GDPR due diligence in M&A
May 2018 | TALKINGPOINT | MERGERS & ACQUISITIONS
Financier Worldwide Magazine
May 2018 Issue
FW moderates a discussion on GDPR due diligence in M&A between Mark Steele at Deloitte LLP, Philip Whitchelo at Intralinks, Gail E. Crawford at Latham & Watkins LLP, and Siân John at Microsoft.
FW: How would you characterise the way companies in general have responded to the EU’s General Data Protection Regulation (GDPR) since it was originally announced?
Whitchelo: We saw quite a lot of denial in the early stages when organisations looked at the enormity of the task ahead of them. We see much more acceptance now with most organisations having a nominated and empowered owner and a plan. Remediation work in many organisations will continue well past the enforcement date and those responsible will be closely watching the interpretation of regulators during the first few investigations.
John: Initially there was a lot of lethargy. Only a minority of companies started preparing after it was originally announced. Among others there was some scepticism or even inertia regarding whether it would apply to them, even those that were informed of the legislation. For many, both before the regulation was signed and for the year to 18 months since, the focus has been on gaining information. Many organisations are still early on in their projects to address the requirements of the GDPR.
Steele: Based on our experience within a transaction context, most companies have started thinking about GDPR but few have deep confidence in how they should understand, measure and monitor GDPR compliance. The GDPR details a list of principles regarding the processing of personal data, yet many companies are still to determine how best to implement them in relation to their industry. It is essential for companies to define a clear scope for GDPR compliance. Most do not have a clear view on what data they actually hold and are leveraging expertise from cross-functional teams such as HR, legal, IT and compliance as a result.
Crawford: Responses have been varied, but on the whole it has taken both large and small companies a long time to gear up and get robust project governance and budgets in place to run such a large project. As such, many companies will struggle to have implemented all desired steps by the deadline. Even those companies that started in good time have been hampered by the lack of guidance and delays in seeing drafts of implementing legislation, resulting in a lack of clarity on how to change internal processes and procedures to ensure compliance.
FW: Could you provide an insight into how the GDPR will affect companies undertaking mergers & acquisitions (M&A), especially given its extraterritorial scope? What regulatory penalties might await acquirers that fail to incorporate GDPR considerations into their transaction processes?
John: Companies involved in M&A need to take account of whether the goods and services that either side supplies are available to residents of the European Economic Area (EEA) for purchase. Appropriate steps need to be taken to ensure that the personal data of residents held by companies on both their customers and employees in the EEA, and that the appropriate level of handling and protection of that data, is preserved as information is shared and as processes and technologies may change throughout the M&A process. There may also be concerns from customers of an acquired or merged company at the news of the M&A activity, so they may issue subject access requests or evoke their right to erasure at the time of an acquisition.
Steele: Through GDPR, companies are forced to review the way data is processed, establish procedures for protecting data, including the ability to report on data breaches, while also ensuring associated legal requirements are adhered to when protecting personal data. This has resulted in companies adapting their approach to M&A activity by tailoring their due diligence processes to include the principles set out by the GDPR. Companies that do not adopt a thorough approach to achieving compliance and implement effective procedures for dealing with cyber security breaches could hold a significant risk within a transaction, which could also lead to substantial fines being imposed.
Crawford: The most significant change in the new regime is the level of fines: a fine of the greater of 4 percent of global turnover or €20m, compared to a few hundred thousand euros under the old regime. Purchasers will want a much greater level of comfort around data protection compliance. Thus, we can expect more focus on diligence and perhaps an increase in indemnities to protect against data breaches and other issues that occurred prior to completion.
Whitchelo: The GDPR will drive a significant behavioural change in acquirers. The key areas for M&A transactions will naturally be due diligence processes, as well as post-merger integration. Acquirers will need to engage in a much more comprehensive due diligence process to fully assess a target’s ability to comply with the GDPR. Understanding how a target collects, stores, uses and transfers personal data, as well as the details of any historical data breaches, will be vital in understanding the valuation and risks associated with a transaction. The post-merger integration process will also need to address how existing consent from data subjects will affect the integration and future business goals of the combined entities, to allow for different uses of the data after deal completion.
