don’t let GDPR ruin your exit plans when selling a business
When selling your business or seeking investment there are many considerations for a business owner, but from 25 May 2018 you can add GDPR to that list.
Whilst all business owners will have without doubt heard the horror stories of GDPR and its potential for unprecedented fines, what is not really being discussed, is the longer-term impact of GDPR on business owners and their exit plans.
As part of any sale or investment documentation, you can expect a series of warranties (promises) that you must make to the purchaser/investor about the state of your business. These warranties are designed to enable the investor/purchaser to be able to bring a claim more easily, in key risk areas, and avoid taking on liability for retrospective mistakes.
These warranties are usually made by the seller/founder personally so should be taken very seriously. From 25 May 2018 we expect to see warranties and indemnities being sought on acompany’s GDPR complianceby both purchasers and investors alike.
We also expect to see specific and enhanced due diligence being conducted by purchasers and investors in respect of GDPR compliance. This is likely to involve an extensive review of all third parties who process any of your data, an audit of all your policies and documented consents, a forensic examination of your internal systems/security and a review of any breaches (however minor) and how you have dealt with them. So even if you have ill-advisedly ignored GDPR, any potential purchaser or investor will not.
Why is this?
In short because there is a much greater level of risk to the purchaser/investor after 25 May 2018, regarding the fines it could become liable for.
GDPR enables data subjects to bring a civil claim against a company and regulatory action can be taken against the company if you breach GDPR. Another potential avenue of litigation has been created by GDPR, of which almost all companies are vulnerable. A claim or even regulatory action may not surface for some time after a purchase or investment. This is not an ideal scenario for those purchasing a company or looking to invest in one.
With a very real and shifting legal landscape in respect of data protection generally and a heightened awareness in data subjects of their rights, we generally expect to see an increase in action being taken against companies in respect of their handling of data. This is not a legacy a purchaser or investor is going to happily want to accept.
GDPR is an especially serious concern for any large company looking to purchase a company, since any potential fine would be calculated on their worldwide group turnover. You can see why they may be nervous.
Karen Holden is an award-winning solicitor and founder of A City Law Firm (ACLF), the go-to lawyers for entrepreneurs, startups, scale-ups, those seeking investment. In addition to being very successful lawyers for businesses , ICOs and family law, ACLF are now the UK's leading LGBT law firm and surrogacy specialists. Karen is a regular media commentator, panellist and event speaker.
Once a data breach has been detected, you only have 72 hours to inform regulatory authorities, and they're going to want to know all the who, what, when and where? details about the exposed data. These five steps can help you respond to a breach and avoid a GDPR fine. more»
With business owners across Britain preoccupied with GDPR compliance ahead of next month's introduction, its forgotten sibling the so-called cookie law? could dramatically change the way brands communicate with consumers and collect data. more»