Protecting data during the sale of a law firm
With minds focussed on negotiating the deal and the due diligence bun fight, it is easy for sellers and buyers of law firms to forget that the heart of every law firm transaction is the management of data. As law firms are in a position of trust with their clients, much of the data will be classified as protected personal data that must be dealt with appropriately.
Let the seller beware
Contrary to the traditional ‘buyer beware’ mantra, the risk of mismanaging the firm’s data sits with the law firm being sold. It is this firm that will be classed as the data controller with responsibility for the observance of data protection laws.
Understanding how the firm’s data has been collected whilst in operation will be important in determining how the data for the proposed sale can be managed. Looking at the terms of your engagement letters, privacy policies, disaster recovery plans, service contracts (e.g. HR software and insurance documents) and internal policies will be the place to start in determining the permissions and rights available.
Let the buyer beware
Once the parties have signed the heads of terms, the due diligence process will get underway. A buyer needs to be braced for a deluge of information, with certain private and confidential information (such as employee details) redacted for initial review.
At a point in time during the transaction it is likely that data controllership may pass to the buyer as it becomes a recipient controller, so understanding the data and how it has been collected and stored becomes of critical concern to the buyer. Whilst historical data might be straightforward to manage, the task of contacting and taking ownership over the ongoing case files and clients of the firm is more complex.
Regulatory duties
In addition to the standard data protection rules that apply to any business sale, the Solicitors Regulation Authority (SRA) codes of conduct for solicitors and firms impose the highest standards of client data protection and confidentiality on firms, with heavy penalties for breach.
The national data protection regulator, the Information Commissioner’s Office (ICO), can investigate and impose significant fines for mishandling of personal data, and has a recent record of penalising law firms for insufficient data protection measures. It does provide guidelines on how personal data should be processed during a business sale, which is a starting point for how legal sector transactions are handled. Helpfully, there is precedent that the legal basis for processing and transferring of personal data during a business sale may fall within the ‘legitimate interests’ purpose under the latest data protection laws. That said, the ICO suggests that the categories of personal data (and particularly those of sensitive personal data) are considered on a case-by-case basis.
Practical considerations
During a process that can involve hundreds, if not thousands, of documents, there are practical steps that can be taken to safeguard the personal data in a law firm sale:
1. Non-disclosure agreements (NDAs)
The classic starting point will always be ensuring that a non-disclosure agreement is signed before any details are shared between the parties, with the following considerations:
- Confidentiality: The standard non-disclosure agreement seeks to protect the confidentiality of all information shared as part of the interaction.
- Compliance: Often there will be a ‘comply with all laws’ provision, which will catch general data protection laws.
- Data protection provisions: Any additional or specific requirements around data protection could be spelled out at this early stage.
2. (Virtual) data rooms
The location and method of data sharing needs to be considered to ensure that the right data is being made available to the right people with the following controls in place:
- Access: Limiting the number of people who can access the information in the data room ensures that data is seen only by those with express permissions, but it is also important to consider each document separately to decide if more restricted access is needed for certain documents.
- Redaction: Client files will contain the personal data of the target firm’s clients and their counterparties, so redacting certain personal data will be essential.
- Aggregation/anonymisation: Employment contracts of the staff at the target firm may be shared, and so aggregating and anonymising certain information (e.g. in a table format) will need to be considered.
3. Tech protections
Both parties need to consider the technical methods and practices in place to protect the data being accessed including:
- Cybersecurity: There are technology measures, with which IT support teams will be familiar, that can be used to manage cybersecurity risks whilst sharing information.
- Encryption: The use of passwords and encryption of files can be employed as an additional layer of protection.
- AI tools: There is a rise in the number of instances where contract clauses are restricting or simply prohibiting the processing of data via AI tools, so an analysis of the intended tools should be considered.
4. Data protection practices
Seldom the first port of call when considering data transfers, but the parties could consider their own data protection policies and procedures and collaborate on the right methods for ensuring compliance, including:
- Data protection impact assessments (DPIAs): The ICO provides guidelines on data protection considerations for business transactions, as well as how to perform a DPIA, which can be used to record your considerations and actions to protect data.
- Data protection officers (DPOs): Firms will have individuals in the position of COLP and COFA, but they should also have someone with responsibility for data protection. It could prove useful to get these individuals to liaise properly to ensure seamless decision-making.
- Indemnity: A provision in the sale and purchase agreement could be indemnities for past and future data breaches.
During a sale, the parties always need to strike the right balance as to when, how, and to what extent the data is shared. The emphasis will be on the commerciality of the data and ensuring that the most relevant data is shared to give an accurate reflection of the value of the deal. The proficiency of the due diligence will come down to what data is available, and there will be an inevitable push from the buyer to have as much access as possible to the seller’s data whilst remaining as efficient and as compliant as possible.
The balance therefore needs to be struck by finding the compliant middle ground between handing over the keys to the cabinets and redacting everything to the point of rendering the information useless. The buyer will also need to take a view on the seller’s actions (or inactions) as an indication of whether the buyer may be inheriting potential claims for poor data protection or confidentiality practices.
What lies ahead
Substantial changes to UK data protection law in the form of the Data (Uses and Access) Bill are currently being debated in Parliament. Whilst the proposed amendments are promised to keep the UK in line with the EU GDPR adequacy decision, one of the key areas that the new legislation seeks to address is facilitating the easier transfer of personal data for businesses, especially under the ‘legitimate interests’ purpose.
Whilst business acquisitions are not currently an itemised example of this under the draft Bill, firms need to watch how the legislation will be finalised to ensure continued compliance with data protection laws before, during, and after a transaction.
For further information, please email Mark Hughes or Natasha Lackner or call 0151 906 1000.