Data underpins the majority of modern day technology businesses. You only have to think of the large consumer tech companies to imagine the information and data held. The data is used for marketing purposes, customer service, but also as a form of revenue in the event a third party expresses interest.
The data includes personal information, such as dates of birth, addresses, contact details, and gender. However, private banking information is also held.
Some of these businesses operate without any fixed assets. These companies’ values are driven by the data held and market reach. So, it is no surprise to see companies of this kind purchased for large premiums.
When purchasing a business of this kind, the due diligence exercise has to be thorough. There are often little to no fixed assets. Data is the asset. Enquiries should be made so as to ensure that:
The list of enquiries is endless and will of course be subject to the trading activities of the target company.
What options does a purchaser have upon learning of a prospective issue with the target company’s data handling? The purchaser may:
The solution will often depend on the commercial bargaining power and the purchaser’s appetite for risk.
A 2015 court case confirmed that a data subject (individual) can claim damages for distress from a company in the event that the individual’s data is compromised. This has resulted in an increase in claims from data subjects.
A purchaser should flush out any outstanding or prospective data claims. The damage does not stop with the individual claims, as the ICO may commission its own investigation which will likely result in penalties.
Our client base is predominantly SME’s. The majority of these businesses may start off with little to no thought about data protection. The businesses then scale up but there is often no thought about updating data protection policies.
The issue then emerges when the founders are looking to exit, or investment is on the horizon. Enquiry is made by the purchaser or investor, and the business is found backtracking. We work with targets to get data protection houses in order to streamline a sale or investment process.
A company may qualify for SEIS/EIS. This may make the company attractive to investors. However, if the data principles of the company are not up to standard, an investor will not likely risk investing.
GDPR is due to come into force in May 2018, and the regulations increase the potential fines that the ICO can impose on companies. There is a shift towards active compliance – it is time to think now.
John Deane is the head of our commercial team. John acts for vendors, purchasers, and investors. Please do not hesitate to get in touch with John if you have any queries.