New considerations for private equity firms in a post-GDPR world
Huw Beverley-Smith, a Partner in the Technology Transactions Group at the London office of Faegre Baker Daniels, examines the impact of GDPR on private equity firms…
The European Union’s new data protection regime, the General Data Protection Regulation (GDPR) came into force on 25 May 2018. The GDPR strengthens the protection of personal data by imposing more rigorous operational requirements on organisations that collect, process, store and share personal data.
The GDPR also gives individuals new and enhanced rights over their personal data such as the right of access, right to be forgotten, and right to data portability. As has been well-publicised, the potential penalties for non-compliance are significant – up to the greater of Euro 20 million or 4 percent of worldwide annual turnover.
What are the GDPR’s impact and potential risks for private equity firms?
Private equity firms should therefore assess the implications of the GDPR both at the fund level (including in respect of the personal data of employees and individual investors) and the portfolio company level (in respect of the potentially wide ranging uses of personal data). Fines can be imposed on an “undertaking” - an economic unit, formed by the parent company and all involved subsidiaries.
Therefore there are risks that national regulatory authorities may treat funds and their portfolio companies as a single entity where one company exercises control or dominant influence over other entities. As a consequence, investment structures may need to be adjusted so that a private equity firm does not exert control over its portfolio companies. Additionally, privacy risks will move from the periphery and closer towards the core legal and commercial issues in investments and acquisitions.
Despite a two-year lead-in period, many organisations were relatively unprepared when the GDPR came into force. Many of the GDPR’s provisions, and some of the regulatory guidance which has emerged to date, leave room for interpretation. Partly due to time pressures, lack of internal management commitment (and budget) and the paucity of clear guidance, many businesses have made relatively superficial changes to customer-facing policies and internal procedures and still have much work to do.
Increased importance on due diligence
Private equity firms should therefore ensure that GDPR compliance is on the agenda for the portfolio company’s management team and a key part of the evaluation of any potential new investment. This is not limited to companies in the technology sector, or companies which process large volumes of sensitive personal data, for example in the healthcare sector. Even businesses that fall outside typically data-heavy sectors will have customer lists which will have been collected over time and may not have the necessary marketing consents or may not be maintained securely. There will therefore be basic commercial and operational risks which assume a new importance given the potentially increased liabilities.
The due diligence process is therefore likely to be more intensive and time-consuming and should be started as early as possible in the deal process. In addition to obvious public-facing privacy policies, a target will need to have appropriate policies in place covering the personal data of its employees, and much more detailed contracts with third-party processors than has previously been the case. The principle of accountability underpins the GDPR’s provisions: organisations must be able to demonstrate compliance to regulators, which requires many more internal policies and procedures to be implemented. There will therefore need to be internal records of processing activities, data retention policies and procedures for responding to data subject rights requests. This papering exercise takes some time and typically requires input from various parts of the business.
A further significant drain on resources is the process of assessing whether the appropriate technical and organisational measures are in place to comply with the GDPR, particularly in respect of the security of personal data. The potential vulnerabilities to data breaches will need to be identified, and appropriate procedures for data breach notification and internal training implemented. Compliance gaps, including historical data breaches, should be identified as part of the due diligence process. Post-acquisition remedial plans and the allocation of liability for their associated costs should be tabled early in the deal process. Warranties and indemnities are likely to be much more keenly negotiated given the potential liabilities, and understanding the technical and business fundamentals will be a critical part of this process.
In the post-GDPR world, private equity firms which take an informed approach to investment structures for portfolio acquisitions and employ robust compliance measures are likely to minimise the risks of regulatory enforcement action and the need for financial contingencies for data privacy risks. Those who do not may find themselves in the crosshairs of the new data protection regime and in protracted negotiations over the related risks.