FW: How important is it for acquirers to identify the level of a target company’s GDPR compliance? What steps should they take to achieve this?
Steele: Due to the substantial fines being imposed on companies that are non-complaint, assessing a target’s maturity as regards GDPR compliance is becoming an increasing area of focus. It is now commonplace for an acquirer to embed GDPR considerations within a technology due diligence scope, to help inform a view on a target’s roadmap to compliance and the identification of associated risks. For example, cyber security flaws not identified until after a transaction can have a material financial impact, either through additional investment required to remediate risks, or through fines being enforced by regulators through the GDPR due to the loss of customer, employee, supplier or other sensitive data.
Whitchelo: High profile data breaches, combined with pending data privacy regulations which put higher financial penalties on data breaches, such as the GDPR, will result in the scope of M&A due diligence being significantly widened to cover not just the usual legal, financial, commercial, environmental and HR aspects, but also to create a new ‘digital due diligence’ or ‘cyber security due diligence’. The adoption of the GDPR will play a crucial role in enforcing cyber security to a standardised level across the EU. Any global company that holds personal data of EU citizens will need to comply. In general, all companies handle personal information. If a target company does not have appropriate technical and organisational measures in place to protect personal information, it could be subject to large fines. Acquirers need to do appropriate cyber security due diligence on the target, otherwise they could be taking on a big additional risk.
Crawford: It is critical for buyers to conduct a gap analysis to assess the target’s GDPR readiness so that they understand what work will be needed post completion to bring the company into compliance. Not only will the purchaser need to assess the risk of non-compliance, but also the cost of any changes, in particular, systems-based changes required. The level of compliance that may be acceptable will vary, depending on the type of data processed. For example, for a company that does just business-to-business sales, a lower level of compliance may be acceptable, compared to a company processing sensitive health data. While part of the assessment is legal and can be undertaken by review of policies and notices, and typical Q&As with the seller, good security is critical to compliance with data protection laws. As such, any critical systems holding sensitive personal data, such as log-ins and passwords, credit card information, health data and so on, should be assessed from a technical IT security perspective.
John: It is essential to understand the level of a target company’s GDPR compliance as this can have a material impact on the cost of the acquisition. If the company being acquired is in a poor state, this could lead to significant exposure and a lot of expense and work to put the appropriate protections in place. As part of the acquisition process, they need to consider how much the business of the organisation they are acquiring relies on the use of personal data. They should ask the company about their personal data practice as part of their due diligence, including covering whatever data governance and security controls are in place.
FW: How should acquirers adapt their due diligence processes to assess potential risks arising from the new data privacy requirements?
Whitchelo: If you are the buyer, you will want assurances that the target has taken appropriate steps to protect confidential information from breaches and has considered upcoming data privacy regulations, such as the GDPR. You will also need to conduct cyber security risk assessments of the target. If you are a target, the question is how do you make this easier for the buyer? What should you provide at a basic level? What could you offer? Targets will need to consider cyber security as part of any vendor due diligence process.
John: Acquirers should ensure that the target company’s success does not rely on improper use of personal data from the EEA. They need to review the understanding of the company they are acquiring on their personal data protection obligations and what processes are in place to protect that. This should include relationships with any third-party vendors and suppliers they work with.
Steele: Historically, technology due diligence performed on a target typically covered assessing all the adopted technologies and strategies in protecting data. However, the emergence of new data protection regulations such as the GDPR has prompted technology due diligence processes to adapt by embedding GDPR considerations, which helps form an alignment between technology and legal aspects of data protection. Four steps should be considered in due diligence for GDPR. First, confirmation of the completeness and suitability of the approach an organisation went through to gain comfort on the GDPR. Second, confirmation that the data sets, risks and mitigations for GDPR risks have been assessed for the business going forward. Third, confirmation of changes to the treatment of the data sets, risks and mitigations for GDPR risks have been assessed as a result of the M&A activity. Finally, an analysis of the separation and carve out risks for GDPR should be carried out.
