1. Introduction
Due diligence compliance has always been an issue in M&A, but it seems to be increasingly cited as an area of concern for companies, especially now that GDPR has become law and is being enforced. What can practitioners do to help ensure deals don’t get left behind by these issues? The Boy Scout motto comes to mind, for one.
2. Be Aware
One year on from GDPR and it’s clear that the law is being taken seriously: over 50 million Euro in fines have been issued (May 2019) and the number of data breaches reported is expected to increase to 100% this year. Moreover, in early July, the UK ICO (responsible for enforcing GDPR in the UK) notified Marriott International that it intends to fine it 110 million euros. The fine relates to a cybersecurity incident with Starwood (which Marriott ultimately bought) where personal data from approximately 339 million Starwood hotel guest records was exposed. The ICO’s fine cited failure by Marriott to undertake sufficient due diligence in the acquisition of Starwood and that it should have done more to secure its systems, specifically stating that:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value, so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
This isn’t the first time data breaches have affected M&A deals: it happened with TripAdvisor and Viator, and Verizon and Yahoo, resulting in TripAdvisor losing a reported 517 million Euro in market cap, Yahoo being devalued by 312 million Euro and Marriott’s stock price slumping.
Should practitioners have anticipated these challenges? Perhaps, especially if you look at what M&A practitioners have said in recent studies[1]:
- over 60% expect GDPR will increase acquirers’ scrutiny on the data protection policies and processes of companies;
- over 50% have worked on M&A transactions that have not progressed because of concerns around a target company’s compliance with GDPR;
- 78% expect data risks to be a challenge in the next year;
- 73% felt cybersecurity would also present challenges;
- 62% felt that their company faces significant cybersecurity risk when acquiring new companies; and
- cyber risk is the biggest concern post-acquisition.

Graphic 1 • Q11. In the next five years what impact do you expect the EU’s General Data Protection Regulation (GDPR) to have on M&A due diligence?
Source: Due Diligence 2022, Merrill Corporation

Graphic 2 • Q12. Have you worked on M&A transactions that have not progressed because of concerns around a target company’s data/privacy protections and compliance with GDPR?
Source: M&A Due Diligence: Clients vs Advisers, Merrill Corporation

Graphic 3 • Q17. Which of the following technologies do you see as potentially having the most transformative impact on M&A due diligence over the long term?
Source: M&A Due Diligence: Clients vs Advisers, Merrill Corporation
M&A and GDPR: 5 Issues to Consider Early in the Deal Lifecycle
• Purpose, viability and value: Analyzing the original collection purpose of a target’s data is important because it can only be used for that purpose and therefore this could affect the value and viability of the transaction if it were collected incorrectly. Moreover, a buyer needs to verify that all data consents have been obtained in compliance with GDPR since a consent on file is not automatically GDPR-compliant. Thus, data-related risks and costs should be assessed early on.
• Terms and agreements: Data protection clauses are increasingly being used in NDAs since GDPR came into effect; moreover, data transfer agreements are becoming more common where transactions are cross-border. Warranties requested by purchasers are lengthier and more specific, as risks are now being assessed with regard to data and compliance. And as the ‘controller’ of the data changes upon sale and must be identified to impacted individuals, deal terms are increasingly including this timing and information.
• Due diligence/Virtual data rooms: More thought is being given to what data is being shared in data rooms, as well as how secure and GDPR-compliant those due diligence applications or virtual data rooms are. This also includes the establishment of proper processes for possible data breaches. Thus, redaction, watermarking and permissioning controls are taking on an ever more important role in the due diligence process, as well as evidence of GDPR compliance by the due diligence application or virtual data room provider.
• Integrated Redaction: Personally identifiable information is inevitable in any due diligence process. Ensuring that critical data is redacted before disclosing it to third parties is an important GDPR compliance step and a risk factor that needs to be properly managed and mitigated. Redaction can be extremely time-consuming, cumbersome and ripe for error. If redaction is integrated within a GDPR-compliant due diligence application, rather than done with an outside, third-party tool, then the risk of data breaches is minimized.
• Buyer/Seller Q&A: Q&A between sellers and potential buyers during the due diligence process can be ripe for security breaches, as well as mistakes, if done by email and spreadsheet. Moreover, GDPR now requires a written record of processing, data protection impact assessments, record-keeping regarding breaches, and, under certain conditions, the appointment of a data protection officer (DPO). Therefore, AI-powered tools and analytics can be extremely helpful in ensuring compliance during this stage of the due diligence process.
3. Be Prepared
The good news is that M&A practitioners believe that technology can solve some of their biggest challenges in due diligence, if they’re prepared to embrace it. They increasingly believe new technology will enable greater security, and AI and analytics, if used correctly, could make the process better and more efficient.
This all sounds like a positive step forward, but are M&A practitioners actually preparing for these changes and embracing technology for good in due diligence?
It seems that they are indeed ‘walking the walk’. Baker McKenzie says they are on a technological journey in terms of due diligence, using virtual data rooms to be more efficient and AI software for contract review, with the plan to more heavily rely on AI and other technologies for the more commoditised aspects of due diligence. “Where there is the technology to review documents with a degree of accuracy we should absolutely be embracing that, with lawyers providing the more strategic input and supporting clients to make judgements on risk,” says Jannan Crozier, Partner at Baker McKenzie. “We want to ensure that lawyer time can be used more effectively and efficiently for our clients.”
And Janis Dzenis of Luminor, the third-largest bank and financial services provider in the Baltic region, agrees that new technologies such as AI and data analytics can further enhance the due diligence process, potentially automating specific areas. “I see no reason why we couldn’t do partial automation of due diligence development via data analytics and visualisation. AI has the potential to provide scenario analysis such that professionals would ‘just’ have to make the final decision.”
So, if you stay aware and are prepared, including keeping abreast and using the latest technology, deals might just stay on course and not get knocked off track.