UK businesses will be well aware of the General Data Protection Regulation (EU) 2016/679 (GDPR) which came into effect on 25 May 2018.

If your business is located in or holds, uses or processes personal data about individuals located in the UK or EU, then the GDPR applies to you and you need to comply with its standards. The sanctions for failing to comply can be severe, including a fine of up to €20m or 4% of annual group turnover (whichever is greater).

Our Data Protection & Privacy Team has been busy advising on the specific steps that need to be taken by affected businesses (including compliance, ongoing monitoring and internal policy and procedure review). For further information about the GDPR, please visit our hot topic page.

In this insight, we look at the GDPR from a slightly different perspective. What does it mean for those in the M&A world involved with due diligence – sellers, prospective buyers, bidders, investors and their professional advisers? Will it change the way in which we share large volumes of data?

Clearly, there will be a shift in due diligence focus to data protection compliance, particularly for target entities whose core activities require large scale, regular and systematic monitoring of individuals, or those required to process particularly sensitive information about individuals such as health conditions, criminal convictions and offences.

Additionally, buyers and investors are expected to require greater contractual protection (in the form of warranty and indemnity coverage) as the potential sanctions for non-compliance with the GDPR are so high and media coverage means individuals are very aware of their rights, for example, to submit data access requests.

As regards the due diligence process itself and the sharing of personal data, the practical position should not be markedly different from that in place before the GDPR – there was a duty to protect personal data before the GDPR as well as after. We outline below the key factors to consider (from a data protection perspective) before adding information to a data room or other due diligence portal.

What constitutes "personal data"?

It is defined as "any information relating to an identified or identifiable natural person" (a "data subject"). It can include names, dates of birth, postal and email addresses (including a work email address), national insurance numbers, telephone numbers, health information, bank details, opinions and factors specific to the economic, cultural or social identity of that person – essentially anything which can be used to identify a living individual who is the subject of the data.

Consider if the disclosing party (i.e. the target business) holds, uses or processes personal data

In reality, it is hard to see how a target business would not be doing this – for example, is it holding personal data about employees, workers, consultants, customers, clients or members of the public? Personal data will include payroll details, employment contracts, pension and retirement benefits information, entries in accident books, insurance claims, customer lists, B2C contracts and company registers.

Is there a lawful basis on which the target business can rely to disclose this personal data to a potential acquirer of, or investor in the business?

The fifth principle of the GDPR states that personal data must be processed lawfully, fairly and in a manner that is transparent in relation to individuals. This means that, in a due diligence situation, the target business will need to show that it is disclosing the personal data under one of the six lawful bases for processing. Note that if you can reasonably achieve the same purpose without the processing, there will not be a lawful basis. The bases of most relevance here are:

  1. Consent – The individuals involved must have explicitly consented to their personal data being used in an M&A transaction. It is unlikely that such consent will have been provided in existing employment or commercial contracts etc. The target business could seek specific consent at the time of the M&A transaction, but this is unlikely to be palatable to the M&A parties involved due to commercial sensitivity. If an acquirer or investor insists on personal data being disclosed in relation to, say, key personnel or customers, the target business should ensure the consents are clear and specific, in writing, signed and dated. It would also be wise to include confidentiality provisions in such consents if the relevant individuals are not already bound by a non-disclosure agreement relating to the transaction.
  2. Legitimate interests of the data controller (i.e. the target business) or a third party, taking into account the fundamental rights and freedoms of the individual – A seller is unlikely to be able to argue this on a wholesale basis for each and every employee and customer etc. However, it may be possible on a limited basis, for example to enable a prospective buyer/investor to assess the management team.

Should the target business anonymise personal data?

Assuming that there will be very limited circumstances in which processing personal data will be lawful for the purposes of providing due diligence information, a target business/seller and its advisers should aim instead to avoid processing or sharing this information at all. To achieve this the disclosing party and its due diligence team should review all documentation before it is uploaded to the data room (or otherwise made available to the buyer/investor) to ensure any personal data contained within it is anonymised. This is likely to interfere with a buyer/investor's ability to analyse the data (for example, the age demographic of the workforce) and the parties will need to discuss how best to assist with the analysis. It may be that, in certain areas, the disclosing party will have to conduct the analysis on the other side's behalf (for example, confirming the number of employees in certain age bands). Ways in which you can anonymise information include:

  1. Redaction of names, addresses, signatures (where the name is visible), dates of birth and national insurance numbers. Various software tools exist which enable this to be done quickly and easily. Ensure both redacted and un-redacted copies of each document are retained in case you need to identify specific individuals in the future, for example if supplementary enquiries are raised;
  2. Use of staff/customer numbers or codes in place of names provided that the identifier key is kept separately and not also disclosed;
  3. Provision of template employment contracts for non-key employees where the terms of employment are identical save for aspects such as remuneration and benefits (these can be tabled in an anonymised employee schedule); and
  4. Redaction of all sensitive information which falls within a special category of data under the GDPR and requires explicit consent to processing – this includes race, ethnic origin, religious or philosophical beliefs, trade union membership, sexual orientation and information relating to sex life, health information, political views, biometrics and genetics.
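The following is an added illustration, not code from the original article: it applies points 1, 2 and 4 above to a constructed set of employee records, producing an anonymised employee schedule with staff codes in place of names, a separate identifier key that stays with the seller, a seller-side age-band count of the kind mentioned above, and a redaction pass over free-text documents. Field names, code format and the sample records are assumptions.

```python
import re
from collections import Counter

# Constructed sample records (hypothetical; not from the original article).
EMPLOYEES = [
    {"name": "Alice Example", "ni_number": "QQ123456C", "dob": "1985-04-12",
     "salary": 52000, "role": "Engineer", "union_member": True},
    {"name": "Bob Sample", "ni_number": "QQ654321A", "dob": "1961-09-30",
     "salary": 88000, "role": "Director", "union_member": False},
    {"name": "Carol Test", "ni_number": "QQ111222B", "dob": "1990-01-05",
     "salary": 41000, "role": "Analyst", "union_member": False},
]

# Direct identifiers are replaced by a code; special-category data is dropped entirely.
DIRECT_IDENTIFIERS = {"name", "ni_number", "dob"}
SPECIAL_CATEGORY = {"union_member", "health", "religion", "ethnic_origin", "sexual_orientation"}
NI_PATTERN = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")  # simplified NI number shape (assumption)

def age_band(dob, ref_year):
    """Map an ISO date of birth to a 10-year band as at ref_year, e.g. '30-39'."""
    age = ref_year - int(dob[:4])
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"

def anonymise_schedule(records, ref_year):
    """Return (schedule, key): the schedule goes in the data room, the key stays with the seller."""
    schedule, key = [], {}
    for i, rec in enumerate(records, 1):
        code = f"EMP-{i:04d}"
        key[code] = rec["name"]  # identifier key is retained separately and never disclosed
        entry = {"id": code, "age_band": age_band(rec["dob"], ref_year)}
        entry.update({f: v for f, v in rec.items()
                      if f not in DIRECT_IDENTIFIERS and f not in SPECIAL_CATEGORY})
        schedule.append(entry)
    return schedule, key

def age_band_counts(schedule):
    """Seller-side analysis the buyer can no longer do itself once dates of birth are removed."""
    return dict(Counter(e["age_band"] for e in schedule))

def redact_document(text, key):
    """Replace known names with their codes and strip NI numbers from a free-text document."""
    for code, name in key.items():
        text = text.replace(name, code)
    return NI_PATTERN.sub("[NI REDACTED]", text)
```

The un-redacted records and the key must be kept together on the seller side so that a code can be resolved back to an individual if supplementary enquiries are raised.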

We are often asked whether the names of individuals at companies with which the target organisation has conducted business need to be redacted, for example the name of a relationship manager on a facility letter or an individual named on a supplier purchase order form. To avoid any issues with this, a blanket approach to redaction/anonymisation could be adopted. Alternatively, a case by case analysis could be undertaken – the outcome of each analysis would depend on whether this personal information is readily publicly available (if a lot of searching is required to find it, then the answer would probably be no), the position of the employee, and how unique their name is and therefore how likely it is to identify them.

In summary

Given the greater risks and new higher fines arising from non-compliance with data laws, consider very robust warranties in the transaction documents. For due diligence, all members of the team disclosing due diligence information should be vigilant and alive to the anonymisation procedures in place and the disclosing party should ensure it uses a secure and reputable data room platform. The platform provider's contract with the disclosing party should include commitments relating to the protection of personal data in accordance with Article 28 of the GDPR and, in particular, cooperation if a data subject request is received. Where advisers host data rooms on behalf of their clients, it is strongly recommended that:

  • the agreements with the platform providers are revisited in light of the GDPR; and
  • data room rules agreed to by parties accessing the data room are revised, particularly to ensure those parties read and actively accept the terms outlined. Additionally, privacy notices need to be updated and drawn to the attention of the data room users. Don’t forget the very act of setting up a data room and inviting individuals to log in and enter their personal details will also involve processing personal data so the correct information needs to be provided from the outset.