‘Evolution, not revolution’: Understanding the relevance of the GDPR in the M&A context

Elizabeth Huang

In May 2018, the General Data Protection Regulation (GDPR) came into force, replacing the 1995 Data Protection Directive. Since then, you have probably found yourself bombarded with e-mails from businesses alerting you to their shiny new privacy policies and politely (or desperately) requesting permission to use your data. What does it all mean? Does it matter? This article hopes to answer these questions, using mergers and acquisitions (M&A) as a case study to indicate some of the commercial implications of the new regulations.

Let’s start with the basics: the GDPR is designed to harmonise data privacy laws across Europe, strengthen the data privacy rights afforded to individuals and improve compliance and accountability with data privacy regulations. In the UK, the regulations are incorporated into UK law by the Data Protection Act 2018 (the DPA 2018), which will remain in force post-Brexit as a piece of native legislation. The GDPR focuses on personal data, defining it as "any information relating to an identified or identifiable natural person. A person is identifiable if they "can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art 4(1)).

Elizabeth Denham, the UK Information Commissioner, has commented that the GDPR represents “an evolution, not a revolution”: the key changes generally represent development and expansion of existing provisions, guided by the overarching themes of improved protection for individuals and improved accountability for organisations 1. One group of changes regard the scope and operation of the provisions 2.Unlike the previous directive, the application of the GDPR is determined by the location of the data subjects – thus it applies even to businesses outside the EU offering goods or services to, or monitoring the behaviour of, individuals within the EU. The GDPR also introduces a requirement of “unambiguous”, or in some cases, “explicit” consent of the data subject to collection and use of personal data (explaining the barrage of data protection communications piling up in inboxes). These new requirements, which impose direct obligations on data processors, are backed up by beefed-up sanctions, including competition-style fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is highest.

In addition, the GDPR introduces important new concepts into data protection, such as a principle of accountability, privacy “by design and default”, and a number of new or codified rights for individuals. The principle of accountability requires data controllers to demonstrate compliance with the six principles set out in Article 5(1):

(a) lawfulness, fairness and transparency;
(b) purpose limitation- personal data shall be collected for specified, explicit and legitimate purposes;
(c) data minimisation - imposes a ‘what is necessary’ limitation;
(d) accuracy;
(e) storage limitation; and
(f) integrity and confidentiality.

Privacy by design and defaultrequires that privacy impact assessments be used at the outset of certain projects and that organisations have built in compliance measures in its online tools and systems. New rights for individuals include a right of data access, right of data portability (a right to have a copy of one’s personal data provided, free of charge) and the controversial right to erasure (also known as a ‘right to be forgotten’), which was litigated recently in Google Spain3.

A note on Brexit: when the UK leaves the EU, it will become a ‘third country’ for the purposes of personal data transfers to and from the EU. The UK will need to demonstrate to the European Commission that it can provide an adequate i.e. equivalent level of protection for personal data being processed in the UK. In addition, the UK will no longer be a party to the US-EU Privacy Shield Framework, and the UK will need to enter into some kind of alternative agreement with the US.

A case study: implications for the M&A context

To understand the implications of the GDPR from a commercial perspective, it is helpful to explore the issue through the lens of an M&A deal, which typically involves complex arrangements for the sharing of vast quantities of highly-sensitive data. Ensuring compliance is a particularly important issue on companies’ radar, given the significantly tougher penalties for non-compliance under the GDPR. As a result, data privacy, previously perhaps a less important issue in the minds of lawyers involved in M&A, now needs to be considered as part of risk evaluation and, more generally, the M&A process itself.Data-sharing in the M&A context is permitted by the GDPR under the “legitimate interests” ground (Art 6(1)(f)), which can be established via a three-part test: (1) purpose: are you pursuing a legitimate interest?; (2) necessity: is the data processing necessary to achieve the purpose?; and (3) balance: do the interests of individuals override the legitimate interest4? Potential GDPR issues may arise at several stages of the M&A deal cycle.

Target selection and valuation

Although the full effect is yet to be seen, it is clear that industries which depend heavily on the collection and analysis of personal data will need to respond quickly and effectively to the requirements posed by the GDPR if they are to fulfil its requirements. The possibility of heavy fines imposed for non-compliance means that the risk of acquiring companies operating in data-dependent sectors e.g. telecoms, marketing, insurance, retail etc. may increase. Companies in those sectors, however, which can demonstrate clear compliance with the GDPR will be more attractive to potential buyers – perhaps enjoying a ‘compliance premium’ as the compliance cost of acquisition will be decreased. Potential buyers will want to conduct a ‘gap analysis’ (examining the company’s current level of compliance and the required level of compliance) to identify how robust a company’s GDPR compliance is5.

Due diligence

While the GDPR raises issues for companies, it also imposes requirements for any data sharing that may take place within the context of deal negotiations and due diligence inquiries. Where a virtual data room is being used, any sharing of data will itself need to comply with the GDPR, keeping in mind its core principles. In terms of the contentof due diligence inquiries, more attention will need to be paid to the company’s data protection policies and infrastructure, and any data privacy risk areas identified, particularly where the target may already have accrued data protection liabilities. The increased incentives to ensure compliance may lead to the emergence of specialised digital due diligence processes6.

Structuring the deal

Given the size of potential fines, acquiring parties may want to include data protection warranties or indemnities within the agreement. Provisions may need to be made for a timeline governing the storage and disposal of data exchanged during, or as part of, the deal in line with storage limitation principles. A market may emerge for specialist GDPR or cybersecurity experts, who may be able to assist with the technical details of data protection compliance.

Post-deal integration

Following the completion of a deal, companies will need to make sure that any data acquired is stored, used and integrated in a way which is compatible with GDPR requirements – this requires that the acquiring company has ensured that its own policies and practices are sufficiently robust. This requires a forward-thinking and pre-emptive approach - that is, to adopt a GDPR compliance strategy even before investigations are made into acquiring potential target companies.

Although the GDPR evidently imposes a number of new and complex requirements on companies, with appropriate preparation and consideration, these challenges can be met relatively straightforwardly. Companies which move quickly to adapt their policies and processes will enjoy a first mover advantage, so adopting a sensible strategy should be a matter of priority. This case study indicates the interrelationship between the businesses and the regulatory framework within which they must operate. While legislation may seem dry and technical, it often has significant ripple effects in the commercial world – one of the key roles of commercial lawyers is to advise their clients on how to respond and adapt to new regulatory requirements. This is something to keep in mind when you are preparing applications and reading business news – ask yourself: how might new legislation affect business decision-making and behaviour?

  1. Burgess, Matt. ‘What is GDPR? The summary guide to GDPR compliance in the UK’. Wired, 4 October 2018, https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018
  2. ‘Key facts on the GDPR’. Slaughter and May, https://www.slaughterandmay.com/media/2535257/key-facts-on-the-gdpr.pdf. Accessed 3 October 2018.
  3. Google Spain v AEPD and Mario Costeja González(Case C-131/12) ECLI:EU:C:2014:317
  4. ‘Legitimate interests’. Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/. Accessed 3 October 2018.
  5. ‘Talking point: GDPR due diligence in M&A’. Financier Worldwide, https://www.financierworldwide.com/gdpr-due-diligence-in-ma/. Accessed 3 October 2018.
  6. Ibid.