, or visit us on Twitter at Cordery UK, and I'm sure they'll find the information they're seeking. If not, reach out; we'll be there.
Hello everyone, this is Tom Fox. Thanks for listening to this episode of Life with GDPR. I'm going to link to the Cordery Compliance client alert so you can get additional information from both Cordery and Jonathan in that client alert. I'd like to take a minute to tell you about a podcast series that I'm running. It's a very personal podcast series , where I take a look back at 9-11, both the day of 9-11 and 20 years later, as this year's the 20th anniversary of 9-11.
The fall of Afghanistan and Kabul, this series is even more poignant.
In this series, I talk to six individuals whose lives were directly impacted by 9-11, and they're generally in the compliance space, .
is the C-Suite Radio Network.
For more top business podcasts, visit c-suiteradio.com.
Auto-generated transcript, may contain errors. Listen to the original to confirm wording.