Data Protection: 4 Important Questions to Ask Before a Merger or Acquisition

When considering a merger or acquisition, the data protection and privacy aspect of the transaction plays an important role. In fact, buyers, investors, and financial advisors involved in M&A transactions are so frequently confronted with data security and cybersecurity issues, that more than one-third (around 40 percent) of acquiring companies claim to have faced them during the integration phase, after the takeover, according to a report by Forbes – and this number is rising at an alarming rate. This is why it’s now more crucial than ever to understand and realise the value of data protection services in M&A transactions. In this article, we share with aspiring business owners some key data protection considerations to keep in mind for the due diligence process and beyond.

Data Protection: 4 Important Questions to Ask Before a Merger or Acquisition


Experienced in assisting clients who are involved in mergers or acquisitions, data protection officers claim that you need to pay close attention to these four basic questions, keeping data security and privacy in mind:

  • Will it be possible for the purchaser to lawfully use the business data after the sale?
  • Does the seller also have the right to transfer business data, along with the business?
  • Have the potential liabilities regarding data protection been duly taken into account?
  • Are all the data protection and privacy considerations been clearly outlined in the transaction process?

Now, let’s take a closer look at the reasoning behind these data protection considerations.

Data processing by the new owner after a business acquisition

If we assume that the seller has full rights to transfer the business data to the new owner in its entirety, then it’s important for the buyer to confirm whether or not they have gained full rights to use the data as they may please, and also to determine if there are any restrictions regarding its usage. If you are acquiring a business, consider the following points before using any of their data:

  • Purpose: Would you be using the data for the exact same purpose as it was previously being used, before the acquisition? In case there’s a different purpose for using the data, you will need to ensure that you have a lawful and appropriate reason behind it.
  • Consent: If you are planning to use consent as a lawful basis for using the data, then you need to ensure that the consent is actually transferable. In case it’s not, you may have to renew the consent with the help of data subjects, before you can continue processing. It’s essential to have a clear and concise record of how the consent was originally given, and precisely on what basis. Also, keep in mind that you should be able to contact the data subjects after the transfer, in order to renew the consent, and this is something that needs to be discussed with the current owner, well in advance and manage it with platforms such the CMP tool
  • Data storage: Where do you plan to store and process the data, after the acquisition? If you intend to store it outside the EU, then you should do it in a country that’s considered adequate as per guidelines issued by the European Commission. If that’s not doable either, you will need to employ some appropriate transfer mechanism in its place, such as the Standard Contractual Clauses and Privacy Shield, among others.
  • Data sharing: It’s important to prepare an appropriate set of data sharing agreements before the transfer. If you plan to rely on the original data sharing agreements created by the previous business owner, then you will need to ensure that these agreements can be re-assigned legally, if necessary.

The right to transfer business data

Before the GDPR came into force, most businesses operated on an assumption that they could freely profit from any and all business data they held, regardless of its source. However, this perception has changed significantly over the years, now that there’s a better understanding of GDPR and why data needs to be transferred rightfully.

In case you were wondering under what circumstances are sellers not permitted to transfer business data onto the new owner, here are a couple of important points to consider:

  • Do the privacy policies and data sharing agreements (if any) allow for the transfer of the business ownership or control?
  • Have the data subjects provided their full consent explicitly, including parental consent for children? If yes, then will it be possible to transfer this consent lawfully to the new business owner?

Keep in mind that in a trade and assets sale, particularly, the privacy policy of the new owner may no longer be applicable. It’s also important to note that consent may not actually be transferable after acquisition, unless it was stated when consent was originally given and is also reflected clearly in the privacy policy that was applicable at the time when the consent was shared.

Considering potential liabilities after the acquisition

If the new owner decides to take on the seller’s liabilities, they will need to have a clear idea of exactly what they are. Apart from this, it’s also important to discuss with the seller about the level of data protection compliance they are willing to adhere to. For example, the seller should understand their potential liabilities in a trade and asset sale, where the liabilities can potentially remain with the seller. In case it’s a share sale, the purchaser would want the seller to provide them with any warranties and indemnities that may be required for data protection compliance. In the end, evaluating the value of potential liabilities is more of a subjective and commercial question.

In order to safeguard your best interests, however, it’s advisable to perform a thorough audit, keeping data security and privacy in mind. The audit should include a comprehensive range of assessments, including but not limited to:

  • Has there been comprehensive and accurate mapping and cataloguing of every single piece of data?
  • Are up-to-date and complete Records of Processing Activities (RoPA) available?
  • Has Data Protection Impact Assessment (DPIA) been completed thoroughly for all the high-risk datasets?
  • Are transparent privacy policies, consent notices and comprehensive consent records available, in order to prove that the data has been obtained lawfully?
  • Are the Legitimate Interest Assessments (LIA) duly completed, if Legitimate Interest has been used as the lawful basis for processing data?
  • Which parties, individuals, and processors had access to the data previously and had they handled it properly?
  • Does the business have any history of security breaches? If yes, then what was the impact and how much data was compromised?
  • Are there any rights requests by individuals, Data Subject Access Requests (DSARs), investigations, or potential claims related to data protection that are currently outstanding?

Considerations for the transaction process

It’s crucial to ensure that all the necessary rights and permissions are available and that data sharing is being monitored until the completion of the process. Also, make sure you have checked that:

  • The data protection clauses included in the non-disclosure agreements are sufficiently secure
  • The data sharing agreements are enforced between the seller, buyer, and their agents, as deemed necessary
  • The data room is set up paying close attention to data security, keeping in mind the location where it’s hosted, how much data is shared across, how long will it be accessible, what access restrictions are required to restrict downloading and deletion of the data, and who all are authorised to access it
  • The Record of Processing Activities (RoPA) and privacy policies have been updated to clearly mention that the data may be shared to support the various phases of the M&A process
  • The sale and purchase agreement includes data protection provisions that will protect both parties, during various phases of the M&A process and beyond

Why Are Data Protection Considerations Becoming Important for Mergers and Acquisitions?

There are several security risks, such as data loss, for example, which may occur, during the due diligence process or after the transaction has already been successfully completed. This often means that the buyer’s best interests can’t be protected anymore.

So, considering the risk vs reward ratio, it’s crucial for buyers to give sufficient attention to data protection and privacy, even more so if your business belongs to the emerging sectors such as AI, the Internet of Things (IoT), FinTech, AdTech, ECommerce, and Life Sciences, that are known for high valuations and process a significant amount of valuable user data. 

Having said this, it’s common for data protection compliance to be as low as 5 percent in such industries, because of the high volumes of data being processed and the technical complexities. No wonder why business operation in sectors like Real-Time Bidding (RTB) is being closely monitored by the Information Commissioner’s Office (ICO). (read more about data protection considerations for the AdTech industry in our recent blog).

Final Thoughts

Having a comprehensive and well-structured approach towards the audit process for data protection is now more vital than ever for realising the best value for the business and successfully completing the M&A process, whether you are the buyer or seller. If you need any assistance with this, during the M&A transaction, but don’t want to invest into hiring a team of data protection officers, it’s advisable to get in touch with a consultancy that offers outsourced DPO services and has a reliable team of experts on board to take on the job.

Photo credits: