GDPR affects your mergers & acquisitions too

Acquiring or merging with another organisation means expanding the personal data you hold, whether related to employees, customers, suppliers or other individuals. This puts you in the General Data Protection Regulation spotlight, so here are three things to bear in mind.

Personal data due diligence

Due diligence gives you a clear picture of the organisation you are acquiring or merging with, and assessing their personal data is now a crucial aspect. You need to identify the full scope of what they hold, and whether consent to hold the information has been obtained from each individual. If not, it will be necessary to have another legal basis for processing the personal data.

Unambiguous consent

If due diligence exposes consent gaps, filling them becomes a priority. But if you are acquiring an organisation rather than merging with it, you need to reconfirm consent where appropriate. That’s because the change in ownership makes you the new ‘data controller’. Remember that consent must now be freely and unambiguously given. That means writing to each individual and asking them for permission to hold and process their data in the absence of having any other legal basis to process the data.

Data breaches

When undertaking due diligence, get assurances that the organisation you are acquiring or merging with hasn’t suffered any data breaches that they know of. You also want to know the details of any successful cyberattacks or information mishandling incidents that could have led to a data breach. With the threat of greatly increased fines under GDPR, you need to be extremely careful about the ‘privacy risk’ you are taking on.

SA Law has extensive resources to help you meet the requirements of the General Data Protection Regulation. Click here to learn more about them. 

CONTACT CHRIS

If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798089.
Read our latest views & insight about the GDPR
SA Law Red arrow neon light image
Views & Insights
What to expect in Data Protection Law in 2019

Our Data Protection Team highlight what we can expect to see from the Data Protection Act in 2019 and the potential impact of E-Privacy Regulations.

Read More
SA Law Red arrow neon light image
Views & Insights
Google issued with £44m fine over GDPR breach

Head of Employment and Data Protection, Chris Cook, explains Google's GDPR breach that led to landmark £44 million fine.

Read More
SA Law Red arrow neon light image
Views & Insights
Vital GDPR considerations when acquiring a company

Alasdair Bleakley talks to Acquisitions Daily about an important and difficult hurdle in corporate transactions: the GDPR.

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR - 6 Months On

Partner and Head of Employment & Data Protection Chris Cook comments on the impacts of GDPR over the past 6 months.

Read More
SA Law Red arrow neon light image
Views & Insights
ICO publishes passwords and encryption guidance

Partner, Chris Cook, identifies the new ICO guidance on passwords in online services and encryption under GDPR.

Read More
Stained glass window Employment SA Law
Views & Insights
GDPR and SARs; staying compliant and protected

Partner and Head of Employment & Data Protection, Chris Cook writes in Education Executive about the GDPR and SARs.

Read More
Red arrow light
Views & Insights
Divorce and the GDPR

In the Financial Times Adviser, Marilyn and Chris discuss the implications of being jointly instructed by one party in the proceedings.

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR: A five step guide to dealing with a data breach

Chris Cook shares a five step guide to dealing with a data breach including assessing risk & reporting.

Read More

© SA LAW 2019

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.