The impact of the General Data Protection Regulation (GDPR) when selling your business

Posted on 30 Apr 2019

Most businesses process information about their customers, clients and employees. Therefore, GDPR will have an impact on the sale of the business.

The buyer will want to ensure that they find out as much information as possible about your business so that they are able to make an informed decision. Ordinarily you will receive a legal due diligence questionnaire via your solicitor which will need to be completed accurately. Due to the introduction of GDPR, there is expected to be an increased emphasis on data protection compliance. The buyer’s adviser will be looking closely at the answers provided to identify whether the business has been complying. It is very important that your business can demonstrate compliance, as the buyer’s adviser will be highlighting the sanctions which can be imposed for non-compliance to the prospective buyer.

It would be most beneficial for you to identify the data processed and review the procedures that you have in place before you commence the sale process. We have the necessary expertise to assist you with this at Swayne Johnson, as our Commercial team regularly deal with business sales and we have the specialist knowledge to provide advice on GDPR.

The buyer will want to obtain certain information including but not limited to, the type of personal data processed, how the business collects and stores the data, whether appropriate records have been kept, whether a data protection officer has been appointed and whether there are any data processing agreements with third parties.

If you are able to demonstrate that your business has carefully considered the relevant requirements of GDPR it will be a relief to a prospective buyer.

Having the insight into your business will then enable us to assist you with answering the due diligence questionnaire. We will be advising that the disclosure needs to be made in accordance with the lawfulness, fairness and transparency principle under the GDPR. It is highly likely that you will need to redact or anonymise personal data before providing it to the buyer. For example, information relating to employees and individual customers/clients and suppliers.

It is also anticipated that there will be more focus on the negotiations in respect of the data protection warranties, especially if the due diligence reveals that there are potential data protection liabilities. We are able to offer the necessary advice and provide you with an explanation in respect of your specific circumstances.