by Tom Allen
On May 25th, 2018, the major data privacy legislation known as the General Data Protection Regulation (GDPR) takes effect. GDPR introduces substantial changes to existing European Union privacy laws and provides a regulatory framework for the treatment of personal data belonging to EU citizens. Given the linkage between personal data exchange and transaction activity, teams engaged in deal making need to understand the implications for their M&A due diligence processes and transactions.
Although GDPR is a reform specifically enacted in the EU, as ZDNet reports, “...the reach of the legislation extends further than the borders of Europe itself, as companies based outside the region but with activity on 'European soil' will still need to comply.”
Broadly put, companies under GDPR are held accountable for how they handle individuals’ data. This will require improvements to existing data protection policies and impact assessments, and the documentation of data processing activities. Additionally, it will increase compliance requirements for companies that carry out “regular and systematic monitoring” of a large-scale customer or user base, while addressing improvements in how consent is determined when offering or processing private data. Under GDPR, consent is closely scrutinized and becomes harder for companies to obtain. Furthermore, the framework introduces the concepts of ‘Privacy by Design’ and ‘Privacy by Default.’ The former means that minimal collection of personal data and transparency should be the default principles for companies using consumer data. The latter means that privacy settings should be fair and lawful regardless of what end users opt for.
Another major implication of GDPR is that consumers gain the right to know when their data has been compromised by a hack, human error or other cyber security issue, without “undue delay.”
Failure to comply with key GDPR provisions can result in penalties ranging from €20 million up to 4% of a company's annual global revenues. The extent of a fine correlates with the severity of the data breach and the preparedness of the company with respect to compliance, regulations and security.
The disciplinary measures resulting from non-compliance will vary: issues surrounding the rights of data subjects, unauthorized international data transfers and ignored citizens’ data access requests will be dealt with most severely. Lower fines will be assigned for issues around data-breach reporting, privacy by design practices and data protection measures being built into existing corporate processes.
GDPR Considerations for M&A
Industry participants will quickly jump to the compliance and process implications of GDPR for M&A activity. Of course, considerable diligence will be required, and for some, a likely process reorientation for compliance’s sake. As with any disruptive legislation or activity shift, however, industry participants should look beyond the fear of financial penalties and regulatory to-do’s and consider the opportunities offered by the rule changes. Commercial law firm Simonsen Vogt Wiig (SVW) rightly highlights, “...with the right focus, businesses will not only experience a competitive advantage, but may also increase the deal value in M&A transactions.”
For M&A teams, notable examples of how GDPR may affect future transaction experiences are discussed below.
Impact on Valuation
Companies that have been proactive about GDPR compliance should expect to command a valuation premium in the marketplace. Incorporating data protection rules and redesigning or developing processes and plans to maintain compliance is not easy. But target companies that have made strides to update legacy systems and scope cost-effective implementation plans can improve prospective buyers’ view of the company.
Conversely, companies that have lagged in preparing for GDPR represent a risk to buyers. These companies create more ‘unknowns’ around the required compliance investment and planning. Further, acquiring a company that is behind in data protection can saddle the acquirer with fault and liability should this tardiness result in a breach after deal closing.
SVW considers that the impact on valuation could play out as follows:
“We also believe that companies being accurate and strict in data processing and showing transparency towards their customers will be considered more secure and trustworthy players. These factors are likely to be emphasized by potential buyers in the valuation of target companies.”
Impact on Due Diligence Processes
GDPR requirements will add new rigor to both buy and sell-side perspectives.
On the buy-side, acquirers need to develop an understanding of the types of personal data being processed and acquired by the target entity. An effective due diligence checklist should call for rigorous attention to how such data is acquired, managed, used and stored, while also verifying the existence and completeness of policies around consent. For large company targets, this will also include improved efforts to ascertain the role of the data protection officer and to obtain past records on data usage and security. Deal team membership must include IT specialists and available, competent data and system resources to deliver due diligence campaigns thoroughly and effectively.
Practically, security compliance must extend to the virtual data room or any other central deal-management application. Sellers will want to limit the specific detail provided in initial outreach and to control access to proprietary information. Buyers must ensure that sufficient protocols and protection measures are in place within their deal room environments (Midaxo’s VDR solution maintains ISO 27001 certification, for example). Expected features to support compliance would include document permissioning, restricted functionality and the ability to audit the steps taken towards GDPR compliance.
For the most efficient approach to running your GDPR compliance, M&A software could be adopted: Midaxo's platform supports greater collaboration across teams, allows checklists to be imported with a few clicks and provides the ability to track task progress and issue resolution in real time.
[Figure: Running the GDPR Due Diligence Checklist in the Midaxo platform.]
On the sell-side, companies need to acknowledge the focus buyers will now place on discovery and validation in the due diligence phase. To avoid compromising deal opportunities, target companies need to prepare internally. Leading cyber security company NCC Group says that validation will be “...about effectiveness as much as compliance”. This means that anticipating buyer needs and being able to represent the state of GDPR compliance, data security resiliency and the effectiveness of in-process plans is important. Self-appraisal, before any deal conversations commence, is a helpful step. To improve pre-sale readiness, the Midaxo GDPR Due Diligence Playbook can be used.
Since buyers will be pursuing deeper operational, technical and intellectual property analysis, prospective targets should also understand how personal information relates to each of these areas and make these discovery initiatives as seamless as possible for buyers. All of this preparation will ultimately add to the target’s perceived competitiveness in the marketplace.
Impact on Closing & Integration
Given the significance of GDPR penalties, we can expect that deal closing activity, particularly around establishing representations and warranties, will feature new levels of vigilance. With GDPR looming, both parties to the transaction will be scrutinizing acquisition agreement language around privacy and data security. Buyers will want to know that data was collected in accordance with relevant laws and that no data restrictions or unaddressed security incidents exist. Buyers will also likely push for deeper indemnity and closing condition protections, extended limitation periods for data protection related claims and pre-closing covenants to ensure that the target moves quickly to full compliance after acquisition.
Laurent Marville, partner at Paris-based Reinhart Marville Torre, suggests that in drafting representations and warranties “...the purchaser should insist on certain aspects of compliance”, including:
- Due respect for the rights of data subjects and the effective possibility for such data subjects to exercise those rights;
- The use of IT tools ensuring real protection of data and secure access by data subjects, meaning that the seller should give representations about the audits and inspections carried out, both in relation to the target’s own data security systems and those of its processors (if the target is the controller);
- The implementation of contractual risk mapping with all processors to limit the liability of the controller;
- The use of the compliance tools provided in the GDPR.
Upon successful deal close, integration activities may shift from what has been standard in a pre-GDPR world. Greater emphasis will be placed on short and medium term tactical activities to guard against data protection non-compliance and the resulting penalties. Security transformation, risk management and governance, technical cyber security reinforcement and cyber defense planning will be prioritized for post-merger integration. These should already have been key focus points during due diligence.
GDPR should not be feared, as healthy utilization of personal data will create new standards of trust and cooperation among companies, consumers and partners. But the changes will require shifts in M&A transaction activities. Deal teams need to factor the investment of time, allocation of expert resources and broad team coordination into making these post-GDPR workstreams move efficiently. Whether or not they use deal management software, the companies that will thrive in this new world will remain organized, with repeatable, well-managed and centrally owned processes around all stages of deal making.