Data is playing an increasingly prominent role in corporate transactions, particularly in global mergers and acquisitions. Many target companies are “data-rich” and the data that they generate, and hold, can have substantial value as a business asset. Purchasers are looking beyond just personal data and customer lists; they are examining, and interrogating, the wider gamut of data particularly where it can accelerate their own position in a chosen market.
From a seller’s perspective, the value of the data it holds is likely to influence the sale price and also the extent of the warranties a buyer will demand of it. Ostensibly, data may seem more “valuable” if the seller can show that it is protected – even indirectly – as an intangible asset. Such protection could be through intellectual property rights (such as database rights), the law of confidence or where the data forms part of a trade secret. Similarly, particularly where personal data is concerned, a seller will want to satisfy itself that the data has been managed in a manner compliant with relevant laws such as GDPR.
Where does the value reside? How can the value be extracted?
During an acquisition, in addition to identifying what data the target holds and its potential value, it will also be important from the purchaser’s perspective to ensure that the value in that data is “transferable”. However, the concept of value can take many forms. When assessing digital value (for example, in the form of a software platform), data may be among the most valuable assets that a company acquires because they can equip the combined entity to pursue strategic digital goals such as enhancing customer experiences. A company may also look to a “data rich” acquisition as a way to modernise its IT systems and eliminate technology debt.
Acquiring data from which a purchaser is unable to properly extract value, renders that data far less valuable to that purchaser. For this reason, the purchaser will want to ensure they have the means to extract that value which might include particular hardware and software and/or key personnel who have the necessary expertise to analyse, and interrogate, the data in meaningful ways. Similarly, a target company with a large cohort of data scientists/analysts may also be particularly attractive for a company lacking depth in these areas.
The means of corroborating the value in the data will be undertaking data-focused due diligence into the types of data a target company holds. Whilst data is an important asset for many companies, the manner in which they collect, process and store their data can vary enormously. Where those processes are found to be inadequate, this can have a detrimental impact on the proposed value which may have been attributed to that data prior to due diligence. Key questions that will come to mind in the first instance include:
- What type of data is being held – is it personal or sensitive data?
- What did the target collect the data for and is it being used for that purpose or otherwise in accordance with the terms set out when initially collected?
- How does the company store and process its data?
Ensuring that there are no concerns with the answers to these questions, in respect of a target’s data, will be key to ensuring the value attributed to that data is credible. For certain types of data, such as customer data, the policies a company has in place will also determine that such data (and the inherent value in it) is transferable to a potential purchaser.
The value in a target’s data may also be measured by how safe and protected it is from bad actors and cybersecurity threats. In that context, it is important for a purchaser to understand a target’s history of cyberattacks (if any) as well as evaluating the strength of the target company’s cybersecurity defences to determine the risk of there being an attack in the future. If data falls into the wrong hands it can become a toxic asset. Understanding how a target has dealt with any data breaches, and the relevant data protection authorities, historically can be insightful; for example is there a history of data breaches or investigations?
Obligations beyond the acquisition
Moreover, there is increased recognition of the importance of robust day-to-day compliance through policies and procedures. This has become more evident in recent years with the rise of the number of data breaches being reported. In 2018, the Information Commissioner’s Office (ICO) fined the hotel group, Marriott, the sum of £18.4 million following its acquisition of Starwood, for what was, in fact, a Starwood breach that happened prior to the acquisition. During its representations, Marriott argued that it was only able to carry out a narrow scope of due diligence on Starwood’s data processing systems and databases. That clearly did not provide an adequate defence and, notably, the ICO was of the opinion that even if fuller due diligence had been undertaken during the acquisition process, that would not have removed Marriott’s continuing obligation to ensure that it complied with the GDPR. So this tells us there is a clear need not only for thorough due diligence, but for robust procedures and policies to be in place post-acquisition to ensure ongoing compliance.
Companies that have robust policies and procedures in place in respect of the data they hold will be better equipped to exploit the value in that data. From a potential purchaser’s perspective, whilst due diligence may corroborate value, it may also identify other potential sources of data value in a target and provide the basis for effective integration of target data into a business. Defensively, it is an opportunity for a purchaser to ensure that it has properly evaluated, and mitigated, potential legal and commercial risks that may come with such data. It will also enable purchasers to understand what actions may need to be taken pre-acquisition as a condition of the deal or, more commonly, post-acquisition as part of a housekeeping exercise to improve compliance and security.
The digital revolution has seen the value of data grow exponentially. Corporate transactions can provide companies with sought after digital capabilities and the ability to extract significant commercial value from diverse sources of data. Whilst data can be incredibly valuable as a business asset, it is crucial to ensure value is not diminished by failings in how it is handled and protected. As we can see from the Marriott case, a valuable data asset, when mismanaged, has the potential to bring financial harm and reputational risk.