GDPR affects your mergers & acquisitions too

Acquiring or merging with another organisation means expanding the personal data you hold, whether related to employees, customers, suppliers or other individuals. This puts you in the General Data Protection Regulation spotlight, so here are three things to bear in mind.

Personal data due diligence

Due diligence gives you a clear picture of the organisation you are acquiring or merging with, and assessing their personal data is now a crucial aspect. You need to identify the full scope of what they hold, and whether consent to hold the information has been obtained from each individual. If not, it will be necessary to have another legal basis for processing the personal data.

Unambiguous consent

If due diligence exposes consent gaps, filling them becomes a priority. But if you are acquiring an organisation rather than merging with it, you need to reconfirm consent where appropriate. That’s because the change in ownership makes you the new ‘data controller’. Remember that consent must now be freely and unambiguously given. That means writing to each individual and asking them for permission to hold and process their data in the absence of having any other legal basis to process the data.

Data breaches

When undertaking due diligence, get assurances that the organisation you are acquiring or merging with hasn’t suffered any data breaches that they know of. You also want to know the details of any successful cyberattacks or information mishandling incidents that could have led to a data breach. With the threat of greatly increased fines under GDPR, you need to be extremely careful about the ‘privacy risk’ you are taking on.

SA Law has extensive resources to help you meet the requirements of the General Data Protection Regulation. Click here to learn more about them. 

CONTACT CHRIS

If you would like more information or advice relating to this article or an Employment law or Data Protection matter, please do not hesitate to contact Chris Cook on 01727 798089.

Read our latest views & insight about the GDPR
SA Law Red arrow neon light image
Views & Insights
Data Protection and workplace coronavirus testing

Managing the data protection challenges of workplace coronavirus testing

Read More
GDPR Numbers Image SA Law
Views & Insights
EU-US Privacy Shield declared invalid

The European Court of Justice (ECJ) invalidated the EU-US Privacy Shield as an appropriate mechanism to meet the GDPR’s cross-border personal data transfer…

Read More
GDPR Numbers Image SA Law
Views & Insights
A new age: working from home and GDPR

What GDPR issues may arise from working from home and what you should do to reduce risk and stay compliant.

Read More
SA Law Red arrow neon light image
Views & Insights
Data protection and the coronavirus pandemic

Good news: The ICO provides clarity on common areas of data concerns during the unprecedented coronavirus pandemic.

Read More
SA Law Red arrow neon light image
Views & Insights
Data protection and school photographs

ICO shares guidance following two schools being reprimanded for distributing photographs of pupils without parents’ consent.

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR one year on: make sure your small business is compliant

Chris Cook shares vital tips for SMEs who haven't done anything to abide by GDPR, and how they can start going about compliance.

Read More
GDPR Numbers Image SA Law
Views & Insights
GDPR one year on

Subject access requests and complaints have been commonplace since the GDPR came into effect. Find out more about the trends and traps.

Read More
SA Law Red arrow neon light image
Views & Insights
What to expect in Data Protection Law in 2019

Our Data Protection Team highlight what we can expect to see from the Data Protection Act in 2019 and the potential impact of E-Privacy Regulations.

Read More

© SA LAW 2020

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.