Managing personal data when selling a business

A question that sellers often ask corporate lawyers when they are about to start selling their business is how to share information about the business as part of the buyer's due diligence process, i.e. the process by which a buyer seeks to understand the business with a view to identifying risks and verifying the price offered for it.

The information shared may include personal data relating to customers, suppliers, employees, and business contacts, in addition to the usual disclosure of intellectual property rights, financial statements, commercial contracts, ongoing litigation etc. Sharing personal data puts business owners in the data protection regulatory spotlight.

This article should help you understand how best to manage personal data during the sales process.

The law governing data protection is based on seven key principles, set out in Article 5 of the UK General Data Protection Regulation (UK GDPR), which are:

  • Lawfulness, fairness, and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security).
  • Accountability.

The UK Information Commissioner's Office (ICO) expects both parties to a merger or acquisition to consider the protection of personal data as part of any due diligence process.

As the UK GDPR imposes significant penalties for breaches of its provisions, continual compliance with the data protection principles throughout a corporate transaction, together with the ability to show regulators evidence of the efforts made to comply, is increasingly important for businesses and their owners in reducing their exposure to liability.

Here are some key questions to ask yourself when sharing personal data during a transaction:

1. How do you currently hold personal data within your business?

Before sharing personal data with a potential buyer, assess your existing privacy policy, privacy notices and disaster recovery plan. In particular, what have data subjects previously been told about how their personal data will be processed, and does that documentation need updating to cover disclosure to a prospective buyer? Where the processing is likely to result in a high risk to individuals, for example large-scale processing of employee or customer data, a data protection impact assessment (DPIA) may be required.

2. Is there a lawful basis for sharing the personal data?

To comply with the first UK GDPR principle (lawfulness, fairness, and transparency), there must be a lawful ground for sharing personal data, and this needs to be documented. The six lawful grounds are set out in Article 6 of the UK GDPR, which requires that the sharing of personal data must be:

  • With the consent given by the data subject; or
  • Necessary for performance of a contract; or
  • Necessary to comply with a legal obligation; or
  • Necessary to protect vital interests; or
  • Necessary to perform a task in the public interest; or
  • Necessary for legitimate interests.

The UK GDPR sets a high standard for 'consent' as a lawful basis: it can only be relied on where the data subject has genuine choice and control and can withdraw consent without detriment. That is rarely the case in a sale process, and particularly not in employment settings, where the imbalance of power between employer and employee means consent is unlikely to be freely given.

In the context of transactions, it is therefore likely that the most appropriate lawful ground for data sharing will be the 'legitimate interests' ground, i.e. that sharing the data with a potential buyer is necessary for the seller's legitimate interest in selling the business. Legitimate interests is not a blanket justification: the seller should be able to show that the disclosure is necessary for that purpose and that its interest is not overridden by the interests or rights of the individuals concerned, and should record that assessment (a legitimate interests assessment). It is also important to remember that this ground will not, on its own, permit the sharing of special category data (such as data on race, ethnicity, health or trade union membership), because Article 9 of the UK GDPR imposes additional conditions that must be satisfied to lawfully process such data. For example, those additional conditions would be relevant to the processing of patients' medical records in the context of the sale of a medical practice.

3. Is there a confidentiality agreement in place?

Before entering into any meaningful discussions with a potential buyer, it is essential that a properly drafted confidentiality agreement (also known as a non-disclosure agreement or NDA) is put in place between the seller and the potential buyer. This should define what is meant by confidential information (to include personal data) and ensure that any person who accesses the data via the potential buyer (such as the buyer’s professional advisers) is also bound by the confidentiality obligations. It should also include obligations on the part of the potential buyer to destroy such data where the transaction does not go ahead and to use the confidential information only for a permitted purpose (e.g. for the purpose of evaluating the potential business acquisition).

Confidentiality agreements do not necessarily satisfy professional duties of confidentiality to clients and such professional regulatory obligations must be dealt with separately from the seller’s data protection obligations.

4. Is there a virtual data room (VDR) set up in which to store information?

VDRs are now the preferred method used by sellers to share information about a business with potential buyers in a controlled environment. A key benefit of using a VDR is that the sellers will have the ability to limit and monitor who has access to the information and how it is accessed.

Due to the nature of the information likely to be held in a VDR, an appropriate level of security over this information will be required to ensure compliance with the UK GDPR. To ensure compliance, the following steps should be carried out, as a minimum:

  • Ensuring that a reputable VDR service provider is chosen. For example, make enquiries about where their servers are located, how they are protected, whether personal data is processed outside of the UK or the EU, what other security measures are in place, whether they back up data (and how often and to where) and how they plan to respond to cyber events.
  • Requiring each user to have their own account with a strong password (and, where the provider supports it, multi-factor authentication), so that every access can be traced to a named individual.
  • Restricting access to the VDR to a small number of named individuals from each party to the transaction, and removing access promptly when someone leaves the deal team or the process ends.
  • Restricting the ability to download and/or print documents, particularly those containing personal data.

5. Can the shared data be anonymised or redacted?

Under the UK GDPR principle of data minimisation, personal data that is shared must be adequate, relevant, and limited to what is necessary for the purpose for which it is processed. For this reason, any data that is intended to be shared during the sale of a business must be relevant and genuinely necessary for that purpose. If it is not, consider whether general information (for example headcount and total payroll by department) will suffice. In cases where disclosure of personal data is required, sellers should ensure that this data is anonymised or redacted where possible, for example when providing details of employees' salaries. Note that data which has merely been pseudonymised (for example, employee names replaced by reference numbers which the seller can still map back to individuals) remains personal data under the UK GDPR and must still be handled accordingly; only data from which individuals can no longer be identified falls outside it. The risk of disclosing personal data in the VDR can also be reduced by using blank template contracts (where appropriate to do so) rather than copies of signed contracts.
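As an added example (not code from the original article), the following Python script shows the two ways of reducing an employee salary extract described above: a pseudonymised per-employee table, in which direct identifiers are removed, salaries are replaced by bands and each row carries a keyed reference only the seller can map back, and an aggregated per-department summary in which small departments are merged so that no total is effectively one person's pay. The employee records, field names, salary bands and the minimum group size are all constructed for illustration; the key in the script is generated at run time and, in practice, would be retained by the seller and never uploaded to the VDR.

```python
"""
Added example, not from the original article: preparing an HR salary extract for a
virtual data room in two forms, a pseudonymised per-employee table and an aggregated
per-department summary. The employee records, field names and salary bands below are
constructed for illustration.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample HR extract; the people, addresses and figures are invented.
EMPLOYEES = [
    {"name": "A. Example", "email": "a.example@seller.example", "department": "Sales", "salary": 42000},
    {"name": "B. Example", "email": "b.example@seller.example", "department": "Sales", "salary": 38000},
    {"name": "C. Example", "email": "c.example@seller.example", "department": "Sales", "salary": 51000},
    {"name": "D. Example", "email": "d.example@seller.example", "department": "Sales", "salary": 45000},
    {"name": "E. Example", "email": "e.example@seller.example", "department": "Sales", "salary": 47000},
    {"name": "F. Example", "email": "f.example@seller.example", "department": "Engineering", "salary": 65000},
    {"name": "G. Example", "email": "g.example@seller.example", "department": "Engineering", "salary": 72000},
    {"name": "H. Example", "email": "h.example@seller.example", "department": "Finance", "salary": 55000},
]

# Fields a buyer never needs in order to value the business; stripped from every disclosure.
DIRECT_IDENTIFIERS = {"name", "email", "home_address", "date_of_birth"}

# Assumed salary bands chosen for illustration; an upper bound of None is open-ended.
SALARY_BANDS = [(0, 30000), (30000, 50000), (50000, 80000), (80000, None)]


def salary_band(salary):
    """Replace an exact salary with its band label, e.g. 42000 -> '30000-49999'."""
    for lo, hi in SALARY_BANDS:
        if salary >= lo and (hi is None or salary < hi):
            return f"{lo}+" if hi is None else f"{lo}-{hi - 1}"
    raise ValueError(f"no band for salary {salary}")


def pseudonymise(records, key):
    """Per-employee rows with direct identifiers removed and salaries banded.

    Each person is tagged with an HMAC of their e-mail under a key that stays with
    the seller and is never placed in the VDR, so the seller can answer follow-up
    questions about a row while the buyer cannot reverse the tag. Because the seller
    can re-identify, this output is still personal data under the UK GDPR (Recital 26)
    and still needs a lawful basis, an NDA and VDR access controls.
    """
    rows = []
    for record in records:
        tag = hmac.new(key, record["email"].encode("utf-8"), hashlib.sha256).hexdigest()[:12]
        row = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        row["salary"] = salary_band(row["salary"])
        row["employee_ref"] = tag
        rows.append(row)
    return rows


def aggregate(records, min_group=3):
    """Per-department headcount and total payroll with small groups merged.

    Departments with fewer than min_group people are folded into 'Other' so that no
    total is effectively one person's salary. If even the merged group is too small,
    the payroll figure is withheld. Nothing here maps back to an individual, which is
    the kind of general information the article suggests where exact figures are not needed.
    """
    by_dept = defaultdict(list)
    for record in records:
        by_dept[record["department"]].append(record["salary"])

    summary, remainder = {}, []
    for dept, salaries in by_dept.items():
        if len(salaries) >= min_group:
            summary[dept] = {"headcount": len(salaries), "total_payroll": sum(salaries)}
        else:
            remainder.extend(salaries)
    if remainder:
        summary["Other"] = {
            "headcount": len(remainder),
            "total_payroll": sum(remainder) if len(remainder) >= min_group else None,
        }
    return summary


if __name__ == "__main__":
    seller_key = secrets.token_bytes(32)  # retained by the seller, not uploaded to the VDR
    for row in pseudonymise(EMPLOYEES, seller_key):
        print(row)
    for dept, figures in aggregate(EMPLOYEES).items():
        print(dept, figures)
```

The two outputs sit at different points on the page's spectrum: the aggregated summary is what the article calls general information and should be offered first; the pseudonymised table is a fallback where a buyer genuinely needs per-employee detail, and it must be treated as personal data in the VDR like any other.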

6. Can the sale and purchase agreement include an indemnity for future data breaches?

Including an indemnity from the buyer for data breaches that occur after completion of the sale can help to minimise the seller's risk, for example where the buyer later migrates the personal data of the acquired business onto its own systems.

To conclude, data protection is a complex area, and the consequences of non-compliance can be serious. So, always check with your professional advisers that they have the necessary depth of expertise in this area when assembling your professional support team for your transaction.

For further information, please contact Megan Crone or call 0151 906 1000.