The importance of asking the right data privacy questions in M&A due diligence

May 19, 2022 | Case Study

The importance of asking the right data privacy questions in M&A due diligence

Tim Hickman, Partner London

White & Case is an international law firm based in New York City. Founded in 1901, it serves companies, governments, and financial institutions from 44 offices around the world.

The fintech industry has exploded over the last decade. Start-ups such as Worldline and Worldpay have grown into industry leaders and become involved in multi-billion dollar deals, driving M&A activity in the sector globally and in Europe.

In February this year, for example, payments company Worldline announced a bid for Ingenico, a point-of-sale terminal provider that controls 37% of the market globally, in a deal worth $8.6bn.

While this increase in M&A activity in the fintech and payments sector has been striking, it has also been notable for highlighting the issue of data privacy protection in dealmaking. “In the payments sector due diligence can sometimes necessitate the review of merchant or end-user contracts,” says Hyder Jumabhoy, partner in the corporate M&A group at White & Case in London. “Where this is the case, data privacy concerns must be carefully assessed and navigated.”

Digitization a new dimension

The EU’s General Data Protection Regulation (GDPR) brought this issue to the fore in 2018, resulting in a significant change in how companies store and use personal data.

While GDPR was not intended to impact M&A, it has, and continues to, says Tim Hickman, partner at White & Case. “Ten years ago, a company looking to acquire a high street retailer didn’t need to know much about the retailer’s data. But now, when buying a retailer, a major part of the value of the business is the relationship with (and data about) the customers. A key question that any bidder should ask is ‘can I use the data lawfully’?”

Any M&A professional involved in a deal process will need to call on data privacy expertise. Virtual data rooms have been a mainstay of European M&A activity for the last decade, but the increasing digitization of the corporate world had added an important new dimension to the due diligence process.

Machine learning’s learnings

The introduction of GDPR means that from the start of any M&A process, the selling company must understand what it can lawfully disclose before placing documents in the virtual dataroom. “Some physical data rooms may attract lower compliance obligations, but everything digital is potentially in scope,” says Hickman. “The seller must implement appropriate data protection rules to ensure nothing is being unlawfully disclosed.”

For example, in order to understand the scale of pension liabilities, an acquirer may need to access to information about the target company’s employees. To comply with GDPR, the individual names may need to be redacted or aggregated. “There is a cost associated with that review, but it is less costly than dealing with claims from disgruntled employees, and possible regulatory investigations,” says Hickman.

Interestingly, he adds that GDPR also has implications for the automation of the M&A process, particularly where law firms have adopted machine learning technology to speed up the due diligence process.

“Where a buyer uses AI tools in a due diligence process it’s important to remember that these tools are often not designed with compliance or GDPR in mind,” says Hickman.