It’s been three years since the EU introduced the General Data Protection Regulation (GDPR) and, despite clear warning signals sent by the national regulators regarding consumer protection, data privacy and data protection are far from being fully regulated. GDPR is highly significant and should be taken seriously not only by managers but also by dealmakers in any M&A process. The regulation came into effect in May 2018, as the EU sought to force organizations to strengthen their data protection policies and processes. Fines of up to 4% of annual global turnover or €20m – whichever is greater – await any organization that infringes its requirements. Breaches also expose businesses to public scrutiny and dishonour.
In Poland, M&A activity was impacted by the pandemic in 2020, but as the Polish economy is relaunched in 2021, we can see many investment decisions being taken, especially in less pandemic-exposed areas such as the TMT, pharmaceutical and construction sectors. GDPR compliance is becoming a more crucial issue in the deal process than ever before. Acquirers are concerned on two fronts:
(a) how they might become responsible for historical breaches of the regulation at target companies; and
(b) how GDPR might prevent them from capitalizing on the full value of the target.
No sensible dealmaker would pursue a transaction that could potentially expose them to regulatory fines of up to 4% of their global turnover, as well as significant reputational damage. 
In the new post-pandemic reality, GDPR has to be a key focus of due diligence work for any law firm. Acquirers worry that they may become responsible for data protection breaches at the target, or even that they may have to pick up the costs of breaches that occurred before the transaction completed but did not come to light until later. This is particularly important if the target company has direct dealings with consumers. In such cases, the risk of non-compliance is not only a regulatory fine of up to 4% of turnover but also individual claims by consumers. The legal fees of defending such claims could be enormous.
This risk is far from theoretical. In Poland, for example, the Data Protection Office last year fined Virgin Mobile PLN 2m after it emerged that there had been an ‘insufficient legal basis for data processing’. The finding followed a leak of personal data.
Identifying such breaches may not be straightforward for acquirers, but a robust evaluation of the target’s data protection policies and practices can at least provide some reassurance about whether the organization has taken its responsibilities seriously. Inevitably, however, such work is time-consuming, adds to the due diligence workload, and can extend the deal timelines.
Acquirers may also seek to protect themselves from issues that emerge post-deal completion. M&A agreements increasingly include comprehensive representations and warranties related to data privacy and protection.
The stakes are high – and set to get higher. EU policymakers are determined to further strengthen data protection regulation, and EU politicians are already talking about an overhaul of the regulation. In particular, they want to see a renewed focus on tougher enforcement – perhaps through a centralized body rather than the current system of national regulators.
If that’s the case, GDPR could become an even more important issue for dealmakers. For many businesses, data protection issues may come to represent a make-or-break factor for transactions. Verifying GDPR compliance and carrying out a robust evaluation of the target’s data protection policies and practices is absolutely necessary to maximize compliance and minimize GDPR risks and breaches.