Buying a company: don’t forget the data protection risks

Padlock on Keyboard Print publication


The rapid pace of developments in technology has enabled business to deploy increasingly sophisticated marketing, using personal data to focus on the individual customer. However, the flipside of amassing substantial volumes of personal data is the struggle to ensure that the data is held securely and that it is processed in accordance with the strict requirements of the Data Protection Act 1998 (the Act). Purchasers of companies that have amassed a volume of personal data need to ensure that the company they are buying is dealing with these twin issues of safeguarding data security and compliant data processing.

Advanced technology and personal data

The use of advanced technology and data analysis is a fact of life across many sectors. For example:

  • the use of cookies and similar tracking devices on websites enable customer/consumer habits to be scrutinised
  • loyalty cards provide a mass of data that can be analysed, enabling marketing that focuses on the individual customer/consumer. This can be combined with the use of location data so that, for example, stores can send text messages to their shoppers as they wander around a store
  • the use of in-store cameras to monitor customer activity can provide information that can be analysed to enhance future sales; for example, whether a product is not attracting sufficient attention and needs to be repositioned; whether a product is being picked up and put down – maybe suggesting a problem with the packaging – and whether certain parts of the store are attracting more footfall at certain times of day
  • restaurants and cafés habitually offer free wifi. This involves the customer providing their name, email address and often phone number, all of which is personal data
  • businesses increasingly integrate with applications made by third parties, such as payment providers. Correct protocols need to be in place for the transmission of personal data from one business to another.

Other advanced technologies are heading our way – facial scanning, for example, is not yet commonplace but could be used to determine the gender and age of a viewer and, when used in conjunction with location data, could be a powerful weapon for marketers.

Compliant data processing

It is understandable that businesses are more concerned about how to get the best from cutting edge technology rather than more prosaic issues such as compliance with data privacy laws. The point was made by the Information Commissioner’s Office (ICO) in guidance published in December 2013 highlighting the data protection issues that should be addressed by developers of apps.

However, the consequences of non-compliance can be serious. A fine of up to £500,000 can be imposed for a data protection breach but the greater damage may be the reputational damage that can be suffered by the company in breach.

“Personal data” is defined in the Act as data that relates to an identifiable living individual. “Identifiable” means that the individual can be identified from that data, either alone or in combination with other information. Not all marketing methods using advanced technology will be capable of being classified as “personal data” in isolation; however, if any data, in combination with other information, can lead to an individual being identified, this will make the information “personal data”.

The Act sets out how organisations may use personal data, including, for example, that it must be processed fairly and lawfully in accordance with conditions specified in the Act. Other requirements include that personal data must be accurate and kept no longer than is necessary.

Direct electronic marketing is governed by the very specific rules contained in the Privacy and Electronic (EC Directive) Communications Regulations 2003 and, as with the Act, the ICO has published detailed guidance on the interpretation of this legislation in addition to numerous best practice requirements that should be considered.

Cybercrime and data security

The risks of cybercrime are becoming increasingly prevalent for businesses of all sizes and trading in all sectors. In 2014, one million new malware threats were released online every day. A report from cybersecurity firm Symantec in April on internet security threats ranked the UK as global number 2 and Europe’s number 1 for targeted attacks in 2014. Significantly, the issue is not confined to big business; two-thirds of all targeted attacks struck small and medium-sized businesses (so much so that the government has recently proposed a financial support scheme to protect small businesses operating online).

Corporate due diligence on a target company should include an assessment of the policies, procedures and systems to safeguard against a security breach. There are several contexts in which this matters:

  • the directors. Directors have a statutory duty to manage the affairs of a company using reasonable skill, care and diligence. It is no longer sufficient to leave the IT to the “geeks in the basement”, cross fingers and hope all will be well. Purchasers of companies should be looking to see whether the target has undertaken a full and documented analysis of the risks of cybercrime and review the policies, procedures, resources and security measures that have been put in place to deal with the risk
  • the regulators. The Act obliges businesses to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and businesses must be prepared to investigate and self-report actual or potential breaches to the ICO and professionally. Industry-specific regulators, such as the Financial Conduct Authority, have also started to issue guidance to businesses operating in their sector. It is important to keep up with the demands of regulators to avoid the significant regulatory intrusion, enforcement and hefty financial sanctions that can result from default
  •  your suppliers. Nowadays much of the IT function is outsourced, notably by way of cloud computing. If something goes wrong it is important that the business, which is effectively relinquishing control over its data, has adequate contractual redress against the third-party supplier, e.g. the flexibility to change service provision and manage emerging threats. Contractual documentation should be reviewed
  • your business partners. The loss or compromise of customer data could have a profound impact on your commercial relationships and give rise to a legal claim and ensuing financial liability and cost. Purchasers acquiring a company should investigate the extent of the target’s contractual obligations in relation to customer data and whether these are covered by contractual exclusions and limitations of liability clauses which may be designed for other purposes. Consider also whether they may impose costly and overly stringent security standards that are disproportionate in the context of the purchaser’s own business
  • your employees. The risk of employee theft is not a new thing but the opportunities are greater than ever. Additionally staff, particularly in more senior roles, may now be using their own devices to access data under BYOD schemes. A purchaser should investigate the target’s policies and procedures (and check they are applied) regarding employee access to data and ensure that employment contracts contain controls to allow the secure recovery and retention of data in the event that an employee wants to leave the business
  • your customers. Recent UK case law in relation to the Act suggests consumers can bring claims for distress arising from a data security breach even if they have suffered no financial loss. As claims brought against the target company will be brought within the purchaser’s group, it is important to ensure that there are no current or potential claims arising from a data breach.

What should purchasers of companies be doing?

Members of the public want to know how their data is being used, how secure it is and who it is being shared with, and why. To that end, companies must keep customers informed about how their behaviour is being tracked, both in the online and physical environments, and how their data will be used. Businesses should be upfront about what monitoring they will be doing and explain at appropriate junctures the benefits to customers and how their anonymity will be protected.

Where personal data is going to be collected and processed, customers should be given a clear, fair and unconditional way to opt out of this; companies should ensure that they obtain compliant consents from customers to process or share their data and certainly before it is used to issue direct marketing.

As part of their due diligence purchasers should be checking that the target company is doing all this or else they may find they have acquired a company or group where a data protection breach is likely (or indeed has happened already, with the purchaser picking up the bill for it). Any concerns should be addressed in the sale and purchase documentation through enhanced warranty coverage or a pound for pound indemnity.

Purchasers should also review the target’s data security systems, measures, procedures and documentation, as outlined above.

If you are considering a corporate acquisition and need advice on how to ensure you are not acquiring any potential hidden liabilities – data protection-related or otherwise – please speak to John Hamer.