Happy Birthday, GDPR!

By Suzy Bibko, EMEA Content Marketing Manager, Merrill Corporation

It’s now been one year since the EU’s General Data Protection Regulation (GDPR) came into force. What have we learned? Well, quite a bit as it turns out.

Keep Groaning
First, the groans (and the cheers) surrounding the law appear to have been justified. According to our own survey of EMEA M&A practitioners (Due Diligence 2022), over half of respondents (55%) believe that transactions did not progress because of concerns around a target company’s data/privacy protections and compliance with GDPR. And 66% believe that GDPR would increase acquirers’ scrutiny of the data protection policies and processes of target companies, further complicating the deal-making process. Not great news for deal makers, but on the flip side, this demonstrates an increased focus on data protection and adherence to the new law.


Unto the Breach, Once More
Second, the law is being enforced, or will be enforced, and companies are paying attention, as mentioned above. Although some believe the number and level of fines issued is low, data protection agencies have issued fines totalling EUR56 million for GDPR breaches (as of May 2019) since the law was enacted, with a EUR50 million fine levied on Google by France’s CNIL and the remainder made up of various amounts, mostly against smaller companies. Watchdogs say this is just a start, and it is technically still early days, with regulators focused on the most high-profile and serious breaches for now.

Moreover, the European Data Protection Board (EDPB) has said that over 200,000 cases were reported in the first nine months of enactment, with around 65,000 initiated due to a data breach reported by a data controller and 95,000 initiated as complaints. And it has been estimated that about 400 data breaches are now being reported each month, with reports expected to reach 36,000 this year, up from 18,000 previously – a 100% increase.
(EDPB LIBE Report on the Implementation of GDPR, EDPB, February 2, 2019; Year 1 of GDPR, The Register, March 14, 2019).

“It has been a challenging first year, but we have reached the goals that we set out to achieve, and we intend to keep up both the work and the pace...[W]e want to continue to listen to and to work together with the people who can give us the best insights into the day-to-day practice of data processing. An ambitious programme, but I am certain that we, as European data protection authorities will find more and more synergies, which will increase our effectiveness.”
Andrea Jelinek, Chair of the EDPB
(1 year GDPR – taking stock, EDPB, May 22, 2019)

Coordinated Cooperation
Third, going forward, there is concern that class action-style litigation could increase on the back of large data breaches. Moreover, as there is no single agency overseeing all GDPR compliance, there is potential for massive discrepancy in fines and in the interpretation of, and adherence to, the law. However, there is recognition between agencies that it is in their best interest to coordinate compliance. Year two should prove interesting as these issues are worked out.

M&A Considerations
In terms of M&A, GDPR is proving that certain issues should be considered as early as possible in the lifecycle of the deal. Key areas include:

  • Purpose, viability and value: Analyzing the purpose a target’s data was originally collected for is important – because it can only be used for that purpose, and therefore this could affect the value and viability of the transaction. Moreover, a buyer needs to verify that all data consents have been obtained in compliance with GDPR; a consent on file is not automatically GDPR-compliant. Thus, data-related risks and costs should be assessed early on.

  • Terms and agreements: Data protection clauses are increasingly being used in NDAs since GDPR came into effect; moreover, data transfer agreements are becoming more common where transactions are cross-border. Warranties requested by purchasers are becoming lengthier and more specific since GDPR came into effect, as risks are now being assessed with regard to data and compliance. And as the ‘controller’ of the data changes upon sale and must be identified to impacted individuals, deal terms increasingly specify this timing and the information to be provided.

  • Due diligence/Virtual data rooms: More thought is being given to what data is being shared in data rooms, as well as how secure and GDPR-compliant those due diligence applications or virtual data rooms are, including ensuring the proper processes are in place for data breaches should they occur. Thus, redaction, watermarking and permissioning controls are taking on ever more importance in the due diligence process, as well as evidence of GDPR compliance by the due diligence application or virtual data room provider.

  • Integrated Redaction: Personally identifiable information is inevitable in any due diligence process. Ensuring that critical data is redacted before disclosing it to third parties is an important GDPR compliance step and a risk factor that needs to be properly managed and mitigated. Redaction is an important step in due diligence, and can be extremely time-consuming, cumbersome and ripe for error. If redaction is integrated within a GDPR-compliant due diligence application, rather than performed with an outside, third-party tool, then the risk of data breaches is minimized.

  • Buyer/Seller Q&A: Q&A between sellers and potential buyers during the due diligence process can be ripe for security breaches, as well as mistakes, if done by email and spreadsheet. Moreover, GDPR now requires a written record of processing, data protection impact assessments, record-keeping regarding breaches, and, under certain conditions, the appointment of a data protection officer (DPO). Therefore, AI-powered tools and analytics can be extremely helpful in ensuring compliance during this stage of the due diligence process.

Securing Success
As the law does not look like it is going to be repealed or become less stringent (as some hoped in the early stages), it is more important than ever to be aware of the law and its implications, and to assess not only how GDPR-compliant your due diligence application or virtual data room supplier is, but also your own due diligence on the data being uploaded when involved in an M&A transaction. Only then can you feel confident that success has been secured.