A non-exhaustive list of issues a Buyer and Seller should consider during the due diligence process is set out below:
Issues for the Buyer
- Ensure data transferred to them by the seller can be easily returned should the transaction fall through.
- Carryout a due diligence questionnaire highlighting any notifications to the Commissioner, outstanding subject access requests, data protection policies, the sellerÂs compliance procedures and data management systems, fair processing notices, copies of all agreements in relation to data processing or the data controller, etc.
- Ensure all personal data received by the buyer is anonymised, so as to avoid sending out notifications.
Issues for the Seller
- Data should be anonymised prior to disclosure.
- Everyone working on the transaction should know their data protection responsibilities.
- Confidentiality agreements should be put in place.
- Agreements between the parties ensuring the data is only used for the purposes of this transaction.
- Practical measures should be employed to ensure adequate security of the data.
- Any use of a data room should involve supervised and controlled access, with all parties ensuring they comply with any rules and printing restrictions.
- Prior to any external involvement in the setting up of the data room, a written contract should be put in place to ensure compliance with the principles and no unauthorised or unlawful processing is taking place.Â
- Adequate protection is required if data is being transferred outside the EEA.
The fourth part of the series covers the warranties a Buyer should seek when buying a business.