GDPR law: Guidance for M&A
If your company is currently involved in or considering a merger and acquisition, you’ll need to ask a very important question: Do you know if the other business entity needs to be GDPR compliant? There are three critical questions that every US company should be asking about GDPR compliance.
In an M&A, the issue of GDPR compliance becomes increasingly complex. If your company buys or merges with another business, then your company becomes liable for any fines that may arise from a lack of GDPR compliance on the part of the just-acquired entity. Those fines are significant: up to $23MM, or 4% of a company’s worldwide revenue from the prior year, whichever is greater.
There are two main M&A scenarios that can impact GDPR compliance.
Scenario 1: The target is compliant
It’s possible that your company was previously unaffected by GDPR, but now the newly-merged company has EU resident data in your company’s systems after the acquisition. In this scenario, technical due diligence should include an assessment of what would be required to bring your company into a state of compliance. This will include an examination of how both companies would handle any personal data covered by the regulation—the systems, processes and data states affected by GDPR.
If your company is subject to GDPR and was previously compliant, you must actively maintain GDPR compliance as you rationalize/integrate applications, or otherwise use personal data.
Scenario 2: The target is not compliant - but needs to be
Whether your company was unaffected by GDPR or already in compliance before the acquisition, it will be affected now, because the post-M&A business entity will have EU residents’ data contained within its systems. Therefore, your company needs to establish across-the-board compliance.
It’s important to verify a potential M&A target’s claims about its GDPR status, as there is a significant time and financial commitment associated with maintaining GDPR compliance. This becomes quite clear when you consider the GDPR’s very broad definition of personal data. Additionally, you will want to evaluate the processes for the GDPR’s new rights of data subjects, such as responding to the right of erasure or responding to data portability requests using an appropriate digital format, and when possible transmitting the requested data directly to your competitor. As a result, you may discover that there’s a very high cost associated with achieving and maintaining compliance. In some cases, this cost may negate the financial benefits of the M&A.
GDPR guidance: Other key considerations during the M&A process
GDPR compliance can be quite challenging because the regulation is designed to be far-reaching. The objective is to harmonize and modernize data protection laws to account for the Internet, digital marketing, social networks, and other data tracking capabilities, and to give EU residents a great deal of control over how their personal data is handled. It’s not just consumers, either. Citing the “right to be forgotten” provision, employees can demand that you erase personal data if it is no longer necessary. This is especially pertinent to M&As, as it is not uncommon for the newly-merged company to see layoffs or a higher-than-average turnover rate amongst employees during that transition.
If you’re involved in an M&A or are considering the possibility of a future merger, you’ll want to ensure that both you and your target, as well as the combined entity, are fully GDPR compliant.
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.