Selling a European company? What you need to know about data privacy due diligence

Published on 24th Jan 2023

In a potential sale or investment, a company's data privacy practices can either improve its negotiating position or jeopardize the transaction altogether: preparation is essential.

Legal due diligence is the process undertaken by a potential buyer or investor to understand what legal risks are associated with a prospective company. The potential buyer or investor wants to understand what could end up exposing them to large pay-outs down the line. Data privacy due diligence specifically looks at the company's potential risk of liability due to its data privacy compliance practices.

When a buyer's or investor's lawyers see that there are flaws in a company's data privacy program, they are likely to want the sellers to take on a greater amount of the risk. They might even seek an indemnity in the contract (which means the company would need to pay them for a particular risk on a pound-for-pound basis if it ever ended up costing the buyer after the transaction completed).

Where due diligence is undertaken for insurance purposes, poor data compliance could lead to higher premiums or to the insurance company refusing to provide the insurance altogether.

This level of scrutiny of a company's data privacy compliance program might come as a surprise to some companies, especially those that are new to the UK or EU data protection regimes and are perhaps expanding their company portfolio for the first time. There are, however, measures that businesses can take to help prepare for this process.

Review and update data privacy documents

The due diligence process will require the selling company to provide a number of documents to demonstrate its compliance with data privacy laws. While these documents do not show buyers or investors that the company complies with every aspect of data privacy law, they are a sample designed to give a buyer a good insight into the company's data privacy compliance program.

These documents generally include, but are not limited to, internal privacy policies (such as staff privacy policies), external privacy notices (for example, the website privacy notice), the records of processing, evidence of staff training, breach reports and a data breach procedure. Gathering these documents and reviewing whether they are adequate for legal requirements in advance is likely to make the due diligence process easier.

Check and gather any complaints

It is never a good thing to have to disclose data privacy complaints to a potential buyer; however, being aware of them and thinking about how to raise them in a due diligence process is better than having them uncovered late in the process.

Where there are complaints, the buyer's lawyers will ask the sellers to make warranties to say that there are no active complaints other than those disclosed. If complaints are disclosed early, a seller can still improve its selling position by preparing evidence of what caused the complaint and what actions were taken afterwards to reduce the risk of the complaint repeating itself.

Review the data breach register and check that it is up to date

The company's internal data breach register is a lot less serious than complaints, but the buyer's lawyers will want to see it to understand the breaches that have occurred.

Perhaps counter-intuitively, it is often a bad sign if no breaches are recorded. This is because any large company is likely to have a number of small breaches, such as an employee leaving a phone on the train or sending an email to the wrong person. Having these small incidents recorded shows that the company takes its data privacy duties seriously, and it is even better if the register includes reports showing follow-up actions taken to help prevent similar breaches in the future.

Data sharing terms in vendor contracts

As well as reviewing the commercial risks in vendor/supplier agreements, due diligence is also likely to involve reviewing whether the data privacy terms in these agreements are up to date with current legal requirements and whether they look appropriate for the kind of data sharing envisaged under the contracts.

If there is an international transfer of personal data, these agreements will also need an up-to-date international transfer mechanism, such as standard contractual clauses. This is an area of law that has undergone a lot of change in the last few years, so, if in any doubt, it is worth checking that these mechanisms meet current requirements before a due diligence process commences.

Direct marketing activities

This is a high-risk area, especially if the company has ever bought data sets for the purpose of sending marketing emails. Buying data sets is considered high risk because it is very hard to show that purchased data sets were collected in line with legal requirements in the UK or EU.

Where the company sends marketing information, it also needs to be ready to show records of specific consents for the marketing activities. In addition, using sensitive information for marketing (for instance, if the company is advertising to children or using any special category data) can also be a red flag in a transaction.

If a company is concerned that its marketing practices may not meet data privacy requirements, it should review them as soon as possible, since this area can attract significant regulatory fines.

Osborne Clarke comment

Data privacy due diligence is an important aspect of a company transaction. It can show that the company is on top of its compliance, understands its risks and takes steps to mitigate them, or it can show that the company is not taking this area of law seriously and could be a ticking time bomb for complaints and fines. Whether a company is the former or the latter can drastically improve or hinder its negotiation position in a sale, investment or insurance purchase.

Finding issues or holes in a company's data privacy program during a due diligence process can also be very stressful for the parties involved. The sellers want the deal to go through and will have limited time to resolve the issues. But there is no reason to leave it that late. If a company is expecting to have its documents and procedures under review in the near future, it can prepare in advance with legal support, giving it sufficient time to take the necessary steps to remedy any issues, which may ultimately improve its position in any future transaction.

If you would like to discuss any of the issues raised in this Insight, please speak to your usual Osborne Clarke contact, or one of the experts listed below.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.