Starting or acquiring a new business can be an exciting, stressful time. With so many details to look after, you may not remember your responsibilities concerning the processing of personal data. If the business you are purchasing collects data on its customers, employees, vendors, or other stakeholders, and if you plan to collect personal data, you have some questions to ask yourself before moving forward.
Does the Previous Business Owner Have the Right to Transfer Personal Data?
Before the GDPR took effect a few years ago, most business owners assumed that they owned the personal data they collected. They were essentially free to use it how they wished and could turn a profit from its use. However, the GDPR firmly established that personal data belongs to data subjects, not businesses. As such, businesses cannot transfer this data indiscriminately.
Circumstances that would prevent the transfer of data from the seller to you include:
- The seller’s privacy policies do not allow for the sale of business or change of ownership.
- Data subjects have provided their consent but this consent cannot be lawfully transferred to you.
- The seller processes data on behalf of a third party, and the data sharing agreements do not allow for a change of ownership or control.
If you are merging a business into your own, keep in mind that your existing privacy policy may not apply to the new data you acquire. You may also have to renew consent from data subjects to continue using their personal data after the change of ownership.
Do You Have the Right to Use Personal Data After Transfer?
The legal transfer of the data is one thing; your right to use the data afterward is another. You must ensure you have the legal right to use this data and understand the restrictions that apply to it. Consider the purposes you have for this data before you start using it.
Ask yourself if you’ll use the data for the same purpose as the previous owner and if not, if you still have a lawful basis for processing the data. Also, determine if the consent data subjects gave to the previous business owner is transferable.
Where the data will be stored and who it’s shared with are other important concerns. If the data is stored outside the EU, you should have it in a country approved by the European Commission. To share the data with others, you need appropriate data-sharing agreements in place as well.
What Are the Potential Liabilities?
You might be taking on the liabilities of the seller when purchasing the business. If that’s the case, you must have a clear understanding of those liabilities concerning data protection and processing. Conducting a thorough audit will help you identify these liabilities.
An audit of the previous business owner’s data processing could include points such as:
- Accurate mapping and cataloguing of personal data
- Up-to-date Records of Processing Activities
- Complete and robust DPIAs for high-risk data sets
- Complete Legitimate Interest Assessments
- Comprehensive consent records
- Who the data has been shared with and if other processors handled it properly
- Breaches
- Data requests that haven’t received responses yet
- Pending claims or investigations concerning data protection
How Should You Handle Personal Data Processing During the Transaction?
Data protection should feature in the merger or transaction process itself. You, the seller, and your agents will have access to the personal data on an increasing scale as the process goes on, so you must ensure protective measures are in place to ensure compliance.
You may require non-disclosure agreements with robust data protection clauses, data-sharing agreements, and updated privacy policies for the acquisition process. The parties should also pay special attention to the data room, ensuring it’s only populated with the necessary data and accessible only to authorized individuals.
Keeping Data Protection in Mind
Unfortunately, many new businesses don’t keep personal data protection in mind. High data volumes and the complexity of processing it make data protection a challenging aspect of building a new business. If your business is large enough, you may also require a data protection officer (DPO) to oversee the details.
Relying on outsourced DPO services can help you become and stay compliant, without extra expense. Keep data protection in mind as you build your new business and you’ll be less likely to have problems later on.