Having completed the due diligence process and proceeded with the transaction the parties data protection duties for the parties does not end. Below is a list of actions both the Buyer and Seller need to consider after the transaction has been completed.
- Carryout an audit of the newly acquired data, data processing procedures and to ensure compliance with Data Protection Principles.
- Integrate the existing data with the newly acquired data.
- Update any notifications with the Commissioner.
- Remove all unwanted data.
- Consolidate or novate any agreements the Seller had with the previous data processors.
- Carryout an audit to ensure it is still compliant with Data Protection Principles.
- Remove all unwanted data and data it no longer requires.
- Ensure all notifications are up to date.
- Contact unsuccessful Buyers and request they return or remove all personal data disclosed to them.
It is imperative that both parties comply with the Data Protection Principles and ensure they work with the Commissioner to resolve any outstanding issues, as the Commissioner has the power to fine infringing parties up to Â£500,000.00 should they be satisfied that:
- there has been a serious contravention
- of a kind likely to cause substantial damage or distress
- contravention was deliberate
- or the data controller ought to have known there was a risk the contravention would occur and
- the data controller failed to take steps to prevent the contravention.
Prior to any transaction all parties should ensure they are compliant with the relevant Data Protection Principles, to ensure they do not risk facing a fine by the Commissioner and to ensure the transaction proceeds as efficiently as possible.