Mergers & Acquisitions: Protecting the data
M&A activity across the Channel Islands has continued strongly over the past year, with banks and administration businesses continuing to be regarded as prime acquisition targets. Butterfield continues to invest in the region with its acquisitions of Deutsche Bank’s banking and custody business as well as recently agreeing to acquire ABN AMRO’s banking business in Guernsey. Similar consolidation has been seen with TMF agreeing to acquire State Street’s alternative investment services business this year, to add to the Gentoo fund services business it acquired in 2017.
A growing trend in all transactions has been an increasing focus on the implications of data protection throughout the sale process.
The implementation of the General Data Protection Regulation (2016/679/EU) (“GDPR”) and its Guernsey counterpart, The Data Protection (Bailiwick of Guernsey) Law, 2017 (“DPL”) has put data protection front and centre in M&A deals.
The overhaul of legislation has raised industry awareness of the issues, and the need for compliance, whilst the huge potential penalties for breaches of data protection law have also helped to focus minds.
A recent example is the case of Marriott International, Inc., and its acquisition of Starwood Hotels & Resorts in 2016 (pre-GDPR). In September 2018 Marriott determined that the Starwood business had been subject to continual database hacking, as a result of which the personal data of 500 million guests had been compromised. The Marriott headquarters are in the USA, but some of the customers affected were nationals of the EU, meaning that the breach falls under GDPR. The hotel group faces significant financial penalties under GDPR and it is expected that this case will be one of the highest-profile prosecutions under GDPR to date.
Consequently:
- Sellers are preparing for a possible sale by reviewing their operational policies to ensure that the sale process will not breach data protection law when providing data to a potential purchaser;
- Purchasers are reviewing the target business’ historical data protection compliance with more scrutiny in their due diligence investigations; and
- Purchasers are considering post-acquisition integration steps and how these affect the holding and use of personal data.
Some practical pointers that both buyers and sellers should consider when engaging in M&A in Guernsey are as follows:
- In advance of any potential sale, sellers need to review and update their privacy notices and data protection policies (particularly in relation to their employee and customer data) to ensure that they have the right to share personal data during the course of any future sale;
- Sellers should utilise virtual data rooms in disseminating information about their business to a prospective buyer. This will ensure that access to personal data is only given to those who need it, and that those with access sign up to data room rules which highlight and provide the legal basis on which the information is provided. Such rules could complement confidentiality/data processing agreements, or could be in addition to them;
- Where possible, personal data should be anonymised before being placed into the data room. For example, instead of providing the contracts of employment of all employees, sellers could provide a template form of contract, and redact those contracts that are more personalised (for example, senior management contracts); and
- The parties need to ensure that transaction documents respect data protection requirements – e.g. the sale agreement should not include a schedule of employees but should instead refer to a schedule in the data room which can be viewed by those who need to see it.
An original version of this article was published in En Voyage, July 2019.
© Carey Olsen 2019.