Speaker at whiteboard in front of class

Merrill Corporation


Preparing for the GDPR: 6 things to consider

Felicia Asiedu, Merrill Corporation

During our recent GDPR webinar, we unpacked some topics regarding the new regulation and the potential impact on organisations both within and outside of the EU.

Some key take-aways were:

  • The GDPR is an opportunity…for businesses to look at where and how their data is being acquired, stored and shared and to review who has access to it. Companies with their customers at heart have an opportunity to develop a relationship of trust in the digital economy by taking care of their data. 
  • There is nothing to fear…even though this is a material change in the law and there is a healthy amount of scaremongering with regards to fines, in reality, much of the framework to support compliance is already in place. In many cases, all that will be needed is some enhancement of what is already there. And rather than be intimidated, businesses outside the EU should view this as a chance to step up their management of personal data to align with a regulation that addresses today’s privacy challenges.   
  • Non-compliance may not be a deal breaker… data breaches are becoming more prevalent, and so when looking at the M&A process, the risks associated with the GDPR are similar to those that already exist. The key is to identify a target’s potential privacy shortcomings during due diligence, understand the impact on valuation and how to mitigate or remedy for a successful deal outcome. 
  • The importance of vendor management is heightened…under the GDPR it is expected that due diligence be conducted on third-party suppliers to ensure they process personal information in accordance with strict instructions and implement appropriate security measures. It could be a good idea to invest in a vendor management program as the increased responsibility of third-party vendor management could prove to be fairly arduous. 
  • Preparation is key… based on a poll taken during the webinar, most businesses feel relatively prepared for the new regulation. In the M&A context, the more prepared businesses are to review and share paperwork, the less risk there is of being exposed to fines and deals being delayed.
  • The GDPR will drive due diligence…the increased risk of an acquirer’s exposure to litigation, fines and regulatory scrutiny will drive behavioural changes resulting in a more thorough due diligence process. When it comes to cyber security, buyers are likely to have more stringent, detailed warranty requests. As cyber security becomes a material risk, the focus on indemnity provisions is also likely to intensify.