July 02, 2019

Happy Birthday, GDPR!

By Suzy Bibko, EMEA Content Marketing Manager, Merrill Corporation

It’s now been one year since the EU’s General Data Protection Regulation (GDPR) came into force. What have we learned? Well, quite a bit as it turns out.

Keep Groaning
First, the groans (and the cheers) surrounding the law appear to have been justified. According to our own survey of EMEA M&A practitioners (Due Diligence 2022), over half of respondents (55%) believe that transactions did not progress because of concerns around a target company’s data/privacy protections and compliance with GDPR. And 66% believe that GDPR would increase acquirers’ scrutiny of the data protection policies and processes of target companies, further complicating the deal-making process. Not great news for deal makers; but on the flip-side, this demonstrates an increased focus on data protection and adherence to the new law.

Unto the Breach, Once More
Second, the law is being enforced, or will be enforced, and companies are paying attention as mentioned above. Although some believe the number and level of fines issued is low, data protection agencies have issued fines totalling EUR56 million for GDPR breaches (May 2019) since the law was enacted, with EUR50 million fined to Google by France’s CNIL and the remainder made up of various amounts to mostly smaller companies. Watchdogs say this is just a start, and it is technically still early days, with regulators focused on the most high-profile and serious breaches for now.

Moreover, the European Data Protection Board (EDPB) has said that over 200,000 cases were reported in the first nine months of enactment, with around 65,000 initiated due to a data breach reported by a data controller and 95,000 as complaints. And it has been estimated that about 400 data breaches are now being reported each month and are expected to reach 36,000 this year, up from 18,000 previously – a 100% increase.
(EDPB LIBE Report on the Implementation of GDPR, EDPB, February 2, 2019; Year 1 of GDPR, The Register, March 14, 2019).

“It has been a challenging first year, but we have reached the goals that we set out to achieve, and we intend to keep up both the work and the pace...[W]e want to continue to listen to and to work together with the people who can give us the best insights into the day-to-day practice of data processing. An ambitious programme, but I am certain that we, as European data protection authorities will find more and more synergies, which will increase our effectiveness.” Andrea Jelinek, Chair of the EDPB (1 year GDPR - taking stock, EDPB, May 22, 2019)

Coordinated Cooperation
Third, going forward, there is concern that class action-style litigation could increase on the back of large data breaches. Moreover, as there is no one agency overseeing all GDPR compliance, there is potential for massive discrepancy in fines, and interpretation of and adherence to the law. However, there is recognition between agencies that it is in their best interest to coordinate compliance. Year two should prove interesting as these issues are worked out.

M&A Considerations
In terms of M&A, GDPR is proving that certain issues should be considered as early as possible in the lifecycle of the deal. Key areas include:

Securing Success
As the law does not look like it is going to be repealed or become less stringent (as some hoped in the early stages), it is more important than ever to be aware of the law and its implications, and assess not only how GDPR-compliant your due diligence application or virtual data room supplier is, but also your own due diligence on the data being uploaded when involved in an M&A transaction. Only then can you feel confident that success has been secured.

Ready to Get Started?

Here are some other items you might be interested in:

From the Bullpen to the Boardroom: Insights from CEOs

As many professionals can attest, investment banking is a feeder job for other highly successful and ambitious career moves. However, the transition to get there is not always so clear, especially for aspiring entrepreneurs. Our expert panel of CEO's broke down the challenges for our audience and offered several great takeaways for those who want to be CEO one day.

Colleagues Discussing Business in Conference Room
Expert Spotlight: Japan Deal Momentum

Japan dealmakers are seeing a strong rebound in M&A following the initial impact of COVID- 19 with the current momentum backed by an uptick in corporate divestitures, low-cost financing, and activism among others, according to industry experts speaking at a recent webinar hosted by Datasite and Mergermarket. Learn more from this expert spotlight blog.

Tokyo Japan Skyline
Market Spotlight: Restructuring in the Middle East

How is M&A faring in the Middle East? Is distressed market activity on the rise, as it is in other regions? And how can deals get done quickly? One thing seems fairly certain: there’s definitely more to come in the region.