Health and Care update: GDPR when buying or selling a business

Published: Tuesday 29 January 2019

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. Just about every business will have been impacted by this legislation and will have reviewed their procedures for handling personal data. If a business is located in or holds, uses or processes personal data about individuals located in the UK or European Union, then GDPR applies. Sanctions for failing to comply can be severe.

If you are selling or buying a business then compliance with GDPR must be carefully considered. Part of the transaction process will normally entail a detailed financial and legal due diligence review of the target business. This always involves sharing large volumes of financial and legal data about the business with the potential buyer and their advisers. Inevitably, personal data is involved. The definition of personal data is very wide and includes ‘any information relating to an identified or identifiable natural person’ (a ‘data subject’). It can include names, dates of birth, postal and email addresses (including a work email address), national insurance numbers, telephone numbers, health information, bank details etc. – in fact, anything that can be used to identify the individual who is the subject of the data.

There can be cases where there is a lawful basis to disclose personal data to a potential buyer, for example where the buyer has a legitimate interest. A buyer is unlikely to be able to maintain that it has a ‘legitimate interest’ in respect of each and every employee and/or service user. However, it may be possible on a limited basis, for example to enable a prospective buyer/investor to assess the management team. In addition to a lawful basis to disclose, an additional ‘processing condition’ must be met to disclose some types of more sensitive data, such as health information and criminal conviction data. More information about lawful bases and processing conditions can be found on the Information Commissioner’s Office website: https://ico.org.uk

Should the target business anonymise personal data?

There will be limited circumstances in which processing personal data will be lawful for the purposes of providing due diligence information. For example, the buyer might well have a legitimate interest in knowing the age, medical condition and fees of individual service users but does not need to know their name for the purpose of their enquiries. Anonymised data, however, falls outside GDPR and can be provided.

To achieve this, the seller and its due diligence team should review all documentation before it is made available to the buyer/investor to ensure any personal data contained within it is anonymised. This could well be detrimental to a buyer/investor’s ability to analyse the data and the seller, buyer and their advisers will need to discuss how best to assist with the analysis. It may be that, for some information, the seller will have to carry out analysis on the buyer’s behalf.

Ways in which information can be anonymised include:

  1. Redaction of names, addresses and other information from which the individual can be identified. Various software tools exist which enable this to be done quickly and easily.
  2. Use of numbers or codes in place of the names provided.
  3. Redaction of all sensitive information which falls within a special category of data under the GDPR and requires explicit consent to processing – this includes race, ethnic origin, religious or philosophical beliefs, trade union membership, sexual orientation and information relating to sex life, health information, political views, biometrics and genetics.
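The approaches in points 1 to 3 above, combined in one small script as an added example (not part of the original article): direct identifiers are dropped, each name is replaced by a sequential code, date of birth is reduced to the age the buyer actually needs, special-category fields are removed, and the code-to-name key stays with the seller. The field names and the sample register are constructed for illustration. Note that while the seller holds that key the extract is pseudonymised rather than anonymised from the seller's side, so the key must never be placed in the data room.

```python
from datetime import date

# Constructed sample extract (fictitious people) of the kind a seller's
# due-diligence team might pull from a care home's service-user register.
SAMPLE_RECORDS = [
    {"name": "A. Example", "dob": "1941-03-12", "address": "1 Sample St",
     "email": "a@example.invalid", "condition": "dementia",
     "weekly_fee": 950.0, "religion": "Methodist"},
    {"name": "B. Example", "dob": "1950-07-30", "address": "2 Sample St",
     "email": "b@example.invalid", "condition": "diabetes",
     "weekly_fee": 875.0, "religion": "none stated"},
]

# Fields from which an individual can be identified directly (point 1).
DIRECT_IDENTIFIERS = {"name", "address", "email", "phone", "ni_number", "dob"}
# Special-category fields that are redacted outright (point 3); health data is
# handled separately so the buyer's stated need for it can be honoured.
SPECIAL_CATEGORY = {"religion", "ethnicity", "trade_union",
                    "sexual_orientation", "political_views", "biometrics"}


def age_on(dob_iso, as_of_iso):
    """Age in whole years on the given date; replaces the date of birth."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def anonymise(records, as_of_iso, keep_health=True):
    """Return (buyer_extract, seller_key).

    buyer_extract goes into the data room; seller_key maps code -> name and is
    retained by the seller only (point 2).
    """
    extract, key = [], {}
    for i, rec in enumerate(records, start=1):
        code = f"SU-{i:04d}"
        key[code] = rec["name"]
        out = {"code": code, "age": age_on(rec["dob"], as_of_iso)}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS or field in SPECIAL_CATEGORY:
                continue
            if field == "condition" and not keep_health:
                continue
            out[field] = value
        extract.append(out)
    return extract, key


def redact_text(text, key):
    """Replace retained names in free text (e.g. a care plan) with their codes."""
    for code, name in key.items():
        text = text.replace(name, code)
    return text
```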

Other considerations

Legal advice should be taken on the personal data already held by the target entity, to ensure it is GDPR compliant and to establish whether it can be used by the new owner. The steps for notifying individuals about who is going to be using their personal data, and in what ways, should be confirmed.

Conclusion

If you are buying or selling a business GDPR cannot be ignored. Data protection principles apply to every stage of the transaction – whether the transaction is completed or not.

Advice should be taken from your legal and financial advisers to ensure you stay GDPR compliant, or risk heavy fines or other enforcement action by the ICO.