If a potential acquisition target does business in the European Union or stores data related to EU-based individuals, it’s important to evaluate the company’s readiness for the EU General Data Protection Regulation (GDPR) during IT due diligence.
In May 2016, the European Union finalized the General Data Protection Regulation (GDPR). It will go into effect in May 2018.
The GDPR is intended to increase the security of the personal data of EU citizens and to create protocols that must be followed by all companies doing business in the EU, regardless of the location in which they operate.
This means, for example, that US companies that offer products and services to individuals in the EU fall under these regulations. Regardless of Brexit, the UK has indicated that it intends to "opt-in" to GDPR.
While large companies around the world have been preparing for GDPR compliance, many smaller companies have probably not even heard of it as of late 2017.
It’s likely that best practices for compliance for smaller businesses will be a moving target as the implementation date approaches, but here are some things to consider when discussing GDPR with your target company during IT due diligence:
- Companies with at least 250 employees, or whose business is primarily focused on processing personal data, must appoint a "data protection officer" (DPO) whose responsibility is to oversee compliance with GDPR. In theory the DPO can be either an employee or a consultant. Either way, given the already-existing shortage of qualified IT security professionals, creating new demand for these skills will only make it harder to recruit and hire DPOs.
- The GDPR requires the DPOs at affected companies to perform "privacy impact assessments" to identify and mitigate risks related to the processing of personal data.
- The GDPR will likely require applications to be redesigned to add data encryption and to reduce collection of unnecessary data.
- Fines related to noncompliance with the GDPR can be huge, in some cases up to 4% of the company’s prior-year worldwide revenue.
If an acquisition target is impacted by GDPR, compliance can potentially be very expensive, and these costs should be considered very carefully when setting the transaction price and the implementation budget.
For more information, see the official EU personal data protection page.