When you’re building a new business, you evaluate your assets and liabilities to help you create a business model. Most new business owners don’t realise that one of their biggest assets is personal data. The data a business collects on customers, employees, suppliers, and other stakeholders are valuable. As a business owner, you should work to protect this data not only because it’s a business asset, but also because you are required to do so according to data protection regulations.
During a merger or acquisition, dealing with personal data can be complex. When you are building a new business, you have four important questions to ask concerning data protection:
- Does the previous owner have the right to transfer personal data to you?
- Do you have the right to use the data once it’s transferred?
- What are the potential liabilities concerning personal data when buying a business?
- How are you protecting personal data during the transaction process?
Asking and answering these questions will help you better understand how to handle personal data when you’re purchasing a new business from someone else.
Does the Previous Owner Have the Right to Transfer Personal Data to You?
In the past, businesses assumed that they could use personal data they collected in almost any manner they chose. They could profit from it and use it for marketing efforts. However, since the GDPR took effect in 2018, understanding about personal data has changed. Data subjects remain the owners of their own data, and businesses are restricted in how they can use it.
One of these restrictions is on how businesses transfer personal data. They cannot transfer this data however they choose and must have a lawful basis for doing so. When you’re buying a business, you need to ask if the current owner has the right to give you the data they’ve collected.
In some circumstances, a business owner won’t be able to hand over data to a new owner. These situations include:
- When the previous owner’s privacy policies do not allow for the sale of the business or change of ownership
- If data subjects have provided their consent to data collection but not to data transfer
- When the seller is processing data on behalf of a third party and the data-sharing agreements in place do not allow for a change of ownership or control
The previous owner’s privacy policy may no longer be applicable when you purchase a business and the data may not be transferable. In this case, you wouldn’t be able to access the data the business has previously collected and processed.
Do You Have the Right to Use the Data Once It’s Transferred?
Even if the data can be transferred to you, keep in mind that you still might not be able to use it. You must understand your rights to utilise it and any restrictions that come with using the data. Consider if you will use the personal data for the same purpose as the previous owner. If not, you’ll have to find an appropriate lawful basis for processing the data.
Also, if consent is the lawful basis for data processing, then that consent must be transferable. You may have to renew data subjects’ consent in this case. The previous owner may have to coordinate consent renewals before the acquisition transaction is complete if it’s not possible for you to contact the data subjects for renewal before the acquisition.
Additionally, consider who you will share the personal data with. You must have proper data sharing agreements in place if you will allow another entity to access this data. If you rely on the previous owner’s original data-sharing agreements, it’s possible to legally re-assign them if necessary.
What Are the Potential Liabilities Concerning Personal Data When Buying a Business?
Of course, when you purchase a business from a previous owner, you consider the liabilities. Personal data protection is no different, and comes with its own set of responsibilities that you, as the new business owner, must take on. To know what these responsibilities are, you must conduct a thorough audit of the previous owner’s compliance up until the transfer of the business.
When you do an audit to uncover liabilities related to personal data, it should ask:
- Has the data been catalogued and mapped accurately?
- Did the previous owner keep their Records of Processing Activities complete and up to date?
- Are the DPIAs complete for high-risk data sets?
- Are Legitimate Interest Assessments done if Legitimate Interest is the lawful basis?
- Did the previous business owner obtain the data fairly and lawfully?
- Did the previous business owner maintain comprehensive consent records?
- Have any other processors handled the data and done so appropriately?
- Did the business have any breaches?
- Are responses to individuals’ rights requests still outstanding?
- An audit will help you answer these questions and shed light on how to move forward.
How Are You Protecting Personal Data During the Transaction Process?
Considering data protection after the transfer is complete is important, but what about during the transaction itself? Think about how you, the seller, and your advisors will access the data, and what measures should be in place to stay compliant.
Specifically, you might use non-disclosure agreements that have sufficient data protection clauses. In addition, you can sign data-sharing agreements with all the parties involved in the transaction. Pay special attention to the data room as well, by ensuring it’s secure and that only authorised persons can access it.
You may need to update privacy policies to state that the data can be shared for the acquisition or purchase process, and include data protection provisions in the purchase and sale agreement.
Make Data Protection a Key Consideration When Building a Business
Many new companies don’t pay enough attention to their data protection measures because data volumes and the technical complexity of processing it can seem overwhelming. If you need assistance with processing personal data, you can always appoint an outsourced data protection officer who specialises in helping you become compliant.
It’s essential to get data protection right not only to remain compliant with data protection authorities but also to add significant value to your new business. If you ask yourself these four questions, you’re off to a good start.