We’ve all been there. That awkward moment when you witness two businesses flirting, they exchange details, and suddenly they start over-sharing personal data - it all feels a bit privacy invasive. You feel like saying “get a (data) room, you guys...”
In fact, this article is not a call to use a virtual data room (or "deal room") when sharing information, including personal information about a target business’ staff, customers, etc. Instead, we set out some basics from a data protection perspective when sharing information in an M&A context.
Our tips for complying with GDPR requirements in the context of a corporate transaction include:
- Contracts, including terms of access.Ensure that contractually binding terms of access are in place with anyone who will enter the data room, which include – as a minimum – confidentiality obligations (applicable to all information, not just personal data) and a clear description of the purposes for which the information in the data room may be used. Where data processors (eg a third party data room host, or another service provider to the transaction) are involved, the GDPR requires that there be a contract in place between a data controller (eg the target company and each bidder/ buyer) and a data processor which is processing personal data on behalf of that data controller.
- Redacting unnecessary data. Ask yourself whether the information is really necessary to include in the data room; or would it be ‘over-sharing’ to include it? Take steps to redact any non-essential (and any inaccurate or out-of-date) information, particularly sensitive personal data eg health data of employees –unless there is a clear lawful base and an objective justification for including it (and where sensitive personal data are concerned, probably check with a lawyer).
- Information security. The GDPR requires that all “appropriate technical and organisational measures” should be taken to ensure the safekeeping of personal data. Technical measures could include encryption and pseudonymisation of personal data – and organisational measures could include limiting access to just a few people from each party/service provider to the transaction on a ‘need to know’ basis. At the very least, please avoid sending large volumes of unencrypted or otherwise unprotected files by email, unless your email servers are specifically set up to encrypt their contents while in transit over the internet.
If you require further information about anything covered in this briefing note, please contact Alan Baker, or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, May 2019