FW: To what extent will acquirers need to evaluate the IT networks and systems of their target companies to understand the nature of the data they hold? How should acquirers go about analysing data locations and preparing to centralise records as soon as possible?
John: The process will be similar to the impact that other regulations have had on acquisitions. There is a need to validate the statements made by the company being acquired to ensure that it is providing the protection required. This is probably going to be an evolving process, as with the technical due diligence provided for other regulations.
Crawford: Understanding the nature of the data to be processed is critical to tailoring any diligence. Depending on the level of risk, purchasers may rely on verbal or written responses to questions, whereas for other businesses where data processing is critical, acquirers may want a technical assessment undertaken. Whether that is possible will depend on the nature of the process, for example there will be less scope for technical reviews in a competitive bid process.
Steele: With the emergence of new data protection regulations such as the GDPR, it has become more important than ever before for acquirers to conduct a technology due diligence assessment to evaluate the risks in key technology domain, such as networks, infrastructure and applications, and how risks relate back to GDPR requirements. Acquirers should conduct a data inventory and mapping exercise when analysing data locations, in order to build out a relevant compliance programme for meeting GDPR obligations. Furthermore, this approach will allow companies to maintain detailed records of their data processing activities. Centralising records will help control and governance of data, but management teams need to firstly look at what is best for their business in terms of data management.
Whitchelo: Data protection readiness, risks and liabilities will become a much more important part of due diligence under the GDPR, given the potential for fines imposed on the practices of a newly acquired entity to be calculated on the annual revenue of the combined company. Auditing physical and electronic stores of personally identifiable data and then validating policies and procedures associated should be a higher priority than centralising data.
FW: Following the GDPR, will it be advisable for dealmakers to draw up a data processing agreement to establish the life cycle of data and ensure its erasure after a transaction is complete? What might this involve?
Crawford: Initially we will likely just see more data processing clauses in non-disclosure agreements (NDAs). We are of the view that potential acquirers are data controllers of the information they receive as part of the sales process, as they use that data for their own purposes. As such, they should, in line with an NDA, only use the data to evaluate the transaction, and in compliance with the law. If the data is exported, controller to controller, model clauses should be used. As is standard practice today, personal data in data rooms should be excluded or limited to the greatest extent possible.
Steele: Best practice dictates that in a deal both the buyer and seller revisit the GDPR agenda. Deals in relation to full separation and under transition service arrangements can significantly change the GDPR status of an organisation and its requirements. For example, the impact of data leakage or the transfer of data between two entities will need to be considered over the separation programme. As such, sellers and buyers may, going forward, require data to be erased post deal. This activity is increasingly going to require automated cleansing tools to help ensure structured and unstructured data is removed.
John: It is advisable to implement good data governance in any operation, including personal data, which includes managing across the life cycle.
FW: In your opinion, could the GDPR have a knock-on effect to sale and purchase agreements, affecting reps and warranties, for example?
Crawford: Data protection warranties will get longer and we will see more indemnities for disclosed issues.
Whitchelo: Non-compliance by a target, or evidence of heightened risks discovered during due diligence, may lead to additional GDPR-related conditions in any sale and purchase agreement. These could include the exclusion of certain GDPR-related liabilities from the deal, specific indemnities, covenants and additional conditions to closing. Over time, the insurance industry may be prepared to offer cover for GDPR-related liabilities, but premiums are likely to be very expensive until the industry has established data on loss rates.
FW: Looking ahead, how do you expect M&A processes to evolve in the wake of the GDPR? Do acquirers need to rethink their approach to transactions now, to avoid non-compliance down the line?
