Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Personnel Today

Register
Log in
Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

General Data Protection RegulationLatest NewsMergers and acquisitions

GDPR: Managing privacy is now key to mergers and acquisitions

by Tim Bird 24 May 2019
by Tim Bird 24 May 2019 Shutterstock
Shutterstock

This weekend marks a year since the introduction of the General Data Protection Regulation. Tim Bird examines how worrying gaps in data protection could be hampering the growth of many promising businesses.

With the notable exception of the €50 million (£44 million) fine levied on Google by the French data regulator for the tech giant’s “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”, some of the frenzy around GDPR is starting to subside.

As the dust settles, and companies turn their attention back to other matters – such as growing their business through mergers and acquisitions (M&A), disposals, joint ventures, private and public fundraisings – it is becoming clear that many are still lacking adequate privacy policies.

In the past, privacy matters, if they were thought of at all, tended to be considered at a late stage in an M&A transaction and dealt with hastily and perfunctorily.

Now, in the post-GDPR age, robust privacy policies are becoming essential to kick-start corporate transactions.

Lawyers are urging clients to consider privacy as early as possible in the pre-transaction process, with the aim of attracting investment in the first place and minimising surprises later on, which threaten to send deals of all sizes off the rails prior to completion.

It is not unheard of for privacy problems to become apparent once a deal has been completed – a situation which can result in lengthy and expensive litigation.

Due diligence

Privacy expertise will usually be drafted into a corporate M&A transaction during the due diligence phase, which typically lasts two-to-three months or more, depending on the size and nature of the deal.

In the post-GDPR age, robust privacy policies are becoming essential to kick-start corporate transactions”

Due diligence gives the seller an opportunity to disclose the extent to which they are GDPR-compliant, including details of any known data breaches.

The buyer’s lawyers have the chance to “red flag” any privacy concerns they come across in their due diligence work.

The M&A agreement can then be amended and warranties and indemnities drawn up to reflect the privacy disclosures, removing any data protection stumbling blocks further down the line.

Post-GDPR, lawyers are increasingly seeing issues in the post-merger integration (PMI) phase that have arisen as a result of privacy lawyers’ due diligence – issues won’t prevent the buyer from closing the deal, but which are significant and which the company and its advisers will want to put right post-acquisition.

In the run up to the implementation of GDPR, many companies took non-legal advice from advisers and consultants, which tended to focus on mapping data flows and other functional aspects of their data collection and storage, which they believed were sufficient to comply with GDPR.

However, in lots of these cases, the companies had failed to look in practical terms at what GDPR meant for their underlying contracts and their relationships with customers – and it turned out that, despite having forked out on costly privacy exercises, many were, in fact, not GDPR-compliant at all.

Early mover advantage

After a year of living with GDPR, it is important to stress that privacy is not just a box-ticking exercise for lawyers, or even simply something companies have to do to avoid fines.

Taking advice on privacy is increasingly a condition for companies to invest into other companies, so getting data protection input can be pivotal to a company receiving the funding they need to grow the to the next level.

Companies therefore need to be willing to cooperate with their advisers and recognise that privacy is more than just a compliance issue, but a vital value indicator in M&A”

As companies grow, they find they can negotiate with more authority and sign contracts according to their own terms and conditions, rather than those of their often larger, more powerful customers.

When negotiating with large customers, it’s helpful for a company to be able to say it has thought about privacy in its policies and procedures, both on its internet portal and in its Ts and Cs.

Rubber-stamping a company’s privacy policies will usually be a judgment-based assessment and will depend on the nature of the business.

If the business only holds HR and customer data, these records are common to any business and means lawyers can take a standard approach. Increasingly though, companies of all kinds hold large marketing databases as part of their sales and customer outreach functions.

A buyer of that company will want to know how the consents for those marketing contacts were gathered and whether or not they can legally continue to use that data.

Failing to spot an issue which ultimately leads to a cyber breach can also cause huge reputational damage to a business that ultimately destroys the value of an M&A transaction.

More carrot than stick

In a carrot-and-stick approach to GDPR, the stick has certainly been more vigorously brandished over the last 12 months  but, the Google fine notwithstanding, penalties for GDPR non-compliance have been slow to materialise.

Perhaps more significantly for businesses, there is also a clear marketing benefit in having enhanced privacy policies and provisions.

Larger players in the M&A market now expect consideration of GDPR to be embedded in their targets, so those that do not may find themselves dropping off shortlists for acquisitive investors.

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

OptOut
This field is for validation purposes and should be left unchanged.

Companies therefore need to be willing to cooperate with their advisers and recognise that privacy is more than just a compliance issue, but a vital value indicator in M&A.

As GDPR is only a year old, market practice around privacy and data protection continues to develop, so approaches by businesses and their advisers need to be fluid.

Tim Bird

Tim Bird is a corporate partner in Fieldfisher's privacy, security and information and cyber security teams.

previous post
Promote flu vaccination as a ‘positive lifestyle choice’
next post
A third expect to be working into their seventies

You may also like

Benify and Benefex merge to become Benifex

12 Feb 2025

Up to 2,300 jobs at risk as Aviva...

23 Dec 2024

Royal Mail takeover approved, staff to receive dividend

16 Dec 2024

Herbert Smith Freehills and Kramer Levin law firms...

12 Nov 2024

What do mergers mean for people management?

8 Oct 2024

Nationwide set to retain Virgin Money staff in...

7 Mar 2024

Yodel acquisition saves thousands of jobs

13 Feb 2024

Tesco Bank staff to transfer to Barclays

9 Feb 2024

Microsoft slashes 1,900 gaming jobs

26 Jan 2024

SOM and COHPA to merge

25 Jan 2024

  • 2025 Employee Communications Report PROMOTED | HR and leadership...Read more
  • The Majority of Employees Have Their Eyes on Their Next Move PROMOTED | A staggering 65%...Read more
  • Prioritising performance management: Strategies for success (webinar) WEBINAR | In today’s fast-paced...Read more
  • Self-Leadership: The Key to Successful Organisations PROMOTED | Eletive is helping businesses...Read more
  • Retaining Female Talent: Four Ways to Reduce Workplace Drop Out PROMOTED | International Women’s Day...Read more

Personnel Today Jobs
 

Search Jobs

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits
Forum for Expatriate Management
OHW+
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2025

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2025 DVV Media International Ltd

Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+