Why GDPR could put a spanner in the works… There are two sides to this.

Firstly, if your company is looking to attract a buyer or investors in the near future, then your preparations for GDPR, and your ability to evidence those preparations, are likely to be key to the success of the transaction.  In a post-GDPR world, many would-be investors or buyers regard a business that cannot demonstrate GDPR compliance as too much of a risk.

Secondly, if you are looking to buy or invest in a business, then you have a responsibility to conduct appropriate due diligence and to satisfy yourself that the business you hope to become involved with can prove it runs an active, ongoing privacy programme.  Can it demonstrate the final key principle of the GDPR (Article 5(2)): accountability for its obligations as a data controller?

The UK ICO has already issued "intention to fine" notices totalling roughly £282 million (the British Airways and Marriott notices of July 2019) for security failures involving personal data, and in the Marriott case the ICO specifically criticised the due diligence carried out at acquisition. If you cannot demonstrate due diligence, you too could find yourself under investigation.

Whichever side you are on, our specialist privacy team can help: either by addressing the key areas in your business that could delay your investment or buy-out plans, or by giving you the reassurance to proceed, safe in the knowledge that the privacy programme has been independently evaluated and found to be robust and on track.

Call the team today and we can schedule your engagement immediately. In most cases, thanks to the size and flexibility of our specialist privacy consultant network, we can begin work the same week.

Attracting a buyer / investor

If you are looking to attract a buyer or an investor for your business, privacy is now a key factor in any due diligence carried out on it, and a robust, sustainable privacy programme is essential to kick-start corporate transactions.  Simply claiming to be "GDPR-compliant" is not good enough: compliance is an ongoing obligation rather than a one-off state, so a bare, unevidenced claim will immediately raise suspicion with most third parties.

In our experience over the last 12 months, an increasing number of would-be buyers or investors have outsourced this privacy due diligence to expert data protection consultants who can uncover gaps in data protection frameworks that the untrained eye would miss. Some of those gaps reveal privacy risks; in extreme cases they reveal actual personal data breaches, which must be reported to the ICO within 72 hours of the controller becoming aware of them and which may in turn prompt an ICO investigation.

These risks could force the interested party to withdraw entirely, setting you back to square one: not only searching for new financial interest, but also addressing serious privacy issues that could take months to remediate.

With this in mind, ahead of speaking to potential third parties, Privacy Helper will work closely with your business and conduct an independent gap analysis. If a gap analysis has already been conducted, we will review that documentation; however, it may be necessary to conduct a fresh review of certain areas to reflect any remediation you have carried out since.

Our gap analysis process and follow-up report will immediately identify any areas likely to concern third parties, and our team will create a project plan to address each area needing remediation.

In many cases, remediation work will need to be under way, with specific tasks completed, before you formally enter talks, so that your commitment to privacy is demonstrable to third parties from the outset.

Our data protection specialists will also provide regular updates to any interested parties (internal or external), confirming what progress is being made and giving them confidence that the business is committed to protecting the privacy of the individuals whose personal data it collects and processes.

Speak to us today to be sure your business has a privacy programme you can be proud of and one that potential investors will be impressed by. With our help, your commitment to data protection becomes a selling point and makes your business more attractive than competitors that have failed to address these issues.

Considering investing, or buying a business?

In the pre-GDPR days, buyers and investors would conduct the usual financial and legal due diligence on an organisation, but evidence of data governance and data protection frameworks was not a priority.

Compliance with data protection legislation is now a key consideration ahead of investing in an outside organisation, and the ICO has already demonstrated this, much to the frustration of Marriott International…

In 2016, Marriott International bought Starwood Hotels, creating the largest hotel chain in the world. Unfortunately, its due diligence during the acquisition was poor and it failed to spot a major compromise of Starwood's guest reservation database, which exposed around 339 million guest records. The breach, which dated back to 2014, was only discovered in 2018.

Following an investigation, the ICO issued an "intention to fine" notice of just over £99 million in July 2019, only its second proposed fine under the GDPR and vastly larger than the £500,000 maximum available under the previous Data Protection Act 1998.  In announcing the notice, the ICO observed that Marriott had failed to carry out sufficient due diligence on Starwood's data protection practices when it bought the company, and should have done more to secure its systems.

How does this affect you?

As a third party buying into an existing company, YOU become responsible for the personal data the business holds, and that responsibility includes carrying out proper and detailed due diligence when making a corporate acquisition.

Clients who engage our team of privacy specialists can be confident that our due diligence work is meticulous: we leave no stone unturned in our search for processes or systems that indicate non-compliance with the GDPR or that expose the personal data held by the company to undue risk.

Our team will:

Conduct a full and detailed review of all third-party supplier contracts - Article 28 of the GDPR requires a written contract between a controller and each of its processors, and in the event of a data breach it is vital that the controller/processor relationship, and each party's responsibilities, are clearly set out in that contract. Many companies simply rely on their usual business lawyers for this, who may not have specialist data protection knowledge, and that creates a risk.

Conduct a full and detailed review of all IT systems and processes - To avoid a repeat of the Marriott breach, our IT privacy specialists will check that every database holding personal data is afforded appropriate protection (access controls, encryption and logging) and will look for indicators that those systems have already been compromised.

Pen-Testing - Our security specialists will conduct penetration tests of the business's internet-facing systems to identify exploitable weaknesses that could put you at risk from attackers. A penetration test is a point-in-time exercise: it can show what weaknesses exist, not prove that none do, so its findings should be read alongside the systems review above.

Records Management / Article 30 - Our records management experts will check that there are appropriate filing systems in place for personal data within the business, that the Article 30 record of processing activities is complete and current, and that policies accurately reflect the lawful basis for each processing activity… they must be living documents, not something written once and then forgotten.

Marketing - If the business conducts outbound marketing, does it satisfy the Privacy and Electronic Communications Regulations 2003 (PECR)? If the business is found to be in breach, the ICO has the power to fine the organisation, and since 2018 its directors personally, up to £500,000.

Following this due diligence, we will submit a detailed report of our findings together with our recommendations for remediation in line with the GDPR.

Engaging with PRIVACYHELPER could be your best investment

Our privacy experts are professionals, and our report is our detailed, independent view of the risks that investing in the specific organisation would create for YOU, enabling you to make the appropriate decisions based on our findings.

Given the size of the fine the ICO intends to impose on Marriott, this independent due diligence could be the most worthwhile exercise you conduct. Don't commit to any investment before you truly understand the risk.

Call our team now. A ten-minute telephone call can usually give you an initial indication of how robust the target's privacy programme is, and whether your investment is likely to prove costly in the long run or a sound business decision.

Remember: we understand the sensitive nature of your business investment plans, and for us discretion is key. We have worked with many household names and respect the confidentiality of every single client.  We never enter into discussions or formal engagements without first signing a Non-Disclosure Agreement with the involved parties.


Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.


How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.


What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.


Other services you may be interested in from PRIVACYHELPER

DPO services

We offer DPO packages to suit your business needs – from a basic advisory service for smaller businesses to integrating ourselves within the operation of larger businesses.

Get started >

GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

Get started >

Training

An effective, demonstrable training programme can make the difference between the ICO imposing a monetary fine or not, even if your data privacy programme has only just started.

Get started >