On 25 May 2019, it will be a year since the General Data Protection Regulation (GDPR) came into effect. A year ago, inboxes were filled with requests to approve marketing consents and emails informing customers of updated privacy notices following its implementation. Meanwhile, organisations wrestled with the steps necessary to ready themselves for compliance with the new law – gap assessments, data mapping exercises, vendor agreement update programmes and policy and procedure developments.
GDPR has been the biggest change in data privacy law that Europe has seen for more than 20 years. It represents a step change in the regulatory environment relating to the governance of how organisations can collect, store and process personal data. The new regulation sought to address the challenges presented by the prevalence of digital technology by strengthening the obligations on businesses about how they use personal data, including being required to demonstrate compliance and offering greater rights to individuals.
GDPR increased the powers of data protection supervisory authorities to take enforcement action when companies get things wrong. The fines that supervisory authorities can issue were increased to a maximum of 4% of global annual turnover or €20 million (whichever is higher). The impact is real. But, one year on, what has changed and how has it affected M&A processes?
Change of approach
The implementation of GDPR has undoubtedly pushed privacy compliance up the priorities list in the large majority of M&A transactions.
Reputational concerns, combined with the threat of significantly enhanced financial penalties for non-compliance, make privacy compliance, and GDPR compliance in particular, a C-suite issue. For acquisitions or transactions in particularly data-heavy sectors, or where a particular asset or the value of a target is related to personal data, there is significantly enhanced scrutiny of the target's compliance activities as a result of GDPR.
There is particular focus on the cyber risks. Given the experience of TalkTalk – which was fined in 2017, ahead of GDPR's introduction, for a data breach affecting 21,000 customers – and the reputational and professional fallout that follows data security breaches (particularly if they are mishandled), there is now a much greater emphasis on IT diligence in many transactions.
This concern is only further enhanced as the first wave of breach-related litigation claims starts to land on organisations that have suffered a data breach since May 2018 and, as a result, have had to make mandatory notifications. There is some concern in the market that the scope within GDPR for compensation where "non-material" loss has been suffered could result in significant volumes of low-value claims being received following any data security incident. This risk is yet to be realised in real terms, but we know companies are seeing the beginnings of nuisance claims. While cyber is perhaps at the more interesting end of the spectrum, of equal importance are the overall governance structures and frameworks designed to address the risks within businesses appropriately. In light of the expansion of GDPR-like privacy laws on a global basis, a key requirement for organisations that wish to operate at scale is a framework that can manage multiple, potentially competing privacy regimes within a single organisation. Such new laws have been introduced in India and Brazil, and there is the proposed California Consumer Privacy Act.
While many transactions following GDPR have resulted in specific identified risks being addressed or accounted for in valuations, a recurring theme in many transactions is the identification that, for many organisations, GDPR compliance is a "journey". While no organisation will ever at any time be 100% GDPR compliant, the maturity of GDPR implementation projects ranges widely.
A vital requirement of any transaction in such a scenario is to fully understand and assess the steps and measures that have been implemented to date. It is also important to ensure that consideration is given to how the continuation and the completion of implementation will be budgeted for post acquisition, as well as managed from an operational perspective. This could involve incorporating the target into the acquirer's own governance framework or continuing work to finalise a standalone programme for the target. It is worth noting that data privacy laws also cover the sharing of staff information between the parties to a transaction.
Considering the future
First, a proper assessment of data processing activities must be carried out, in the context of both the specific entity and, more widely, the sector in which the business operates. This may drive a very different analysis of what would constitute a mature GDPR/data privacy compliance programme. In assessing the maturity of the target's privacy compliance, consider the following:
- Has it appointed a data protection officer?
- Is there a network of data privacy "champions" or liaison officers instilled and empowered throughout the organisation?
- Is there good evidence of a respectable degree of general awareness of privacy obligations and requirements across the organisation? Is there evidence that a good training programme has been deployed?
- Is there a comprehensive and up-to-date suite of data privacy and information security policies and procedures?
Understanding historic liabilities or engagements with any supervisory authority is also critical. In many instances, individual one-off breaches or other examples of non-compliance can be a sign of systemic data compliance issues, particularly if the entity or organisation has a chequered history of correspondence and complaints with the relevant supervisory authority.
It is also important to consider the Brexit preparations that a British-based organisation may have undertaken in connection with data privacy. These should have focused on deficiencies in data transfer solutions that may arise following the UK's departure from the European Union. There also needs to be a reassessment of the application of both UK and EU data privacy laws, as well as implementation of changes to relevant documentation.
One year on ...
GDPR is clearly here to stay. Organisations should get used to the changing regulatory environment and expect the level of scrutiny to grow as market practices continue to develop.
As the global spread of privacy laws continues, the ability to scale and flex compliance and control frameworks will become ever more important. However, it is also crucial that privacy compliance and GDPR implementation are not perceived by businesses solely as additional costs and risks in respect of any potential valuation. Given the ever-increasing value that individual customers place on their privacy, getting this right and being able to evidence it will become a very attractive competitive advantage in value enhancement.
This article was originally published in Corporate Financier's May 2019 issue.