If you are buying or selling a business it is likely that there is going to be a transfer of data, typically this can include the staff details, customer or suppliers data. A Seller should therefore carry out a review of the data protection procedures and compliance policies prior to the transaction taking place, so as to avoid any unnecessary delays in the transaction and give the seller the time to rectify any deficiencies.
A number of issues that the seller should be aware of prior to any transaction include:
Â Notification Compliance
o Inform the Commissioner that you are processing personal data this task should be carried out by the companyÂs data controller.
o If the processing of personal data is for the following
? Staff Administration
? Accounts and Records
? Advertising, Marketing and Public Relations
notifications do not need to be sent to the Commissioner.
o Notifications should be checked to ensure they are correct, renewed annually and the appropriate fee should be paid.
Â Compliance with the Principles
o Personal data must be fairly and lawfully processed, i.e. meet one of the conditions set out in Schedule 2 DPA.Â
o Processing of sensitive data should meet one of the conditions set out in Schedule 3 DPA.
o Companies must also fulfil the requirements set out in Part II of Schedule 1 to the DPA, which identifies the way companies may collect personal data and the information that needs to be provided to individuals prior to the processing of the data.
o Suitable technical, legal and organisational measures should be put in place to ensure the data is adequately protected. Adequate security measures, written contracts with data processors and verification checks to confirm whether employees are able to access the data, should all be put in place.
o There should be no transfer of personal data to countries outside of the EEA unless:
? It is for the performance or conclusion of a contract between, the data subject or any other person and data controller, at the request of the data subject.
? It is in the vital interests of the data subject, for reasons of substantial public interest or for the purposes of any legal proceedings and obtaining of any legal advice.
o Individuals are able to access their personal data and are able to force organisations to cease processing their personal data, if it is going to cause damage or distress to the individual.
o If the data is inaccurate the individual can obtain the relevant court order to have the data corrected, blocked or destroyed.
o If a company is looking to take advantage of the data by selling it, it would need to notify any individuals that the data may be sold to third parties in the future. This is usually done by updating its privacy policies on its website or by giving a fair processing notice.
o Any disclosure of the data to a potential buyer would require the seller to notify each individual that their personal data has been disclosed, so the seller should ensure all personal data is anonymous.
Identify any issues in relation to the data you hold will help you identify any problems and put in place procedures to ensure you comply with the DPA. The buyer should also carry out any necessary preparation work, by identifying which data is required, how they intend to use the data and how important the data is to the business they are purchasing.
The third article covers the due dilligence a Buyer and Seller should carry out during the transaction.Â