GDPR: Spotlight on M&A Cyber Due Diligence

This blog discusses our views on GDPR Cyber due diligence, both generally and in an M&A context.

Figure 1 Photo by Hieu Vu Minh on Unsplash

The General Data Protection Regulation (GDPR) has been law for some time now. There have been a number of ups and downs consisting of personal data breaches; notices of intention to fine and efforts to understand online tracking, invisible processing, geolocation matching and an increased focus on the way in which companies process personal data.


Figure 2

Cyber ‘Snake Oil’

Yet, short of the scaremongering, snake oil and ambulance chaser stories professing “Fully GDPR Compliant” solutions (is that even a thing?) there is something that at tlam we have seen an increased focus on: adequate and robust cyber security assurance. We recently were re-certified for our ISO270001 certification and thought the best way to help our clients, suppliers and colleagues is to share some of our ‘secret sauce’ on how to operationalise privacy in your business.

We have lost count of the number of privacy policies that cross our desks –


– but do you? There are so many businesses that are still lacking adequate privacy policies. Some still have the nerve to charge £10 per data subject access request.

Figure 3 Photo by Agence Olloweb on Unsplash

Data Deep dive analysis

One thing that is often relegated during business transactions is the importance of auditing and properly mapping privacy posture and associated risks. Mergers and Acquisitions, disposals, joint ventures and public and private fundraisings are no exception.

Often, if they were even considered at all, privacy matters are hastily and superficially completed during the due diligence (DD) phase and bunged in during post-merger integration (PMI). However, post-GDPR, robust privacy policies have become a yardstick to gauge a target company’s “promise to perfect privacy”.

Corporate lawyers are waking up to the idea of advising their clients to consider privacy at the earliest opportunity. This is a welcome step. By having a proper picture of the security, organisational controls and company policies it allows your lawyer to understand, investigate and (where appropriate) draft narrow warranties and indemnities that account for gaps in compliance.

The problem is often countenanced by the fact that privacy is a tricky subject. It transcends boundaries between IT, data protection, risk management and overall senior management understanding. You should not expect a lawyer to understand all the boundaries between data architecture, encryption techniques, Root Access Tools, deep packet inspection, methods to identify spoofed IP / Mac Addresses or map the Entity Relationship Diagrams (ERDs) - that's our job. What the lawyer can do is call upon IT and privacy experts (like us) to assist in understanding the network architecture, registers of hardware assets, vendor maintenance agreements, business continuity and disaster recovery plans.

Questions for you to consider

During the due diligence phase, it is imperative to assess the areas of non-conformity and factor risk assessment drafting into the purchase decision. From a data protection perspective, the key areas to look at when conducting audits of the “Serious Privacy” mantra:

●     Records of processing activities (ROPAs) used to ascertain and evaluate the lawful purpose for which the target has been processing personal data and more importantly, whether the data can be processed for other purposes in the sense that if the data is not being used for something the data subject could reasonably expect it will fall foul of the purpose limitation principle under Article 5(1)(b) GDPR;

●     Data protection policies, privacy policies, records of unambiguous, affirmative consent; records of training the organisation has done for its employees;

●     Relevant data processing agreements and data sharing agreements;

●     Register of organisational and security measures the target has assessed very similar to the physical and / or environmental risks present in the Statement of Applicability (SOA) used for ISO270001;

●     The organisational charts and the responsibilities, duties and tasks that the Data Protection Officer (DPO) or equivalent has agreed to undertake. But do not take this at face value. Look beyond the contract, ask for specific projects and Data protection Impact assessment (DPIA) processes and results. In line with this, look at how the company has utilised the relevant balance of interests, necessity and proportionality tests.

The GDPR is not about ticking boxes and going through the motions, it concerns accountability so look to those who have made a reasonable effort to populate enriched documents highlighting the risks, their likelihood and severity.

Key action points:

The global data economy will only become increasingly more complex. Incorporating robust assurance and security control metrics and risk assessments into business investment decisions help granulise the risk allocation that a buyer is willing to accept. Full attention to the multiple correlated and interdependent cyber risks and network externalities are essential for successful negotiation and deal closure and post-merger integration.

In  carrying out these assurance audits of the processes, people and technology of the target company, a buyer is able to determine the remediation costs, the weaknesses identified and the risk mitigation measures and warranties it is willing to accept – which may have impact on price negotiations. By standardising the cyber due diligence practices, the buyer can form a holistic view of the risks and enable cyber security to cross the floor from IT departments to board room decision-making.

As companies who determine the purposes and means of processing, or as ones who act on others’ behalf, you will already have standardised your information security practices in line with GDPR. For those looking to transact and acquiring new business, when undertaking the M&A cyber due diligence, look for those companies that do seriously, “value [our] privacy”.