GDPR compliance – an opportunity for adding value in M&A

News | 11.12.17

Corporate and M&A
Data Protection (GDPR)
Personal data has become an increased important aspect of most M&A transactions as the majority of all businesses process information about employees, customers and/or others. In most M&A transactions, personal data is however only reviewed and dealt with from a compliance point of view.

GDPR compliance – an opportunity for adding value in M&A

With the strict and far-reaching new EU data protection regime that comes into force on 25 May 2018, many businesses have increased the focus on compliance with data protection requirements. The focus seems to be driven by the fear of sanctions, though, and less on the opportunities offered by the data protection rules. We believe that with the right focus businesses will not only experience a competitive advantage, but may also increase the deal value in M&A transactions.

The new data protection regime and key changes
The General Data Protection Regulation (GDPR) brings significant changes to EU data protection regulatory framework, many of which greatly affect businesses. The consequences of breaching the data protection regulation escalate dramatically under the GDPR, which sets the maximum fine for a breach to €20 million or 4% of annual global turnover, whichever is greater. In addition to the fines, consent becomes harder for businesses to obtain and to rely on, the rights granted to data subjects are strengthened and the introduction of the concepts ‘Privacy by Design’ and ‘Privacy by Default’ are some of the key changes. Privacy by design means that privacy principles such as minimal collection of personal data and transparency should be implemented into systems as such. Privacy by default means that the privacy settings should be fair and lawful by default without any manual input from the end user.

Focus on privacy compliance in due diligence
With the GDPR, there has also been an increasing focus on privacy compliance in company due diligence, both on the buyer and seller side. Lack of documentation of compliance with key privacy requirements may lead to a lower valuation of the company if the buyer perceives that there is a privacy risk. An increasing number of sellers are taking into account the risks of privacy compliance by implementing a specific privacy vendor due diligence where the focus is to eliminate unnecessary non-compliance through which to increase the deal value.

The opportunities in M&A transactions
We believe that due to the increased focus on privacy caused by the GDPR, the deal value may not only be affected by personal data compliance or the lack of it. The privacy by design and by default requirements will force businesses to consider data protection during the initial phase when developing new products and services, rather than as an afterthought. Businesses that do not adhere to this change run the risk of falling behind.

If the target company has taken advantages of the opportunities offered by the data protection rules, this may increase the deal value. Many transactions are driven by the buyer's appetite for the value represented by the target company's possession of large quantities of valuable personal data and the idea that the buyer will be able to further capitalize on this value going forward. Target companies with an outlined strategy with regard to personal data may be easier to value for potential buyers, as opposed to companies that lack such strategy and not are able to demonstrate the company's level of compliance. Buyers are also likely to appreciate that they will not have to implement a new privacy strategy and adequate legal framework post-closing of the transaction, which often is expensive, time consuming and challenging to implement successfully.

We firmly think that, companies generally should be able achieve competitive advantage by having outlined a strategy that focuses on making efficient and cost-effective data protection measures while at the same time being within the regulatory framework and customer expectations. Such strategy will in general boost the value of the company. We also believe that companies being accurate and strict in data processing and showing transparency towards their customers will be considered more secure and trustworthy players. These factors are likely to be emphasized by potential buyers in the valuation of target companies.

The reward of being a step ahead
The rewards for greater utilization of personal data are significant for companies with, inter alia, the increased number of online stores, the extended use of web portals with login options and online identifiers (cookies, etc.). Thus, this will not only be important with the emergence of artificial intelligence, block chain and ICOs, but for all businesses collecting, using or processing customer information within both B2B and B2C.

Summing up, our message is that potential sellers who focus on dealing with data protection matters prior to an M&A transaction, are likely to increase the deal value significantly as it will reduce the risk for the buyer connected to potential fines and at the same time reduce the buyer's costs since no or only few adjustments must be made post-closing.

Simonsen Vogt Wiig has extensive knowledge and experience in assisting both large national and international companies with data protection compliance and set-up of privacy policies and legal framework in line with commercial considerations and applicable legal requirements. Simonsen Vogt Wiig also has considerable focus on and experience with these issues from an M&A perspective.