Buying a company in the UK or EU? How buyers and investors can protect themselves against data privacy risks
Published on 26th Jan 2023
Buyers and investors will need to consider options for protecting themselves financially when uncovering data privacy risks in a due diligence process
A review of a company's data privacy documents is usually a critical part of due diligence, as any seasoned buyer will be aware. However, what the buyer does with that information is key to protecting its interest in the company, and its financial position in the deal, beyond completion. For a more in-depth look at what data privacy due diligence involves from the seller's perspective, see our Insight.
Where buyers are new to the UK or EU market, they need to understand the risks associated with a company failing to comply with data privacy laws. The financial risks can be large (fines of up to 4% of worldwide turnover or €20 million/£17.5 million for breach of the General Data Privacy Regulation (GDPR)), as can the reputational risks. Depending on the company's activities, other digital regulations may also apply, and the fines and regulatory actions under them can compound.
So what can a buyer do to protect itself when buying or investing in a UK/EU company?
Review data privacy documents
Data privacy due diligence often involves the review of a sample of the target company's documents to demonstrate its compliance with data privacy laws (for example, data privacy policies, breach procedures and records of processing). While this does not guarantee that the company complies with every aspect of data privacy law, these documents serve as an indicator that gives a buyer a good insight into the company's data privacy compliance programme.
But what can buyers or investors do if these documents are not up to standard? Depending on the timing of the deal or the negotiating position of the parties, there are several options to consider. One option is to ask the company to update its documents before the deal completes. However, since these are only a sample of the company's documents, finding that they do not comply with data privacy laws can be a sign that the company is failing to meet some of its other compliance obligations too.
In this situation, the buyer would want to ask for warranties in the sale or investment agreement that the sellers are complying with their data privacy legal obligations. This gives the buyer or investor legal recourse if it uncovers other areas of the company where it is not complying with these laws.
If the buyer suspects that the deficiencies are serious enough, it may even want to push for an indemnity. An indemnity is stronger than a warranty since it shifts the risk onto the seller: if an identified data privacy event occurs, the seller is required to pay the buyer for any loss caused by that event on a pound-for-pound basis.
Check and gather any complaints
It is never a good thing to uncover that data privacy complaints have been made against a company that a buyer wishes to purchase or invest in. It is important to get some further context in order to evaluate what impact this risk has on a potential transaction. For example, did the company suffer any losses (either through claims or regulator actions), and has the company implemented changes since the complaint? If the company has made significant changes since then, this may indicate that there is a much lower risk of a similar complaint arising again.
If the complaint is recent, a buyer will still want to understand how it is being handled, but may have further questions about the processes and procedures of the company which caused it to arise (lawyers will often be the guide on this).
While it is possible to put in place other warranties and indemnities to provide some contractual protection for the buyer in the transaction, a current complaint or regulator action may require something more involved (such as a claw-back or deferred payment if the complaint could affect the value of the company). Ultimately, the buyer will need to consider what options are available to it if it is to pursue the transaction. In addition, the buyer will want to consider the impact of any reputational risks to the company and whether it is comfortable proceeding.
Review and check the data breach register is up to date
Unlike actual complaints made against the company, entries on a company's data breach register are a lot less serious. Perhaps counter-intuitively, it can be a good sign to see some entries, since most companies are likely to experience some minor breaches (someone sending an email to the wrong person, or leaving a phone on the train), and entries like these show that the company is taking its data privacy duties seriously by recording such incidents.
Depending on the types of entries, the buyer may still want to make further enquiries, since it may mean that policies and procedures need changing after completion. The buyer will also want warranties to show that the breach register is up to date and complete in order to provide contractual protection should any hidden risks emerge after the company transaction.
Data sharing terms in vendor contracts
As well as reviewing the commercial risks in vendor/supplier agreements, a buyer will also want to review whether the data privacy terms in these agreements are up to date with current legal requirements and whether they look appropriate for the kind of data sharing envisaged under the contracts.
If there is an international transfer of personal data, the buyer will need to be especially careful, since this is an area of law which has undergone a lot of change in the last few years.
Depending on the findings of the due diligence process, the buyer may want to push for warranties (or in some circumstances, even indemnities) that there has been no breach by the suppliers or vendors that could put the company at risk of complaints, claims or fines. After completion, the buyer may also wish to consider changing some of the suppliers or vendors where the contracts allow for this.
Direct marketing activities
This is a high-risk area, especially if the company has ever bought data sets for the purpose of sending marketing emails. Buying data sets is considered high risk because it is very hard to show that bought data sets comply with legal requirements in the UK or EU. Buyers or investors will want to know whether the company holds appropriate and specific consents for its direct marketing activities. The UK regulator has recently issued some new guidance in this area.
Where the company does not hold appropriate consents, or if a buyer is concerned that the company's direct marketing practices could be putting the company at significant risk of receiving complaints, then the buyer is likely to want to consider its options. This could mean warranties and indemnities in the transaction agreement to cover any complaints or losses that occur due to the marketing activities undertaken by the seller. In addition, a buyer may wish to review the company's marketing activities soon after completion of the transaction to minimise future risks.
Osborne Clarke comment
For a buyer who is new to the UK or EU market, the emphasis on data privacy risks may be a new aspect of a company purchase to consider. However, provided that the buyer is thorough with its due diligence exercise, it should have all the information it requires to make informed decisions about how to minimise risk and exposure in its investment or purchase.