26 November, 2018
What does the coming into force of the Data Protection Act 2018 and General Data Protection Regulation (GDPR) mean for those in the Mergers & Acquisitions world carrying out due diligence? Does it require change for the way in which the sheer amount of data is shared?
The due diligence process prior to the GDPR already required a duty to protect personal data, under the Data Protection Act 1998. However, with the GDPR and Data Protection Act 2018 imposing stricter sanctions for non-compliance it seems essential now more than ever, that personal data is processed and disclosed correctly in accordance with the regulatory requirements.
What is Personal Data?
Personal data is information that identifies and relates to natural, living persons. This is broader than simply lists of names or photographs, and includes when various pieces information are combined with other information and the identification is indirect - a potential scenario for any organisation that holds and processes a large amount of data. One thing that is often overlooked is that email addresses of individuals that include their names (e.g. firstname.lastname@example.org) constitute personal data, and so are covered by the regulations.
Some personal data is granted extra protection under GDPR, known as special category data, as this is more sensitive personal data such as, but not limited to, a person's race, ethnic origin or religion. If your organisation does need to share either type of personal data, we shall explore how you can do so under the current legislation.
Sharing personal data
The first thing to consider regarding personal data in any merger or acquisition is do you actually need to disclose any in the first place? Data Minimisation is one of the key principles under GDPR, and it essentially means that you should only use the personal data you need to use and no more.
Most transactions will be between companies therefore the need to share any personal data during due diligence will, for the most part, be minimal. This will of course vary on a case by case basis, for instance a media representation company may be acquired due to its client list, and any individual (as opposed to corporate) clients' information will therefore be personal data. Generally speaking, however, does a prospective buyer need to know the names and ethnicities of each of the target company's employees, or will their job titles and salaries suffice? Further still, does every member of the due diligence team need to have access to all of the personal data, or can access be restricted to those people who have a need to know the information for due diligence purposes?
If you do need to share information about individual employees, clients or customers, does the prospective buyer need to be able to identify those individuals, or can anonymised or pseudonymised data be shared instead? Where you are unable to identify living individuals from data sets, those data sets do not constitute personal data and, therefore, GDPR and the Data Protection Act 2018 do not bite.
Both the target company and the potential buyer will be acting as data controllers in their own right and therefore, if you do need to disclose any personal data, you will each need to identify a lawful basis to justify this, and to comply with your obligations generally (see further below).
Lawful Basis for Processing 'normal' Personal Data
In order to process personal data, e.g. by sharing it with a potential buyer, an organisation must identify at least one lawful basis to do so as laid out in Article 6, GDPR. The article 6 bases most likely to be applicable to any disclosure of personal data in M&A due diligence would be:
There are many circumstances in which you are legally required to disclose personal data. For example, names and other personal data of directors and other officers are required to be published at companies house. Further, where the TUPE Regulations apply, you will be required to give certain employee information (although the stage at which that needs to be given in a de-anonymised form is likely to post-date any due diligence).
Where there is no legal obligation to disclose personal data, you can rely on having a legitimate business interest in processing (by disclosing) the personal data, provided that that legitimate interest is proportionate to the effect that such disclosure is likely to have on the rights and freedoms of any affected data subjects. You should carry out a legitimate interests assessment to document the fact that you have considered the effect that disclosure will have on data subjects, and any measures that you can put in place to mitigate this (for example, entering into a data sharing agreement with the other party reviewing the due diligence).
Outside of legal obligations and legitimate interests, another lawful basis is where the data controller(s) have the consent of the data subject. In practice, however, it is unlikely to be practicable to obtain the consent of all people whose personal data you may need to disclose and, moreover, consent needs to be specific and informed, and you may want to avoid letting all of your employees know that you are considering a takeover at the stage of due diligence. The Information Commissioner's Office (the statutory regulator for personal data) tells us that consent is the last thing that you should be trying to rely on. What's more, consent can be withdrawn by the data subject at any time and, therefore, you could be left in the lurch regarding your lawful basis, halfway through the due diligence process.
Condition for Sharing 'Special Category' Personal Data
If the personal data in question constitutes special category data, then an additional condition, as listed in Article 9 GDPR, will be required, on top of the Article 6 lawful basis. This is unlikely to be pertinent to a merger or acquisition - aside potentially from disabilities of key employees (which can be disclosed anonymously in most circumstances anyway), how often do you need to disclose special categories of personal data?
There are several exemptions in Schedule 2 of the Data Protection Act 2018 which relieve an organisation of their obligations under data protection regulation.
In particular, paragraph 21 of part 4 to Schedule 2 provides an exemption to certain provisions of GDPR in circumstances of "corporate finance", which includes "advising undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and acquisitions" (i.e. due diligence).
Any personal data that is disclosed for the purposes of, or in connection with, due diligence, is exempt from some of the provisions of GDPR. More specifically, you do not need to tell you employees that you are disclosing their personal data to a potential buyer, for example by tipping them off by sending an updated privacy notice to include a sentence saying that you may share their personal data with X Company Limited, because X Company Limited wants to acquire the company.
This exemption does not mean that you can do what you please with personal data intended to be disclosed as part of a due diligence exercise - both data controllers will still need to comply with their other obligations under GDPR and the Data Protection Act 2018.
Means of Disclosure
GDPR requires data controllers to take appropriate technical and organisational measures to ensure the security and integrity of any personal data that they disclose. In practical terms, in circumstances where you are certain that you need to disclose unredacted or de-anonymised personal data to the other side, you should consider whether it is appropriate for this to be put in the standard post, or should you be transferring it via encrypted email or in a secure data room.
Data Sharing Agreements
In the event that there is an identified need to share personal data as part of due diligence, all parties should enter into a "Data Sharing Agreement", which should set out the lawful bases for the sharing, what personal data is to be shared, the purpose for which the data is to be used and what each party's responsibilities are under GDPR and to each other. Data Sharing Agreements ordinarily require a party that causes a data breach to indemnify the other party against any losses (e.g. ICO fines) cause by that breach.
A Data Sharing Agreement will complement any non-disclosure agreements (NDAs) in place as NDAs only cover confidential information, and not necessarily personal data.
The maximum fine for certain breaches of GDPR could be up to EUR 20 million or 4% of worldwide turnover - whichever is greater. Other breaches are capped at half that amount. Given the greater risks and increased fines arising from non-compliance with the GDPR, it is vital that all members of the disclosing due diligence team are assertive and vigilant when handling personal data, and that they only disclose personal data when it is absolutely necessary.
The team must adopt robust procedures to avoid non-compliance and take into consideration those factors discussed above. Taking short cuts are just not worth the substantial fines you could face for failure to comply with the GDPR requirements.
If you have any queries or require specific advice about the matters discussed in this insight, please do not hesitate to get in touch with me at Rebecca McCann, or Dan Crayford at email@example.com, who specialises in data protection matters.