One of the essential steps to building a new business, whether you’re starting from scratch or purchasing a company, is evaluating your assets. Most new business owners don’t realise that personal data is one of a company’s most valuable assets and that it should factor into the buying of a business.
When you’re looking to acquire a new company, you have to make data protection one of your priorities. Ask yourself these four questions to better understand the process:
- Is the seller allowed to transfer the personal data?
- How are you allowed to use the data?
- What are the potential data protection liabilities?
- How are you protecting data during the transaction process?
Let’s look at each question in more detail and discuss the potential implications.
- Is the Seller Allowed to Transfer the Personal Data?
The first question to ask when considering purchasing a company is whether the current owner has the right to transfer the personal data they’ve collected to you. Until the GPDR took effect a few years ago, most businesses thought that the data they collected on customers, employees, vendors, and other stakeholders was free for them to use how they pleased. Companies could use this data for marketing purposes and earn a profit from it.
However, the GDPR established the rule that personal data belongs to the data subjects. Companies who collect data may not transfer it whenever and however they please. As a result, the seller of a business may not be able to transfer their personal data to you.
A few specific situations that could prevent the seller from transferring the data to you include:
- The seller’s privacy policies do not allow for the sale of the business or change of ownership
- The consent that the data subjects have provided cannot be transferred
- The seller is processing data on behalf of a third party and the data-sharing agreements don’t allow for change of ownership or control
- How Are You Allowed to Use the Data?
Transferring and using the data present different implications. Even if the seller has the right to transfer the personal data to you, you must consider how you plan to use it. Depending on your purposes for the data, you may face restrictions.
If you are not planning to use the data for the same purpose as its previous owner, will you still have a lawful basis for processing it? You may choose to use consent as a lawful basis. In this case, you need to ensure that the data subjects’ consent is transferable. If it isn’t, you may have to renew consent.
Think about where the data will be stored and processed after the purchase of the company is complete. If it’s stored outside the EU, it should be in a country considered adequate by the European Commission.
Also, consider who you will share the data with. You must have appropriate data sharing agreements in place to share the data with third parties. If you’re relying on the original business owner’s data-sharing agreements, it’s possible to legally re-assign them.
- What Are the Potential Data Protection Liabilities?
As a new business owner, you may be taking on the seller’s liabilities. You can understand what the data protection liabilities of your new business are by conducting a thorough audit of personal data protection measures that the previous owner had in place.
An audit should include some of the following considerations:
- Are the Records of Processing Activities up to date?
- Did they maintain comprehensive consent records?
- Have there been any data breaches?
- Have they catalogued and mapped personal data accurately?
- Have they completed robust DPIAs for high-risk data sets?
- Did they obtain the data fairly and lawfully, with transparent consent and privacy notices?
- Have they completed Legitimate Interest Assessments if Legitimate Interest is the lawful basis for collecting personal data?
- Have they shared the data with another entity and have other processors handled it appropriately?
- How Are You Protecting Data During the Transaction Process?
When you’re buying a company and building a new business, you must consider data protection during the transaction process. The seller, you, and your advisors will have access to the data increasingly as the process moves forward, so you must put proper protection measures in place.
Ensure that non-disclosure agreements have robust data protection clauses and that you put data-sharing agreements in place. Also, update the Record of Processing Activities throughout the transaction process to reflect the fact that the parties are processing personal data as part of the merger or acquisition.
Another consideration is the data room. Secure it and only let authorised personnel access it. Only retain data for as long as needed to evaluate and conduct the transaction.
Making Data Protection Part of Your New Business
Building a new business is exciting, but there are many details to attend to. Because processing personal data is technically complex, many new business owners overlook it. It’s vital that you make data protection a priority, however, in order to remain compliant with relevant data protection authorities. Your business may benefit from appointing a data protection officer (DPO) or using outsourced DPO services.
Personal data is also immensely valuable to your new business, so it’s worth making efforts to protect.