Most organisations have moved on from the implementation phase of their GDPR project to deal with “business as usual” queries. In this, our second “GDPR bitesize” series, we discuss a number of common questions on the impact of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”) in day-to-day HR practice, this edition focusing on the sharing of staff information during corporate transactions.
Even before the GDPR came into effect on 25 May 2018, there was of course an obligation to comply with data privacy legislation when sharing staff information between parties during a corporate transaction. That said, many parties and their advisers had often been in the habit of putting privacy concerns to one side in the face of a fast-moving deal. Traditionally, the focus has been on getting the seller to reveal as much staff information as possible to enable the buyer to carry out a full evaluation of personnel structure, costs, and potential liabilities.
The increased territorial scope of the GDPR, its more stringent requirements, and the far higher penalties for non-compliance have led to buyers, sellers and their stakeholders and advisers becoming much more circumspect about sharing personal data during a corporate transaction. Nevertheless, there remains a conflict between the commercial realities of a deal and the desire to remain compliant with data privacy obligations.
All parties need to be alive to privacy concerns at every stage of a transaction: from the drafting of heads of terms and confidentiality agreements; through carrying out the diligence process and negotiating the purchase agreement and disclosure letter; and finally implementing post deal integration.
As an initial step, a data mapping exercise should be carried out at the start of the process, alongside a consideration of what lawful ground may be relied on to share the data in the manner proposed. This analysis may form part of an overall data protection impact assessment (and/or legitimate interests assessment), and the results of these should be recorded.
The emphasis should always be on minimising the amount of data shared with third parties, through anonymisation, pseudonymisation, and/or providing aggregate or summary information where possible. Extreme caution should be exercised before disclosing any “special category” data such as health information and trade union membership details. Existing privacy notices should be reviewed to make sure they cover situations in which personal data may be shared as part of a corporate transaction. Both buyer and seller will need to decide what, if any, fresh notification should be provided to employees, or whether it is possible to rely on a statutory exemption.
Buyers and sellers will need to be alive to the possibility of staff information being transferred outside of the EEA, and what lawful gateway will be relied on to effect this transfer.
Measures should also be put in place to ensure that reputable software and platform providers are enlisted for virtual data rooms. Password protection and data encryption should be used as standard. Similar contractual provisions should be in place between the seller on the one hand, and the buyer and data room providers on the other. This means that service contracts and non-disclosure agreements should include express protection for personal data, including: tight controls on access to personal data and on transfer outside the EEA; measures for retention and disclosure; and mechanisms to deal with potential data breaches and with requests from staff regarding their data.
In accordance with the accountability principle, all parties should keep a record of the steps they have taken towards GDPR compliance, including the security measures put in place to protect data and the reasoning behind key decisions, e.g. the lawful basis for processing and the approach to staff notification. This obligation goes hand in hand with the separate duty to maintain a record of processing.
If you would like to discuss any aspects of this article or would like further support please get in touch with your usual contact within the CMS employment team.