The ICO’s intention to fine Marriott International, Inc. more than £99 million for a data breach stemming from its 2014 purchase of the Starwood Hotels Group has shone a spotlight on the GDPR exposure that can arise in an M&A context.
We explore some of the practical issues to consider during the process and risks to address during sale document negotiation.
How does GDPR bite on the data room?
On the seller side:
- Go through materials and redact as much as possible – assess with a critical eye what needs to be uploaded
- Consider whether uploaded content is up-to-date / accurate – two key expectations under GDPR
- Review the fair processing notices given to affected individuals – do these need to be supplemented?
- Check that the contract with your virtual data room provider includes the mandatory GDPR terms
- Consider whether the NDAs with bidders/buyers can be used to shield you from GDPR risk and mandate that specific access controls etc. are followed.
On the buyer side:
- Think about the protection under the NDA – can you negotiate in a warranty that all data room contents have been provided in accordance with GDPR and that the buyer team can use these for the purposes of the transaction?
- In the context of an asset sale, think about allocating responsibility for notifying individuals of the change of ownership.
What GDPR issues should I look out for?
The following key points should be picked up in any due diligence of a target which handles personal data:
- Has the correct annual fee been paid to the ICO – or does an exemption apply?
- Have GDPR-compliant privacy notices been given to customers, employees (plus job applicants), suppliers and others?
- Do supplier contracts with processors such as external payroll providers or IT outsourcers contain mandatory GDPR terms?
- Has email marketing been conducted with consent or using the soft opt-in?
- Are internal policies / records in place to demonstrate compliance with GDPR?
- Has a data protection officer been appointed where needed?
- Are transfers of data outside the European Economic Area properly protected?
As the Marriott case shows, it is critically important to couple that kind of legal analysis with technical checks of the security deployed on the target’s systems and IT processes.
What’s the risk exposure?
GDPR risk is a board issue. Significant liability might arise in the following areas:
- ICO fines: the ICO has the power to fine up to the higher of four per cent of worldwide turnover and £17 million. Liability for fines received for pre-completion issues will (in a share sale) remain with the target and careful negotiation of indemnities will be needed to ensure risk is allocated appropriately (bearing in mind the public policy drivers at play, too).
- Reputational impact: in certain circumstances, reputational damage and loss of goodwill can be difficult to quantify, meaning it is difficult to recover losses sustained in these areas. Contracting parties of course typically look to exclude liability in this area. However, because of the major reputational impact that a publicised GDPR breach can have (particularly for regulated or consumer-facing organisations) it is important to consider exposure in this area and how this can be sensibly mitigated.
- Investigation costs: if an individual makes a claim or a breach is notified and the ICO investigates the target, that investigation will be a significant drain on management time and may well involve external fees being incurred (e.g. cyber security experts/lawyers).
- Claims by individuals: GDPR gives individuals a flexible ability to bring a claim; they may have suffered a financial loss but need not have done so, since they can also bring claims for distress. That means a target might need to respond to, or even pay out damages in respect of, claims triggered by a third party’s breach, and then recover those amounts itself from the party at fault.
- Claims by suppliers/partners: due diligence would be required to assess the potential exposure to contract claims if the target was in breach of GDPR commitments.