Among the most important assets that get transferred in an acquisition is the data the buyer will need to run the business. Product and service specifications are just the beginning. Customer information, including pricing information, key contacts and credit history will be of critical importance. Supply chain data is another crucial area, and buyers will probably want access not only to contracts but records of negotiations and any past issues that may have arisen in relation to quality, on time deliveries and so on.
Some of that information may be subject to GDPR regulations, particularly in the case of consumer businesses such as retailers who have collected personal data on their customers.
Those regulations definitely apply to the sharing of employee data. That is quite a complex area as information on employees, their pay and conditions and so on will need to be shared long before a transaction is complete. Sellers must take care to ensure that data shared at due diligence stage is aggregated, does not contain employee names, and that individual employees cannot be identified. Only on completion should the full data be shared and even then the employees need to be notified that it is happening.
In addition, information on former employees may need to be shared and they must be informed as well.
The transfer of all that data, along with financial records and other information is a very complex undertaking particular when it is in an unstructured form. Buyers need to be sure that nothing of substance has been left out and that no one’s rights have been infringed during the process.
“Above all, a comprehensive due diligence exercise followed by thorough warranty and indemnity provisions in the transaction documentation, ideally with a retention of some of the purchase price for an agreed period post-acquisition, should ensure all relevant data has been provided, and if it hasn’t, the buyer should have recourse,” advises John Given, managing partner and head of M&A with KPMG Law LLP.
Data is often held in digital and physical formats, and this can add to the complexity of the transfer. “We tend to see digital formats being the preferred option for transferring data,” says Emma Ritchie, director and head of data, digital and technology with KPMG Law LLP. “Ensuring that data is encrypted, both in transit and in rest, and will be stored in a country that has similar legal thresholds as the EU are important first steps. If unsure, speak to a data security expert to ensure that the data will be safely transferred and stored.”
Virtual data rooms (VDRs) are very much the norm in M&A transactions, according to Given. “Assuming they are appropriately populated and maintained, the use of a VDR enables efficient and cost-effective due diligence – buyer review – exercises to be carried out without the need for physical exchange of documentation or physical data rooms.”
Data security is also an issue during transfer and organisations need to put measures in place to protect its integrity and prevent damaging leaks.
“It’s important for organisations to ensure that when using third-party service providers to facilitate data transfers that they are reputable and are subject to strict contractual requirements to ensure the confidentiality and security of any documents, particularly those containing sensitive or confidential information, and of course, where personal data is involved, to ensure that GDPR requirements are met for data sharing,” Ritchie advises.
“Where data is being transferred in the cloud, it’s critical to understand what countries the data will be transferred to. Again this is particularly important to comply with GDPR requirements when personal data is involved.”
KPMG EU AI hub director Sean Redmond points to other considerations that come into play.
“There are operational factors to consider,” he points out. “To protect data integrity and prevent leaks during transfers, a multilayered approach, which at a minimum should include encrypting data both at rest and in transit, access controls and multi-factor authentication to limit exposure, and maintaining real-time audit trails to monitor movement and detect anomalies. These potentials should be foundations within an organisation’s broader ICT and cyber framework.”
