The introduction of the GDPR and the new Data Protection Act 2018 has already been the subject of many an article and discussion.
Without a doubt, the definition of what constitutes personal data is extremely broad, catching “…any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”. This isn’t just about names; the question of whether or not the data “identifies” is wide ranging. The GDPR sets out a non-exclusive list, and guidance from the ICO makes it clear that data could still be “identifiable” even if additional information is needed to be able to identify a data subject.
It is therefore clear that partial pseudonymisation is unlikely to be sufficient when making data available to a prospective seller. This will pose particular issues for any sales or transfers of certain databases at the due diligence stage.
In addition, the GDPR requires a data processor to have a lawful basis on which to process personal data. It will be important for any seller, at the due diligence stage, to be very clear on what basis the data concerned is being processed and, if relying on consent, whether that consent extends to the processing of data for the purposes of disposing of assets and undertakings. It may be that in the sale of a business comprising “live contracts”, i.e. agreements where contractual obligations remain to be performed, one could rely on the grounds of necessity or possibly legitimate interest.
It may well be possible to obtain that consent when dealing with personal data involving employees or other stakeholders in the business, but where that data extends to those outside the business, this could be problematic and delay any prospective transaction. This needs to be checked and verified well in advance of any prospective sale – especially as any buyer is likely to insist on indemnification in the sale agreement in respect of this.
In addition, and depending on the business sector of any target, regard will need to be had to the Network and Information Systems Regulations 2018, which also came into force in May. Commonly referred to as the Cyber Security Regulation, these require “Operators of Essential Services” and “Relevant Digital Service Providers” to have appropriate cyber security measures in place. There will be a greater need for bespoke commercial due diligence here, and careful thought will need to be given to bespoke warranties and proportionate indemnities.