Transactions involving companies with data
Data underpins the majority of modern day technology businesses. You only have to think of the large consumer tech companies to imagine the information and data held. The data is used for marketing purposes, customer service, but also as a form of revenue in the event a third party expresses interest. The data includes personal information, such as dates of birth, addresses, contact details, and gender. The data must be held in a manner that is compliant with data protection regulation.
Data protection businesses – sale or purchase
Some of these businesses operate without any fixed assets. These companies’ values are driven by the data held and market reach. So, it is no surprise to see companies of this kind purchased for large premiums.
Data protection due diligence – acting for buyer
When purchasing a business of this kind, the due diligence exercise has to be thorough. There are often little to no fixed assets. Data is the asset. Enquiries should be made so as to ensure that:
- The business has the full and informed consent to handle, transfer, and process data on behalf of its customers;
- The business has appropriate data protection policies in force internally;
- Any third parties contracting with the data company for the licence or sale of data have given certain warranties and indemnities to the data company;
- If the company transfers or processes data outside the EEA, it does so in accordance with the guidelines provided by the Information Commissioners Office (“ICO”);
- There is a suitable disaster recovery plan in place, together with appropriate insurances.
The list of enquiries is endless and will of course be subject to the trading activities of the target company.
Addressing risk as a purchaser
What options does a purchaser have upon learning of a prospective issue with the target company’s data handling? The purchaser may:
- Insist that the vendor rectifies issues prior to completion, in the form of a condition precedent. Example being the vendor settles any outstanding court claims relating to data protection;
- Reduce the purchase price;
- Request certain indemnities from the vendor so that the purchaser is compensated in the event financial damage is caused post completion;
- Take out insurance.
The solution will often depend on the commercial bargaining power and the purchaser’s appetite for risk.
Data protection claims
A 2015 court case confirmed that a data subject (individual) can claim damages for distress from a company in the event that the individual’s data is compromised. This has resulted in an increase in claims from data subjects.
A purchaser should flush out any outstanding or prospective data claims. The damage does not stop with the individual claims, as the ICO may commission its own investigation which will likely result in penalties.
Data company purchases – acting for seller
Our client base is predominantly SME’s. The majority of these businesses may start off with little to no thought about data protection. The businesses then scale up but there is often no thought about updating data protection policies.
The issue then emerges when the founders are looking to exit, or investment is on the horizon. Enquiry is made by the purchaser or investor, and the business is found backtracking. We work with targets to get data protection houses in order to streamline a sale or investment process.
Data companies – investments
A company may qualify for SEIS/EIS. This may make the company attractive to investors. However, if the data principles of the company are not up to standard, an investor will not likely risk investing.
GDPR is due to come into force in May 2018, and the regulations increase the potential fines that the ICO can impose on companies. There is a shift towards active compliance – it is time to think now.
John Deane is the head of our commercial team. John acts for vendors, purchasers, and investors. Please do not hesitate to get in touch with John if you have any queries.