One of the key assets for a buyer of a retail business may well be the database of customers and/or interested consumers. This will apply particularly if there is an existing e-tail operation for the business, but even bricks and mortar operations frequently have mailing lists. Buyers should check if they are getting the database as part of the assets and if they are, be alive to the data protection issues raised by compliance with the UK GDPR.
- If you are buying from an administrator or liquidator, you are unlikely to get any comfort about how well data protection compliance was handled before the sale. An administrator would typically request indemnities from the buyer against liability arising from the sale of the database. It’s worth finding out as much as you can about this issue, so that you can keep a consistent approach and avoid upsetting or irritating consumers. Where at all possible, obtain the existing policies, such as the privacy notice or policy that consumers were given, as well as any internal policies.
- Because you’ll probably be buying assets (rather than shares in the company), the identity of the ‘data controller’ will change to the company that’s purchasing the assets. So it’s important to make sure that the purchasing company has paid the necessary fee to the UK Information Commissioner’s Office.
- Remember the importance of security for personal data (this is one of the main issues for which the Information Commissioner’s Office is issuing penalties). If the database will continue to be stored on the same IT systems that you acquire, you’ll need to carry out a thorough security audit of those systems soon after completion and make whatever improvements are needed to resolve the issues identified. If there is a security breach, it won’t be a defence that you were innocently continuing to use inherited systems which you thought were OK but weren’t.
- You will also need to be prepared to contact everyone on the database and inform them that their personal data is now under the control of the new company, as well as telling them about revised contact details and any changes to the privacy policy operated under the old business.
- If any of the data processing is carried out by third parties, make sure that they have new GDPR-compliant contracts with the new controller. If sums are owed to these third-party processors, you may need to settle the arrears to ensure continuity of service. It’s also important to identify whether any personal data is (or will be) transferred out of the UK internationally, as the UK GDPR imposes restrictions on these transfers.
- Make sure that the database you are getting includes details of any marketing opt-outs, and that your new system is set up to honour these.
- Finally, if the business has customers in other countries, you may need to comply with rules outside the UK as well, so it is worth understanding which countries are involved and what compliance steps will be needed.
Fines for breach of UK GDPR can be up to £17.5m or 4% of global annual turnover (whichever is more) and the same again in the EU, so it is worth a bit of time and resource to reduce the risk of a breach as part of the acquisition.