So, you’ve been waiting for years for this. You have built your company up, done all the right things and finally an offer comes in the door from a prospective purchaser. They are just the right fit – a multi-national organisation saying all the right things with an offer that might just see you sitting on that island in Bermuda after years of hard slog.
The data room is set up and the purchaser starts the due diligence phase. It’s ok – you’ve got all this covered. But wait...there’s a full page of due diligence questions on data protection!
How compliant do I need to be for a Merger and Acquisition?
When it comes to the GDPR, many companies are operating a “surface-level” compliance strategy. They might have updated their privacy statement (Marie explains just how important this is here), provided some basic training for employees and maybe put a Data Protection Policy in place. That’s it – JOB DONE, what was all the fuss about?
Many of Fort Privacy’s clients are preparing for M&A activity or are currently in the hot seat in the due diligence phase. And the due diligence process is asking in-depth questions: not simply whether you have documentary evidence of compliance, but whether you can demonstrate compliance in practice.
Here is a summary of the most common M&A due diligence questions when it comes to data protection. How well can you answer these questions?
- Provide a copy of your Data Catalogue
- Describe – and defend – your Lawful Basis for all your processing activities
- Provide a copy of all privacy statements and notices to data subjects including employees and customers
- Provide a copy of all Data Protection Impact Assessments (DPIAs) and Legitimate Interest Assessments undertaken
- Provide a copy of all your data protection policies including data protection policy, breach policy, data subject access request policy, data retention policy and CCTV policy
- Produce documentation demonstrating adherence to the policies listed above
- Provide a copy of your documented technical and organisational measures
- Demonstrate your Breach Management activities going back for at least 6 years
- Show evidence that you have undertaken supplier due diligence
- Produce copies of all relevant customer and supplier data processing agreements and the agreed technical and organisational measures
- Describe the documented transfer mechanisms for all international transfers of personal data
- Demonstrate that staff have been trained and are legally bound to treat personal data confidentially
- Provide a copy of data protection audits undertaken in the past 6 years
- Provide any relevant certifications
Best-case and worst-case outcomes
It would be very difficult to get past these questions with just a privacy statement and some training. Any prospective purchaser is going to want to know that you have your house in order.
At best, it’s going to affect the purchase price and/or the warranties being asked of the seller because (i) the purchaser has a big job to do after the acquisition and (ii) the acquisition will be viewed as a much riskier proposition.
At worst, the purchaser walks away. There’s always a possibility that a nervous purchaser with doubts over the acquisition will walk away if the due diligence responses are not up to scratch.
"Surface-level" compliance is not enough
There are lots of reasons why it’s a good idea to be more than surface-level compliant with the GDPR. In the M&A playing field, where there’s always another company competing for that golden opportunity, it’s vital to put some real work into your GDPR compliance programme; it will save you a lot of heartache in the long run. Contact Us if you need help with getting M&A ready. We can assess your current compliance levels and get you well-positioned to answer the hard questions.