Banks and businesses were all rushing to comply with the EU General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. While data protection regulation is not a new concept in the EU, the GDPR significantly expands the rules on using personal data and increases the risks of processing personal data compared to existing legislation. Even deal parties with little or no footprint in the EU may be affected. Failing to comply with the new rules can have serious reputational and financial consequences for a business, including fines for data breaches of up to the higher of EUR 20 million or 4% of global turnover.
This note looks at the impact that the GDPR could have on capital markets transactions, but most especially how it may affect: (1) the due diligence exercise, (2) the extent of warranty (and perhaps indemnity) cover provided in the underwriting agreement, and (3) the risk factors included in the prospectus.
Who does the GDPR impact?
A business that determines the purposes and means of the processing of personal data is called a ‘data controller’, whilst a business processing personal data on behalf of a data controller is called a ‘data processor’. Both data controllers and data processors are subject to a range of obligations under the GDPR. A data processor may also act as a data controller in respect of certain activities where it determines the purposes and the means of processing, for example, when managing client accounts or where it has regulatory obligations which require it to carry out its own anti-money laundering checks.
One of the key changes brought in by the GDPR is the expansion of its territorial scope. As such, from 25 May, even entities with no EU presence may trigger GDPR compliance obligations if they, for example (i) offer goods or services to individuals in the EU, or (ii) monitor the behaviour of individuals within the EU.
As far as capital markets transactions are concerned, the GDPR will impact some issuers more than others. Specifically, since genetic and biometric data is now included within the definition of ‘sensitive information’ under the GDPR, issuers operating in the health and ‘wellness’ sectors (given the increasing use of big data analytics and new technologies therein) will be particularly focussed on ensuring their conduct complies with the new rules as well as the relevant national law. Other issuers that will be impacted significantly by the GDPR are those that deal with large amounts of personal information, such as those that operate in the consumer-facing or financial sectors. It is when dealing with such issuers that GDPR is most likely to impact capital markets transactions as described below.
The Due Diligence Process
The GDPR is likely to impact both the way in which issuers arrange for personal data to be made available, and the way in which the underwriter(s), legal teams etc. use that personal data to perform their due diligence checks. On both sides, we can expect to see increased security and control around access to certain documents or information, restricted functionality, and the ability to audit the steps taken towards GDPR and other data protection compliance.
For example, to provide greater protection of the personal data they control, issuers may more frequently employ aggregation, encryption and redaction techniques before placing items in the data room. Physical (or virtual) access to the data room may also be more restricted, with only core deal team members having unlimited access, to reduce the risk of data breaches.
To safeguard further against the risk of a data breach, we can expect the standard non-disclosure agreement entered into by those performing the due diligence exercise to be strengthened to include a GDPR obligation, and for any third party entity hosting a virtual data room on behalf of the issuer to be subject to a data processing agreement that will likewise include terms on data security.
The Due Diligence Exercise
Through the due diligence exercise, the underwriter(s) and the legal teams will each need to gain an understanding of the nature of the issuer’s business and, for the purposes of checking compliance with the requirements of the GDPR, pay particular attention to the:
- Type of personal data being controlled and/or processed by the issuer;
- Legal basis for processing such data; and
- Usage and storage of the data.
A crucial task will be verifying the existence and content of the issuer’s data protection, privacy and security policies, as well as examining the role of any Data Protection Officer (to the extent that the business needs to appoint one).
It will also be vital to identify and evidence any past breaches in the issuer’s compliance function, not only due to the potential liability entailed, but also because such breaches, if left unremedied, may highlight weaknesses that could impact on the issuer’s future ability to comply with its obligations under the GDPR.
It is already commonplace to see risk factors on the impact of the GDPR included in prospectuses. As with all risk factors, it will be important to understand the exact applicability of, and material risks posed by, the GDPR to the issuer’s business, so that such detail can be captured succinctly in this section of the prospectus.
In addition, the facts set out in the risk factors should be corroborated elsewhere in the prospectus, for example by detailing in the litigation section any material data protection-related claims expected or commenced against the issuer that were alluded to in the risk factor. Regulators are unlikely to let either generic or specific wording that is not so corroborated go unchallenged.
Warranty (and Indemnity) Cover
Within the suite of representations and warranties provided by the issuer to the underwriters in the underwriting or subscription agreements, the application of the GDPR will see additional warranty cover added in respect of the:
- Collection and use of personal data and the rights of data subjects;
- Existence and application of appropriate policies and protocols together with the appropriate IT tools and systems to ensure protection of the data;
- Data restrictions; and
- Data breaches.
In the event that the due diligence exercise exposes any non-compliance by the issuer with the GDPR provisions, underwriters might also justifiably demand the addition of indemnity protection and/or an additional closing condition pertaining to the remediation of such non-compliance prior to completion.