The EU General Data Protection Regulation (GDPR) enters into effect as of 25 May 2018, and due to its broad scope, it will also apply to many Swiss companies. If the target company does business with the EU, it is very likely that it has to comply with GDPR. The time to prepare for it started a long time ago and if you begin just now, you are probably already (too) late. Certain articles in the press suggest that you are in good company; a PWC Pulse Survey indicated that although the burdens placed by GDPR are overwhelming, as of December 2016, 23% of the responding US businesses had not even started preparing for it. GDPR compliance efforts are onerous and costly; according to the same PWC Survey, 77% of the respondents plan to spend USD 1 million or more on GDPR. Last but not least, GDPR has teeth, as it will allow for regulatory fines up to an amount of the higher of 4% of yearly global turnover or EUR 20 million, far exceeding the currently possible maximum fines.
In the M&A context, a target company's exposure to GDPR and the cost and status of its GDPR compliance project are relevant mainly for the following reasons: First, they matter in terms of current and foreseeable future (non-)compliance. Is there a GDPR compliance project? If not, has there been a thorough and reliable legal assessment that GDPR is not relevant for the target company? Does this fit with the target's business model as communicated by the seller? If there is a project, is the underlying analysis correct and its scope sufficient? Is it on track, and is implementation advanced enough that compliance can be ensured by next May? If not, what are the likely consequences? Second, these issues matter for the valuation of the target business. What was budgeted for the GDPR compliance project, what has already been spent, and how does that compare to the project status? Is the current budget sufficient? How high are the recurring costs for ongoing compliance, and have they been built into the valuation model?
Key take-aways for buyers: If the Swiss target company does business with the EU, it is very likely that it has to comply with GDPR. Consequently, a buyer should make its own assessment in terms of the necessity as well as the possible one-time and recurring cost of GDPR compliance, and build those numbers into the valuation of the target company. Furthermore, a buyer should seek appropriate specific representations and warranties from the seller as to the appropriate design and current status of the GDPR compliance project. Last but not least, as under Swiss law representations and warranties can only cover the past and the present but not the future, a buyer will want to also seek an adequate guaranty/indemnity that the target company's current GDPR compliance project will ensure compliance once GDPR enters into force.