Steele: Since the announcement of the GDPR and as the deadline draws closer, it has become more apparent that companies have adapted their M&A approach by embedding GDPR considerations into their overall due diligence processes. This approach should be maintained in order to minimise any non-compliance down the line through acquisition. Preparations for the implementation of GDPR requirements should already be reviewed by companies or at least the related initiatives prioritised through a clear roadmap. We are already seeing, particularly in sectors which are heavily data dependant, that one of the factors people are considering is zero-day transition service agreements or sellers fully separating the entity and building a separate IT estate on cloud-based technologies prior to sale.
John: Privacy risk needs to be one of the core factors involved in the M&A process. That should really have always been a consideration, but as with many other processes, data governance and privacy has not always had the focus that it should, but it will definitely be important to manage that process.
Crawford: I think there will be more of an increased focus, given that the risk of non-compliance carries much greater fines, rather than a radical rethink. You will see data protection issue potentially going to value in some business, where non-compliance, in addition to a fine, could result in an order prohibiting or varying the use of the data. For example, if there is a deal to acquire a database, detailed diligence will need to be done to ensure it can be used for the desired purposes.
Whitchelo: To combat the threats to M&A processes from cyber security-related issues, acquirers will seek to engage external cyber security experts to provide them with peace of mind and reassurance, and to evaluate the target’s cyber security measures as part of the due diligence process. This raises a lot of new questions. How does one conduct cyber security due diligence? Are new specialist service providers emerging? What do advisers and corporate development teams need to be aware of as cyber security attracts more scrutiny? Does the business have the sufficient technical knowledge and experience to remain compliant? As a buyer, how do I gain assurances that my target has taken appropriate steps to protect its information? As a target, what should I offer as part of the due diligence process, and how do I make it as painless as possible for the buyer? It is also clear that the GDPR and cyber security go together. Both will lead to changes in the due diligence process as the protection of data used in the process will become a critical issue, with the potential to derail a deal if certain criteria are not met or specific safeguards are not put in place.
Mark Steele has over 18 years experience in delivering carve out and post-deal programmes for leading corporate organisations and private equity. Over the last decade he has led some of the largest technology deals. He has also led all aspects of the technology deal programme, including deal negotiation, TSA, cost modelling, solution design, planning and execution. He has also led mainstream business and technology transformation activities delivering right sized and process and MIS change programmes. He can be contacted on +44 (0)20 7303 5393 or by email: masteele@deloitte.co.uk.
Philip Whitchelo is responsible for strategic business and corporate development at Intralinks, a provider of software and services to the global M&A, private equity and banking communities. He is also a member of the Advisory Board of the M&A Research Centre at Cass Business School, City, University of London. Prior to joining Intralinks in 2010, he worked for 17 years in M&A investment banking, corporate finance and management consulting. He can be contacted on +44 (0)20 7549 5200 or by email: pwhitchelo@intralinks.com.
Gail Crawford is a partner in the London office and chair of the data privacy committee and co-chair of the technology transactions group and the internet and digital media industry group. Her practice focuses primarily on data protection, cyber security, technology, intellectual property and commercial law, and includes advising on compliance with global privacy laws and cyber security responses, as well as technology and intellectual property licensing agreements, joint ventures and technology procurement. She can be contacted on +44 (0)207 710 3001 or by email: gail.crawford@lw.com.
Siân John is chief security advisor for the UK and Nordics in the enterprise cyber security group at Microsoft. She works with parties to help them to develop their cyber security strategy, security best practices and to understand how Microsoft’s technology and services can help support digital transformation and cloud services. Ms John is a certified information privacy technologist, as well as holding CISM and CISSP certifications. She was awarded an MBE in the Queens New Years Honours List for 2018. She can be contacted on +44 (0)118 909 4786 or by email: sian.john@microsoft.com.
© Financier Worldwide
THE PANELLISTS
Deloitte LLP
Intralinks
Latham & Watkins LLP
Microsoft Ltd