By Suzy Bibko, Content Marketing Manager, EMEA
It’s been three years since the EU introduced the General Data Protection Regulation (GDPR) and, despite solid M&A figures during the pandemic, European dealmakers face mounting anxiety around data.
No sensible dealmaker would pursue a transaction that could potentially expose them to regulatory fines of up to 4% of their global turnover, as well as significant reputational damage. And yet three years after the EU’s GDPR came into force, such fears are increasingly front and center during M&A processes – particularly against the backdrop of increased deal activity in the data-centric technology industry.
Inevitably, overall M&A activity has been impacted by the pandemic. Mergermarket data reveals there were 6,472 deals worth US$803bn involving Western European targets during 2020; this is slightly up on 2019 figures of 7,343 deals worth US$748bn, but below the 2018 high of 7,480 deals worth US$918bn.
The less pandemic-exposed TMT sector, however, has bucked the trend. Deal values in the sector rose sharply last year to US$266bn, compared to US$109bn and US$194bn in 2019 and 2018, respectively. Moreover, deal volumes have risen in each of the past three years.
The value of data underpins many of these transactions, with valuations often driven by the technology sector’s endeavors to leverage its data for business insight and commercial advantage. In this context, GDPR has become a crucial issue in the deal process. Acquirers are concerned on two fronts: how they might become responsible for historical breaches of the regulation at target companies; and how GDPR might prevent them capitalizing on the full value of the target.
Such fears are very real. In our recent survey of global dealmakers, 55% of respondents said they had been involved with M&A transactions that had stalled because of concerns around the target’s data protection practices and its compliance with GDPR.
That number reflects the broad scope and significance of GDPR. The regulation came into effect in May 2018, as the EU sought to force organizations to strengthen their data protection policies and processes. Fines of up to 4% of annual global turnover or €20m – whichever is greater – await any organization that infringes its requirements. Breaches also expose businesses to public scrutiny and opprobrium.
For this reason, GDPR compliance has become a high-priority issue for almost every business pursuing M&A. The GDPR’s provisions apply to any organization that collects or handles personal data, and that brings almost every potential target within its scope.
GDPR, therefore, has to be a key focus of due diligence work. Acquirers worry that they may become responsible for data protection breaches at the target, or even that they may have to pick up the costs of breaches that occurred before the transaction completed, but which did not come to light until later on.
This risk is far from theoretical. In the UK, for example, the Information Commissioner’s Office last year fined the hotel group Marriott £18.4m after it emerged that a customer database had been compromised in 2014. Marriott had acquired the database in question when buying rival hotel company Starwood in 2016. As of June 2021, total fines had reached €285m, with Italy having the highest value of fines (€76m) and Spain the largest number of fines (237); ‘insufficient legal basis for data processing’ was the reason for most fines.
Identifying such breaches may not be straightforward for acquirers, but a robust evaluation of the target’s data protection policies and practices can at least provide some reassurance about whether the organization has taken its responsibilities seriously. Inevitably, however, such work is time-consuming, adds to the due diligence workload, and can extend the deal timelines.
Acquirers may also seek to protect themselves from issues that emerge post-deal completion. M&A agreements increasingly include comprehensive representations and warranties related to data privacy and protection.
Sell by data
Many sellers will want to anticipate these issues, particularly where businesses are being managed with an acquisition process in mind. At the very least, organizations need to be aware of their strengths – and any potential weaknesses – when it comes to GDPR compliance and broader data privacy issues. The ability to point to a clear and consistent approach to data protection will increase the credibility of a target with potential acquirers.
One important part of that is how organizations manage their third-party agreements with suppliers and service vendors. These often expose organizations to additional data protection risk. Indeed, third parties have become a favored route for cyber attackers – but the detail of such vulnerabilities may not be immediately apparent to an acquirer.
Another question is the extent to which the buyer is focused on the data of the target as part of its deal strategy. In many cases, the target’s information assets may account for a significant portion of its valuation, but it may not always be possible for a buyer to acquire all of this data. This is because GDPR requires organizations to think hard about what data they store and retain, with an emphasis on deleting any data that is no longer needed for justifiable reasons.
Sellers that have not spent time on data retention policies and practices may find they are not entitled to pass legacy data to an acquirer, reducing their value if the buyer was banking on that data. Buyers will be expected to establish the purposes for which any data they want to acquire was originally obtained; these purposes may no longer be valid following the deal.
The stakes are high – and set to get higher. As long ago as 2017, the US telecoms giant Verizon secured a US$350m discount on its purchase of Yahoo when it emerged that the internet company had suffered a series of data breaches. Since then, research from Forescout Technologies has found that 73% of companies would regard an undisclosed data breach as a deal-breaker during M&A; 65% said they had come to regret a completed deal amid cybersecurity concerns.
Those numbers may soon rise higher, with policymakers determined to further strengthen data protection regulation. Viviane Reding, the Luxembourgish politician who managed the passage of the original GDPR, is already talking about an overhaul of the regulation. In particular, she wants to see a renewed focus on tougher enforcement – perhaps through a centralized body rather than the current system of national regulators.
If that’s the case, GDPR could become an even more important issue for dealmakers. For many businesses, data protection issues may come to be make-or-break for transactions. Choosing a GDPR-compliant virtual data room to manage your due diligence project is imperative to maximize compliance and minimize GDPR risks and breaches. Use our checklist to make sure your provider isn’t putting you and your data at risk.