By Suzy Bibko, EMEA Content Marketing Manager, Merrill Corporation
It’s now been one year since the EU’s General Data Protection Regulation (GDPR) came into force. What have we learned? Well, quite a bit as it turns out.
First, the groans (and the cheers) surrounding the law appear to have been justified. According to our own survey of EMEA M&A practitioners (Due Diligence 2022), over half of respondents (55%) believe that transactions have failed to progress because of concerns about a target company’s data/privacy protections and its compliance with GDPR. And 66% believe that GDPR will increase acquirers’ scrutiny of the data protection policies and processes of target companies, further complicating the deal-making process. Not great news for deal makers; but on the flip side, it demonstrates an increased focus on data protection and adherence to the new law.
Unto the Breach, Once More
Second, the law is being enforced, and companies are paying attention, as noted above. Although some believe the number and level of fines issued so far is low, data protection authorities had issued fines totalling EUR56 million for GDPR breaches as of May 2019, with EUR50 million levied on Google by France’s CNIL and the remainder made up of various amounts imposed mostly on smaller companies. Watchdogs say this is just a start; it is still early days, with regulators focused on the most high-profile and serious breaches for now.
Moreover, the European Data Protection Board (EDPB) has said that over 200,000 cases were reported in the first nine months of enactment, with around 65,000 initiated due to a data breach reported by a data controller and 95,000 as complaints. And it has been estimated that about 400 data breaches are now being reported each month and are expected to reach 36,000 this year, up from 18,000 previously – a 100% increase.
(EDPB LIBE Report on the Implementation of GDPR, EDPB, February 2, 2019; Year 1 of GDPR, The Register, March 14, 2019).
Third, going forward, there is concern that class action-style litigation could increase on the back of large data breaches. Moreover, as there is no single agency overseeing all GDPR compliance, there is potential for wide discrepancies in fines, and in the interpretation of and adherence to the law, from one jurisdiction to the next. However, there is recognition among the agencies that it is in their best interest to coordinate their enforcement. Year two should prove interesting as these issues are worked out.
In terms of M&A, GDPR is proving that certain issues should be considered as early as possible in the lifecycle of the deal. Key areas include:
As the law does not look like it is going to be repealed or become less stringent (as some hoped in the early stages), it is more important than ever to be aware of the law and its implications. That means assessing not only how GDPR-compliant your due diligence application or virtual data room supplier is, but also how you conduct your own due diligence on the personal data you upload when involved in an M&A transaction: the supplier’s compliance does not remove your responsibility for the data you put into it. Only then can you feel confident that success has been secured.