Data minimization and M&A due diligence
Data minimization is a principle of personal data processing under GDPR (Article 5(1)(c)). In M&A, the acquiror tends to send the target a very comprehensive list of data to be shared. As data protection compliance and awareness grow, these lists are becoming more nuanced, and there are restrictions on both the target and the acquiror in this regard. The acquiror needs to give significant thought to which data it actually needs to process in order to pursue its legitimate interest. This will include the various stages of M&A: the acquiror may require some data before a term sheet is produced, most of the data for diligence, more for follow-up questions and investigations, most data post-signing, and finally additional data post-closing.

Considering the earlier stages, in many cases data can be redacted, but this can be very time consuming and often ineffective. Take HR data, for example. The personal data that an acquiror most requires is generally tied to the performance of various key individuals. People issues have been identified by multiple studies as one of the main factors in the high failure rate of M&A, and proper diligence of the people in the target organization is crucial. Redaction is therefore hardly feasible, aside from the technical difficulties. What is feasible, and required, is to consider which data is necessitated by the transaction. There is a tendency among professionals to take the firehose approach, among other reasons because due diligence is a very significant source of billable hours. Advisors ought to help their clients ask for the data that is actually most pertinent at every stage, and minimize the data processed not by redacting details from personnel files, but by processing only the relevant files. Likewise, not everyone on the diligence team needs access to all the data. Though confidentiality is standard in all pre-deal negotiations and diligence processes, data minimization is not.
Acquirors ought to handle data on a need-to-know basis and according to the principle of least privilege (POLP). In practice, the necessity of the data is often driven by the nature of the integration. Some acquirors make strategic acquisitions with no intention of integrating post-closing. In that case, much of the personal data typically shared in due diligence will be of no interest or relevance to the acquiror, and therefore should not be processed. Conversely, where synergies include layoffs, the exact performance metrics of various personnel will be a key driver of the transaction and a core part of the diligence. Necessity, and as a result the legitimacy of the interest and the lawful basis of the processing, may therefore depend on the nature of the transaction and of the post-transaction plans. When approaching due diligence, a quick conversation with the acquiror about its plans and ambitions should the deal move ahead will help ensure the proper lawful basis for the processing at the diligence stage.
* * * * *

Reminder: this isn't legal advice.