GDPR: Managing privacy is now key to mergers and acquisitions

This weekend marks a year since the introduction of the General Data Protection Regulation. Tim Bird examines how worrying gaps in data protection could be hampering the growth of many promising businesses.

With the notable exception of the €50 million (£44 million) fine levied on Google by the French data regulator for the tech giant's "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation", some of the frenzy around GDPR is starting to subside.

As the dust settles, and companies turn their attention back to other matters - such as growing their business through mergers and acquisitions (M&A), disposals, joint ventures, private and public fundraisings - it is becoming clear that many are still lacking adequate privacy policies.

In the past, privacy matters, if they were thought of at all, tended to be considered at a late stage in an M&A transaction and dealt with hastily and perfunctorily.

Now, in the post-GDPR age, robust privacy policies are becoming essential to kick-start corporate transactions.

Lawyers are urging clients to consider privacy as early as possible in the pre-transaction process, with the aim of attracting investment in the first place and minimising surprises later on, which threaten to send deals of all sizes off the rails prior to completion.

It is not unheard of for privacy problems to become apparent once a deal has been completed - a situation which can result in lengthy and expensive litigation.

Due diligence

Privacy expertise will usually be drafted into a corporate M&A transaction during the due diligence phase, which typically lasts two to three months or more, depending on the size and nature of the deal.

Due diligence gives the seller an opportunity to disclose the extent to which they are GDPR-compliant, including details of any known data breaches.

The buyer's lawyers have the chance to "red flag" any privacy concerns they come across in their due diligence work.

The M&A agreement can then be amended and warranties and indemnities drawn up to reflect the privacy disclosures, removing any data protection stumbling blocks further down the line.

Post-GDPR, lawyers are increasingly seeing issues in the post-merger integration (PMI) phase that have arisen as a result of privacy lawyers' due diligence - issues won't prevent the buyer from closing the deal, but which are significant and which the company and its advisers will want to put right post-acquisition.

In the run up to the implementation of GDPR, many companies took non-legal advice from advisers and consultants, which tended to focus on mapping data flows and other functional aspects of their data collection and storage, which they believed were sufficient to comply with GDPR.

However, in lots of these cases, the companies had failed to look in practical terms at what GDPR meant for their underlying contracts and their relationships with customers - and it turned out that, despite having forked out on costly privacy exercises, many were, in fact, not GDPR-compliant at all.

Early mover advantage

After a year of living with GDPR, it is important to stress that privacy is not just a box-ticking exercise for lawyers, or even simply something companies have to do to avoid fines.

Taking advice on privacy is increasingly a condition for companies to invest into other companies, so getting data protection input can be pivotal to a company receiving the funding they need to grow the to the next level.

As companies grow, they find they can negotiate with more authority and sign contracts according to their own terms and conditions, rather than those of their often larger, more powerful customers.

When negotiating with large customers, it's helpful for a company to be able to say it has thought about privacy in its policies and procedures, both on its internet portal and in its Ts and Cs.

Rubber-stamping a company's privacy policies will usually be a judgment-based assessment and will depend on the nature of the business.

If the business only holds HR and customer data, these records are common to any business and means lawyers can take a standard approach. Increasingly though, companies of all kinds hold large marketing databases as part of their sales and customer outreach functions.

A buyer of that company will want to know how the consents for those marketing contacts were gathered and whether or not they can legally continue to use that data.

Failing to spot an issue which ultimately leads to a cyber breach can also cause huge reputational damage to a business that ultimately destroys the value of an M&A transaction.

More carrot than stick

In a carrot-and-stick approach to GDPR, the stick has certainly been more vigorously brandished over the last 12 months but, the Google fine notwithstanding, penalties for GDPR non-compliance have been slow to materialise.

Perhaps more significantly for businesses, there is also a clear marketing benefit in having enhanced privacy policies and provisions.

Larger players in the M&A market now expect consideration of GDPR to be embedded in their targets, so those that do not may find themselves dropping off shortlists for acquisitive investors.

Companies therefore need to be willing to cooperate with their advisers and recognise that privacy is more than just a compliance issue, but a vital value indicator in M&A.

As GDPR is only a year old, market practice around privacy and data protection continues to develop, so approaches by businesses and their advisers need to be fluid.