As a small business, you likely collect personal data on your customers. In fact, this personal data is one of your most important assets – without it, you wouldn’t be able to deliver value to your clients. Just like any asset, the personal data a business has collected is an integral part of mergers and acquisitions. For this reason, you may want the support of an outsourced data protection officer.
If you are looking to sell your business, have you considered the implications for your personal data? To understand the role personal data will play, ask yourself these four important questions:
- Do you have the right to transfer personal data?
- Can the buyer lawfully use the data after the sale?
- What are the potential data liabilities?
- Is data protection part of the transaction process?
Let’s go through each of these questions in more detail, looking at the underlying data protection considerations behind each one.
Do You Have the Right to Transfer Personal Data?
Before the General Data Protection Regulation (GDPR) was enacted, the thinking of most companies was that any data they collected belonged to them. The business could use this data to gain a profit, whether it was customer, employer, supplier, or stakeholder data. The GDPR has reversed this idea, however, asserting that personal data your business collects belongs to the data subjects, not you.
As a result, you cannot indiscriminately transfer personal data. To know whether you can lawfully transfer data to a buyer, consider the following factors:
- If you’ve gotten data subjects’ consent (including explicit consent and parental consent for children), whether this consent can be lawfully transferred to the buyer
- If your business processes data on behalf of a third party, whether data sharing agreements allow you to change ownership
Can the Buyer Lawfully Use the Data After the Sale?
Before the buyer can use the data transferred from the seller, both parties need to know if there are restrictions on its use. Will the buyer use the data for the same purpose as the previous owner? If not, the buyer should make sure they can still lawfully process the data.
In many cases, consent from data subjects works as the lawful basis for processing data. The buyer of the business must ensure that consent, as well as the data itself, is transferable. If it’s not, the new owner of the data will have to renew consent from the data subjects.
It’s also possible that the buyer will move the data outside of the EU. If so, that data needs to be in a country considered adequate by the European Commission. Finally, the new business owner should review who the data will be shared with and put any new sharing agreements in place if applicable.
What Are the Potential Data Liabilities?
Collecting personal data as a small company always comes with liabilities. For the new business owner to take on those liabilities, they must understand the level of compliance with data protection regulations up until the transfer.
Buyers should, therefore, complete a full audit of your company’s data protection framework before the transaction is complete. An audit can include items such as:
- How the personal data has been mapped and catalogued
- If the Records of Processing Activities are up to date
- Whether Legitimate Interest Assessments (LIAs) have been done where the company has used legitimate interest as a lawful basis
- If the data was obtained fairly and lawfully
- Review of consent records
- Who the data has been shared with
- Breaches, if any
- Outstanding individuals’ rights requests
Both the seller and the buyer should assist with the audit, so it can be as efficient as possible. In a purchase sale, you have a responsibility as the seller to provide warranties and indemnities regarding data protection compliance. If the liabilities remain with you, as in a trade and asset sale, a thorough audit will help you better understand your own state of compliance.
Going through the data protection landscape of the company before the transaction is complete benefits both the seller and the buyer. Each party has a clear understanding of the extent of compliance, and how to move forward.
Is Data Protection Part of the Transaction Process?
It’s important that the data itself is handled securely during the transaction. What protections are in place for data that is shared and audited by the buyer and their advisors? Through each stage of the process – initial enquiry, populating the data room, due diligence, exchange, completion, and post completion – it’s possible that more and more personal data is shared.
Both sides involved in a sale, acquisition, or merger should keep these considerations in mind to protect personal data throughout the transaction:
- Non-disclosure agreements should have robust data protection clauses
- The buyer, seller, and their agents should put data sharing agreements in place
- The room where the data is hosted should be secure and only accessible to authorised individuals – especially if it’s outside the EU
- Both parties should update privacy policies to allow for data sharing during the transaction process
- Both parties should write data protection provisions into the purchase and sale agreement
- The Record of Processing Activity should be updated throughout the transaction
- Data from the data room should be restricted for download or removal
- Personal data should only be retained for the duration of the transaction process
Making Data Protection Part of Selling Your Business
For companies that rely on personal data, the merger and acquisition process must be handled carefully. Ecommerce, AdTech, FinTech, Internet of Things (IoT), AI, and Life Science sectors all place significant value on personal data and how they process it. The purchase of small businesses is common, but compliance with data protection is not. Even small companies may have high volumes of data that are technically complex to process, making compliance less of a priority during an acquisition process.
There are penalties for not complying with data protection rules, as well as liabilities for both the seller and the buyer. Penalties shouldn’t be the only motivation to protect personal data adequately when you sell your business, however. There’s also immense value for you and the buyer in doing data protection properly, namely, preventing future problems with data processing.
If you want to sell your small business with minimal risks, start considering the implications of your personal data compliance now, and put together a structured approach to processing data through the acquisition process.