We recently hosted a webinar as part of PL&B’s 33rd Annual International Conference on data privacy and M&A. During the session, we talked the audience through the key privacy compliance issues that we have come across.
One of the first points we discussed - and arguably the most important takeaway of all - is to consider data privacy at the outset of any deal and involve the internal and/or external data protection team(s) as soon as possible. This will mean that any privacy concerns can be raised and addressed at the early stages of the transaction (avoiding major headaches during crunch time, including frantic last minute drafting) and ensures the parties stay safely within their “privacy by design” obligations.
Another question to consider early on will be whether data privacy, and the rules on direct marketing, will or should affect the deal structure. This can arise if the marketing lists are an important asset so the ability to continue e-marketing post completion is important.
It will also be important to ensure that the data processing that will occur at the different stages of the transaction is itself compliant. At the outset of the due diligence process, the seller should consider which lawful bases will be relied on for the relevant processing, how to comply with transparency obligations, preparation of legitimate interest assessments and, where relevant, data transfer impact assessments.
During the session, we also considered what to look out for when drafting some of the most important transaction documents, including the non-disclosure agreement, share purchase agreement, and any transitional services agreement. For example, should the buyer have a right to walk away from the deal in case there is a significant data breach between signing and completion?
We then discussed the (many) concerns around data integration planning and what to do when it is difficult, or very costly/time-consuming, to separate personal data that should remain with the seller from the data that should transfer to the purchaser. We concluded our session with a reminder of the importance of involving internal and external data privacy advisers at the outset of any transaction – for the vast majority of transactions data privacy issues will not (and should not) operate as blockers if those advisers are involved in the process in a timely manner.
Arguably the most important takeaway of all is to consider data privacy at the outset of any deal and involve the internal and/or external data protection team(s) as soon as possible.