GDPR affects your mergers & acquisitions too

Mon 23rd Apr 2018

Acquiring or merging with another organisation means expanding the personal data you hold, whether related to employees, customers, suppliers or other individuals. This puts you in the General Data Protection Regulation spotlight, so here are three things to bear in mind.

Personal data due diligence

Due diligence gives you a clear picture of the organisation you are acquiring or merging with, and assessing their personal data is now a crucial aspect. You need to identify the full scope of what they hold, and whether consent to hold the information has been obtained from each individual. If not, it will be necessary to have another legal basis for processing the personal data.

Unambiguous consent

If due diligence exposes consent gaps, filling them becomes a priority. But if you are acquiring an organisation rather than merging with it, you need to reconfirm consent where appropriate. That’s because the change in ownership makes you the new ‘data controller’. Remember that consent must now be freely and unambiguously given. That means writing to each individual and asking them for permission to hold and process their data in the absence of having any other legal basis to process the data.

Data breaches

When undertaking due diligence, get assurances that the organisation you are acquiring or merging with hasn’t suffered any data breaches that they know of. You also want to know the details of any successful cyberattacks or information mishandling incidents that could have led to a data breach. With the threat of greatly increased fines under GDPR, you need to be extremely careful about the ‘privacy risk’ you are taking on.

SA Law has extensive resources to help you meet the requirements of the General Data Protection Regulation. Click here to learn more about them. 


If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798098.

Read our latest views & insight about the GDPR

© SA LAW 2024

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.