Data protection issues for corporate transactions

Personal data, being data that identifies a living person, underpins the majority of modern-day technology businesses. You only have to think of the large consumer tech companies to imagine the information and personal data held.

This personal data is used for marketing purposes and customer service, but also as a form of revenue in the event a third party expresses interest. Personal data includes name, address, date of birth and email address, and must be processed in accordance with the principles of Data Protection Legislation. Businesses must also put in place appropriate technical and organisational measures to implement the data protection principles.

Data protection risks with corporate transactions

Data protection, including cybersecurity, is now becoming one of the major concerns for businesses in acquisition mode.

Business buyers have become more aware of the data protection and cybersecurity liabilities they could be inheriting as a result of an M&A transaction, and so are using specific data protection and cybersecurity due diligence questionnaires to understand the target’s approach to privacy and cybersecurity. The focus on and importance of data protection and cybersecurity issues is likely to increase.

Lessons can be drawn from the ICO’s imposition of a £99m fine on Marriott Hotels in July 2019. Marriott acquired Starwood Hotels & Resorts Worldwide in 2016.

A data breach had occurred at Starwood in 2014 and affected the personal information of almost 400 million Starwood guests, of which about 30 million were in the European Economic Area (EEA), including seven million in the UK. The breach was first discovered in November 2018, some two years after completion of the acquisition.
In explaining the fine, the ICO alleged that its “investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood ….”

Representations, warranties and indemnities relating to data breaches

The above case highlights how difficult it is for a buyer with a tight timeline to access and fully inspect a target’s cybersecurity and any possible historical data breaches.

In practice a buyer will, having received replies to its data protection and cybersecurity due diligence questionnaires, rely on representations and warranties, and possibly indemnities, given by the seller and the target.

Limits on the amount and duration of claims relating to data protection and cybersecurity need to be given careful consideration in light of the results of due diligence in these specific areas, and the parties might also consider some form of cybersecurity insurance.

Data aspects of M&A transactions

Many businesses now operate with few or no fixed assets. These companies’ values are driven by database assets and market reach. These companies are often purchased for large premiums.

Even where data is not core to the seller’s business, data used and processed is likely to include employment contracts, sales contacts, pricing and highly confidential business-critical know-how, contracts with suppliers and information about disputes.

Questions a buyer should raise about seller data and IP

A purchaser will want to try to assess potential liabilities and will raise questions such as:

  • Have all data flows been mapped accurately?
  • Where is the data stored?
  • Is personal data transferred outside of the UK/EU?
  • Has data been obtained fairly and lawfully, with transparent privacy and consent notices?
  • Are all processing records accurate and up to date?
  • What third parties have access to data?
  • With which third parties is data being shared and why? Have those third parties handled the data appropriately?
  • Are adequate agreements in place with data processors?
  • Have there been any claims or are there any potential claims/investigations in relation to data protection?
  • Have there been any data breaches?
  • Are there any outstanding responses to individuals’ rights requests such as Data Subject Access Requests?

What options does a buyer of a business have if there are issues with the seller’s data handling?

  • Insist that the vendor rectifies issues prior to completion, in the form of a condition precedent;
  • Reduce the purchase price;
  • Request certain indemnities from the vendor so that the purchaser is compensated in the event financial damage is caused post completion;
  • Take out insurance.

The solution will often depend on the commercial bargaining power and the purchaser’s appetite for risk.

Selling your business? Seeking Investment? Prepare for data protection issues

Our client base is predominantly SMEs. The majority of these businesses may start off with attention focused on getting up and running and generating revenues, rather than data protection and cyber security.

Issues emerge when founders are looking to exit, or investment is on the horizon.

Enquiry is made by a potential purchaser or investors, and the business is found backtracking.

Moving to scale up stage requires a business to adapt accordingly and scale up its cybersecurity strategies in line with processes and technologies, and to adopt formal procedures and documentation for those procedures.

We can assist.

Why investors will take an interest in data protection

A company may qualify for SEIS/EIS. This may make the company attractive to investors. However, if compliance with the latest data protection legislation is lacking, an investor is unlikely to risk investing. In the old days an investor may have been more relaxed, thinking fines were only dished out to large businesses by the ICO. Those days are gone.

John Deane is the head of our commercial team. John acts for vendors, purchasers, and investors.


John Deane

John solves commercial problems for SMEs and their investors. It is said that he is unbelievably practical and seasoned in finding the right solution without too much fuss. He has an established reputation in the technology, art and media industries.
