New GDPR Regulations in Europe: What Does This Mean for M&A?

On the 25th May 2018, a new data protection regulation (the General Data Protection Regulation or GDPR) replaces the Data Protection Directive with the aim of protecting the personal data and privacy of EU citizens. It must be adhered to by all companies conducting business in the EU, regardless of the location in which they operate.

So, in the context of M&A activity, how will this affect you? One of the changes places a heavier emphasis on the privacy of a company’s customers; therefore, companies will be scrutinised on how they collect, store, use and transfer personal data. The knock-on effect this then has is that during a transaction, an acquirer will carry out even more comprehensive checks on the target, examining internal data protection systems and processes and undertaking checks on contracts with suppliers and subcontractors, which must comply with the new regulation.

This is in an acquirer’s best interest, as they inherit any existing data protection liabilities from the seller post-sale and the penalties for a breach are steep, attracting a maximum fine of either €20m, or 4% of global turnover, depending on whichever figure is highest.

It also will have an effect on the communicating of personal data during the due diligence process between an acquirer and seller. Personal data can now only be disclosed if the acquirer can show a legitimate interest. While in the M&A process, an acquirer can prove that they do have a legitimate interest in the data this is unlikely to extend to every individual involved in the business, instead just encompassing members of the organisation such a managers. Care then has to still be taken to not personally identify any individual outside of this remit, so a seller must make sure they are cautious not to identify individual customers or employees and suitably anonymise this data.