When selling your business or seeking investment there are many considerations for a business owner, but from 25 May 2018 you can add GDPR to that list.
Whilst all business owners will have without doubt heard the horror stories of GDPR and its potential for unprecedented fines, what is not really being discussed, is the longer-term impact of GDPR on business owners and their exit plans.
As part of any sale or investment documentation, you can expect a series of warranties (promises) that you must make to the purchaser/investor about the state of your business. These warranties are designed to enable the investor/purchaser to be able to bring a claim more easily, in key risk areas, and avoid taking on liability for retrospective mistakes.
These warranties are usually made by the seller/founder personally so should be taken very seriously. From 25 May 2018 we expect to see warranties and indemnities being sought on a company’s GDPR compliance by both purchasers and investors alike.
We also expect to see specific and enhanced due diligence being conducted by purchasers and investors in respect of GDPR compliance. This is likely to involve an extensive review of all third parties who process any of your data, an audit of all your policies and documented consents, a forensic examination of your internal systems/security and a review of any breaches (however minor) and how you have dealt with them. So even if you have ill-advisedly ignored GDPR, any potential purchaser or investor will not.
Why is this?
In short because there is a much greater level of risk to the purchaser/investor after 25 May 2018, regarding the fines it could become liable for.
GDPR enables data subjects to bring a civil claim against a company and regulatory action can be taken against the company if you breach GDPR. Another potential avenue of litigation has been created by GDPR, of which almost all companies are vulnerable. A claim or even regulatory action may not surface for some time after a purchase or investment. This is not an ideal scenario for those purchasing a company or looking to invest in one.
With a very real and shifting legal landscape in respect of data protection generally and a heightened awareness in data subjects of their rights, we generally expect to see an increase in action being taken against companies in respect of their handling of data. This is not a legacy a purchaser or investor is going to happily want to accept.
GDPR is an especially serious concern for any large company looking to purchase a company, since any potential fine would be calculated on their worldwide group turnover. You can see why they may be nervous.
What can I do about this?
Whilst you may not be able to prevent a request for GDPR indemnities and warranties what you can do, is put in place effective GDPR processes and procedures now to identify, address and minimise any deficiencies before a potential purchaser or investor is on the horizon. The more transparent, process driven and forward thinking you appear the less concerned the purchaser or investor will be.
You should consider whether it is beneficial to hire a specialist Data Protection Officer to deal with overseeing your compliance, we have seen companies offering outsourced services for affordable rates.
You should ensure that as a minimum you map out your GDPR data – so you know what data you are collecting, that you have a lawful purpose for holding that data, that you can comply with any requests for this data to be deleted, you can comply with the rights of data portability and that you and any third party can deal with and report any breaches within the timeframes.
This should all be contained in internal processes, online privacy statements, staff policies and contracts, confirmed in third party contracts, evidenced and mapped out clearly. This is your first line of defence from an ICO inspection, reported breach and this a selling feature for your purchaser/investor.
Karen Holden is an award-winning solicitor and founder of A City Law Firm
Sign up to our newsletter to get the latest from Business Advice.