Acquiring or merging with another organisation means expanding the personal data you hold, whether related to employees, customers, suppliers or other individuals. This puts you in the General Data Protection Regulation spotlight, so here are three things to bear in mind.
Personal data due diligence
Due diligence gives you a clear picture of the organisation you are acquiring or merging with, and assessing the personal data it holds is now a crucial part of that. You need to identify the full scope of what it holds, and whether consent to hold the information has been obtained from each individual. If not, it will be necessary to have another legal basis for processing the personal data.
If due diligence exposes consent gaps, filling them becomes a priority. But if you are acquiring an organisation rather than merging with it, you need to reconfirm consent where appropriate. That’s because the change in ownership makes you the new ‘data controller’. Remember that consent must now be freely and unambiguously given. Where you have no other legal basis for processing the data, that means writing to each individual and asking them for permission to hold and process it.
When undertaking due diligence, get assurances that the organisation you are acquiring or merging with hasn’t suffered any data breaches that they know of. You also want to know the details of any successful cyberattacks or information mishandling incidents that could have led to a data breach. With the threat of greatly increased fines under GDPR, you need to be extremely careful about the ‘privacy risk’ you are taking on.
SA Law has extensive resources to help you meet the requirements of the General Data Protection Regulation.