GDPR – Impact on M&A Deals
Merrill Corporation have published a white paper on the EU’s General Data Protection Regulation and its far-reaching implications for M&A. It’s a free download (though registration may be required).
The GDPR comes into effect on May 25th, 2018 and is probably the world’s most comprehensive reform for the protection of personal data. It creates standards for data protection across all EU countries and creates further blue water between EU citizens and US citizens when it comes to the protection of personal data. EU citizens get enhanced rights, shoring up of existing rights and new rights (such as the right to be forgotten).
Businesses outside of the EU need to be aware of GDPR as it applies to them as well if they are selling to consumers based in the EU.
In M&A activity, acquirers would need to exercise caution and conduct appropriate due diligence to ensure that any target company subject to GDPR has been compliant with the provisions of the legislation. Many companies will need to have a “Data Protection Officer” and companies based outside of the EU who collect / process data will need to appoint local representatives as their point of contact for EU data protection officials.
One of the most critical changes looming with GDPR is the requirement that businesses notify authorities in member states within 72 hours of becoming aware of a data breach. That is a significant acceleration in the notification process, considering companies are often still attempting to understand the scope of a breach within that time frame. They are also required to report the breach to the data subjects “without undue delay.”
There are stiff penalties for non-compliance and fines can extend to 4% of a company’s global revenue.
The opportunity here is that many businesses based outside of the EU are expected to re-evaluate their RoI on EU activities and decide to sell off divisions, or companies, rather than risk high penalties. According to a survey by PwC, nearly one-third of respondents said that they were planning on reducing their activity in the EU.
For UK (or EU) firms looking to make acquisitions, this withdrawal of American and other cross-border competition may result in lower prices. For business owners, particularly owners of businesses likely to have cross-border appeal, the withdrawal (or reduction) of foreign investors may prove detrimental to multiples.
Undoubtedly, the big impact will be around due diligence:
“Additional diligence at all stages of the M&A process will be paramount,” wrote Gail Crawford, a partner at Latham & Watkins and chair of the firm’s Internet & Digital Media Industry Group. Crawford added that there should be a greater emphasis on verifying important compliance features, including:
+ The existence of data protection officers
+ Records of data processing activities
+ Whether the entity generates privacy impact assessments for new projects
“Understanding how a target collects, stores, uses and transfers personal data will be vital in understanding the valuation and risk associated with a transaction,” she stated.
If a target is not in compliance, appropriate price reductions, indemnities, covenants or rectification of non-compliant issues would be wise. In a recent deal, Yahoo! Inc.’s sale to Verizon Communications was discounted by $350 million as a result of past data breaches coming to light!
Sound practice for vendors is to ensure proper documentation and evidence of meeting all GDPR regulations. Failure to do so could result in deals failing to complete or the acquirer demanding discounts for the data that is considered “unusable”.
As Deloitte’s Peter Gooch, cyber risk services partner, observed: “Organisations should not see this as just a regulatory compliance program. Having the right privacy requirements embedded into an overall customer engagement strategy can also be a competitive advantage.”
Clarity has a report on beneficiaries and the implications for the M&A market.
Primitive Logic and the NCC Group look at GDPR-related compliance and due diligence in M&A transactions.
GDPR’s impact on M&A is global and not limited to firms based in the EU.
For advisers, GDPR is an opportunity for adding value.