The General Data Protection Regulation (GDPR) will apply in the UK and across all other EU member states with effect from 25 May 2018.

The GDPR will apply to all businesses controlling and/or processing personal data of EU residents, regardless of where the businesses are based (even if they are based outside of the EU). 

It is important that a purchaser undertakes, or instructs their solicitor to undertake, enhanced due diligence on a target business’s data processes and systems, to ensure it is complying or taking steps toward complying with the GDPR. This is important because the fines for non-compliance are significant, with the maximum fine being €20 million, or 4% of an organisation’s total annual revenue for the preceding financial year, whichever is higher. 

I would expect to see particular focus on contractual protection for purchasers in any business transfer agreement or share purchase agreement relating to data protection compliance, especially if the findings of a due diligence process unearth non-compliance or little to no steps being taken towards compliance with the GDPR. In those circumstances, a wide range of remedies, such as warranties, indemnities and/or a conditions precedent seeking to address non-compliance should be sought.

Depending on the structure and type of transaction, a purchaser may wish to integrate assets and data into their own business, which in itself can raise compliance issues. Consideration of the basis of processing data, including consents, should be a priority. Any consent given by clients and/or customers of a target business may need to be re-established if the way in which data is going to be used is changing after completion of a purchase.

If there is to be a restructuring of the workforce after completion of a business purchase, the GDPR will enable departing employees to demand their personal data is removed from systems unless the business is required to keep the data. In addition, particular attention should now be paid to whether or not a target company or business needs to appoint a Data Protection Officer.

If you would like to discuss this matter further, please do not hesitate to contact me on 01245 453847 or alternatively email me at thomas.emmett@birkettlong.co.uk.