Key data protection considerations for a business prior to selling

By Beverley Flynn, head of data protection at law firm Stevens & Bolton, and Laura Burge, a trainee solicitor in the team

To enhance the value of a small or medium-sized business in a sale process, and to avoid onerous demands for seller indemnities, it is wise to bear in mind the key data protection obligations well before you sell.

The UK data protection regime comprises the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and there can be significant consequences for businesses that fail to comply. These include fines, reputational damage and regulatory investigation, all of which can hit small and medium-sized businesses particularly hard. It is therefore important to ensure your business complies not only throughout its life but in particular during the sale process, so that a buyer cannot use compliance gaps to chip the price.

In addition, where a business has a connection with the EU (for example, it offers goods or services to, or monitors the behaviour of, individuals in the EU), it may be required to comply with the EU GDPR as well. Although the two regimes closely mirror each other, they can differ in detail, and a buyer will expect both to have been considered.

What is personal data?

Personal data includes, amongst other things, identifying details (e.g. name, gender, age), advertising and profiling data, online identifiers such as IP addresses, and essentially any information relating to an identified or identifiable living person, whether identifiable directly or indirectly (for example by combining the data with other information held).

There are typically four main areas of personal data a business, no matter its size, is likely to process:

  • employee data
  • supplier data
  • customer data
  • third party data

How can I ensure my SME business is compliant with UK GDPR in readiness for a sale?

Registration and fee: Consider whether the business is required to pay the data protection fee to the Information Commissioner's Office (ICO), and so appear on its register of fee payers, and whether it has in fact done so (unless an exemption applies). The ICO can impose a penalty on organisations that fail to pay a fee they owe, and a buyer's due diligence will check the register.

Privacy notices: Does the business have appropriate privacy notices in place? Typically, these include a notice for customers, website visitors and other third parties (often published on the business's website), and separate employee and recruitment notices (each of which differ). Article 13 of the UK GDPR sets out the information to be provided when personal data is collected from the data subject, and Article 14 the information to be provided when it is obtained from elsewhere. Your business privacy notice should detail the personal data being processed, how it will be used and, in particular, that the personal data may be used to finance, restructure, sell, make ready for sale or dispose of the business, and disclosed to any potential buyer and their advisers for that purpose.

Record of Processing Activities (ROPA): Article 30 of the UK GDPR requires businesses to keep a record of their processing activities. The record captures details ranging from where the personal data is collected to how it is processed, stored, shared and deleted. Article 30(5) exempts organisations with fewer than 250 employees, but only where the processing is occasional, is unlikely to result in a risk to individuals and involves no special category or criminal offence data; regular processing such as payroll or customer records takes a business outside the exemption, so in practice most SMEs must keep a ROPA. The ICO can ask to see it on request, and so will a buyer.

Record of data breaches: Article 33(5) of the UK GDPR requires a controller to document every personal data breach, including those that did not meet the threshold for notifying the ICO, so that the steps taken to mitigate the associated risks can be evidenced. The record should detail all data incidents, including when the breach occurred and was discovered, who and what data it involved, its likely impact, the decision on whether to notify the ICO and affected individuals, and how it was dealt with. The ICO, as supervisory authority, can request the breach log if the business is audited, and buyers will also expect to see it, so it is key for your business to ensure not only that it has a log of such incidents but also that it is kept up to date.

Data retention record: Data retention is a key component of the storage limitation principle under the UK GDPR, which requires that personal data is not kept in identifiable form for longer than necessary. The business should have a data retention policy in place which specifies the retention period for each category of personal data it holds, or the criteria used to determine that period, and the business should be able to demonstrate that the retention periods are actually applied in practice (for example, through a schedule of deletions) rather than merely written down.

Data Processing Agreement (DPA): Where processing of personal data is carried out by a processor on behalf of a controller, the parties must put in place a written data processing agreement that meets the requirements of Article 28 of the UK GDPR. Examples include where the business, as data controller, appoints processors such as IT providers, outsourced help desks, data hosting or payroll providers. The agreement must cover the matters listed in Article 28(3): among them, the processor acts only on documented instructions, imposes confidentiality on its staff, implements appropriate technical and organisational security measures, engages sub-processors only with the controller's authorisation, assists with data subject rights and breach handling, submits to audits, and deletes or returns the personal data at the end of the engagement.

Policies and procedures: One of the principles of the UK GDPR is accountability. The accountability principle requires the business that processes the personal data to take responsibility for, and be able to demonstrate, how it complies with the other data protection principles. A business's internal policies are vital to ensure employees handle personal data in a way that is compliant with the UK GDPR. Internal policies such as a data protection policy, supporting guidance and information security policies are not just important for the day-to-day running of a business; when it comes to selling your business these policies will both be requested by the buyer and provide evidence that the business has been accountable for its compliance with the UK GDPR.

Transfers outside the UK or EEA: Consider whether any personal data is transferred to, or accessed from, outside the UK, including by overseas suppliers and cloud providers. Under the UK GDPR, a transfer of personal data to a recipient outside the UK (a restricted transfer) may only be made if: the destination is covered by UK adequacy regulations (the EEA countries are currently covered); an appropriate Article 46 safeguard is in place, such as the ICO's International Data Transfer Agreement (IDTA) or the EU standard contractual clauses used with the UK Addendum, supported by a transfer risk assessment; or one of the Article 49 derogations applies. The aim is to ensure that the level of protection afforded to data subjects by the UK GDPR is not undermined by the transfer. A business also subject to the EU GDPR must apply that regime's equivalent rules to transfers from the EEA.

How can I ensure the sale process is compliant with UK GDPR?

The processing of personal data is a key issue at various points throughout a sale. Disclosure of information about the business, which will often include personal data, is an integral part of the process, so personal data and UK GDPR considerations must be taken into account from the outset. All businesses are subject to these obligations, and while different SMEs will be more affected by some requirements than others, SME owners need awareness across all of them. The issues also differ depending on whether the transaction is an asset/business sale or a share sale: in a share sale the company remains the controller and only its ownership changes, whereas in an asset sale the personal data passes to a new controller, which must have a lawful basis for receiving it and must tell the individuals concerned.

Virtual data rooms (VDRs)

Prior to sale, information about the business collected for potential purchasers may well be uploaded to a virtual data room. From a UK GDPR perspective, VDRs can be helpful because they allow the seller to restrict and control who has access to the information being disclosed. Given the nature of the information processed in a VDR, a strict level of security is required, particularly over the information that constitutes personal data.

When using a VDR as a seller there are several steps you can take to mitigate the risk. In the first instance, redact or pseudonymise any names or other personal data in the documents before upload, particularly anything relating to employees or special category data such as health data, and check less obvious places such as document metadata and hidden spreadsheet columns. Bear in mind that pseudonymised data remains personal data for as long as the seller holds the key that links tokens back to individuals; only genuinely anonymised or fully redacted data falls outside the UK GDPR.
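As an added illustration (not from the article or its authors), the following Python script pseudonymises an employee export before it is uploaded to a data room: direct identifiers are replaced by keyed HMAC tokens, so rows stay linkable for the buyer's headcount and salary analysis but cannot be reversed without the seller's key, and the special category column is dropped outright rather than blanked. The sample CSV, the column names and the key handling are constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample export with fictitious people; in practice this would be an
# HR or payroll extract pulled for the data room.
SAMPLE_CSV = """employee_id,name,email,role,salary,health_notes
1001,Alice Example,alice@example.com,Engineer,52000,Asthma - inhaler kept on site
1002,Bob Sample,bob@example.com,Sales,41000,
1003,Alice Example,alice@example.com,Engineer,52000,
"""

# Columns that must stay linkable (duplicates, joins to other disclosed documents)
# but must not identify anyone: replaced by keyed tokens.
PSEUDONYMISE = {"employee_id", "name", "email"}
# Special category data has no place in a data room: the column is dropped entirely,
# so the disclosed file does not even reveal which rows had an entry.
DROP = {"health_notes"}


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic, non-reversible token: HMAC-SHA256 under a secret key.

    The same (field, value) always maps to the same token, so rows stay linkable
    across the data set; without the key a recipient cannot guess names back from
    the tokens. The field name is mixed in so that the same string appearing in
    two different columns yields two different tokens.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{field}-{mac[:16]}"


def pseudonymise_csv(text: str, key: bytes):
    """Return (disclosable CSV text, token -> original value mapping).

    The mapping is the re-identification key: the seller keeps it outside the VDR.
    Its existence is what makes the output pseudonymised rather than anonymised.
    """
    reader = csv.DictReader(io.StringIO(text))
    fieldnames = [f for f in reader.fieldnames if f not in DROP]
    mapping = {}
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        out = {}
        for f in fieldnames:
            v = row[f]
            if f in PSEUDONYMISE and v:
                token = pseudonym(key, f, v)
                mapping[token] = v
                v = token
            out[f] = v
        writer.writerow(out)
    return buf.getvalue(), mapping


if __name__ == "__main__":
    # Assumed: in real use the key comes from a secrets store and never leaves the seller.
    key = secrets.token_bytes(32)
    disclosable, lookup = pseudonymise_csv(SAMPLE_CSV, key)
    print(disclosable)
    print(f"{len(lookup)} tokens held back in the seller's mapping")
```

Keep the key and the mapping outside the VDR and destroy them once they are no longer needed; while they exist the output is pseudonymised, not anonymised, and so still needs the access controls and the processor agreement described in the rest of this section.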

It is also essential to undertake due diligence on the data room provider, for example considering whether it offers appropriate security controls (encryption, strong authentication, granular permissions) and access logging or audit reporting that shows who viewed or downloaded which document, since that is the record you will need if a breach has to be investigated and reported.

Scrutinising what users have access to is another beneficial line of enquiry. Sellers should limit access to the users who genuinely need it for the transaction, restrict their ability to download or print documents, keep the more sensitive personal data (such as employee records) in a separately permissioned area opened only at a later stage, and revoke access promptly when a bidder withdraws.

Finally, there are two agreements which, if put in place robustly, will further help minimise risk. Firstly, because the data room provider processes personal data on the seller's behalf, the seller should enter into an Article 28 data processing agreement with it. Alongside this, the seller should enter into a confidentiality agreement with each prospective purchaser, covering how the disclosed personal data may be used and requiring its return or deletion if the deal does not proceed.

If the above is carried out carefully, VDRs can enhance selling processes rather than be a source of data protection worries.

UK GDPR can raise a myriad of concerns but, if handled sensitively and appropriately in advance of the sale, can actually help lead to a more streamlined sale process for SME businesses.