Simona Moisa, Dentons: Data protection challenges in legal due diligence operations

Mihai-Alexandru Cristea 04/04/2024 | 14:58

Whether you’re planning on a merger, an acquisition, a significant investment, etc., conducting a due diligence analysis is generally an essential step to getting the deal right. But the authorities’ increased focus on data privacy as well as the latest changes in this regulatory framework means added challenges and complexities. 

By Simona Moisa, Senior Associate, Dentons

 

Data forms the core of every due diligence process. Whether it is personal, confidential or classified, it would be impossible to carry out a proper due diligence (DD) analysis without this data being disclosed and collected. For that reason, it is important to understand that the General Data Protection Regulation, or GDPR, does not establish a blanket prohibition on disclosing personal information in due diligence operations.

It is nevertheless true that there are certain conditions that the parties involved in the due diligence analysis (sellers, buyers, consultants, etc.) must observe, in order for the processing of personal data to be permissible, as outlined below:

 

Which data is personal data in a due diligence?

Generally speaking, given the complexity and wide range of documents disclosed in a due diligence operation, it can involve any or all of the following types of data:

  • Data governed by the GDPR, which ensures protection of individuals’ personal information
  • Data and information subject to business secrecy regulations, which safeguard proprietary knowledge and trade secrets
  • Data and information covered by confidentiality agreements to which the target company is a party
  • All other data and information retained by the target company, which may be safeguarded through alternative means

This article focuses on the first category: data governed by the GDPR. Below, we explore the key considerations and best practices for protecting personal information while observing data privacy regulations in a due diligence process.

The law defines personal data/information as any information that can directly or indirectly identify an individual, particularly by reference to an identifier such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.

As this definition is broad, here are some examples of personal data that may be disclosed during a due diligence process:

  • Data related to employees
  • Data related to the management team
  • Data related to representative bodies (employee level)
  • Data related to customers, etc.

 

Determining the correct legal basis

In a due diligence operation, the processing of personal data is typically based on the legitimate interest of the data controller, in this case, the target company. In other words, the target company has a legitimate interest in providing comprehensive details, including personal data, to other involved parties, to facilitate an informed decision-making process.

However, while this is typically the legal basis for processing activities in a due diligence analysis, an evaluation should be conducted for each situation, as every project has its own unique circumstances.

 

Data minimization

Even though disclosing personal data is allowed in a due diligence analysis, it is recommended to proceed with caution and attention, particularly when disclosing a large volume of data. The data minimization principle dictates that only personal information relevant to the processing purpose should be collected. Applying this principle to due diligence operations essentially means sharing only necessary and relevant information with potential buyers/bidders and others involved.

For instance, the target company may legally disclose personal data related to customers, which is especially pertinent in Business-to-Consumer (B2C) models. This could include detailed analytics on customer demographics, purchasing behaviors, satisfaction levels, and any customer feedback mechanisms in place. However, if the target company included its database with all customer contact information, this could violate the data minimization principle, as such information is unnecessary and irrelevant in a due diligence analysis.

Another example relates to employee personal data that may be disclosed in the due diligence process. Under the GDPR, the target company could disclose employee data such as employees’ demographics, roles, any representative bodies (e.g., unions or works councils), and insights into the composition and capabilities of the management team (their experience, qualifications, etc.). However, disclosing all employment contracts concluded at the target-company level, where doing so would include the employees’ personal data in the disclosed information, could be considered a breach of the data minimization principle. A potential work-around is to provide the information in an aggregated form or to limit disclosure to one or two contracts that are representative of specific personnel categories (such as management staff, administrative staff, etc.).

In view of the above, here are several recommended approaches for incorporating data minimization into your due diligence processes:

  • Identify the purpose: Clearly define the purpose of collecting and processing personal data during the due diligence process. Only process data that is necessary to achieve this purpose.
  • Limit data collection: Collect only the minimum amount of personal data necessary to achieve the objectives of the due diligence process. Avoid processing extraneous or irrelevant information.
  • Anonymize or pseudonymize data: Where possible, anonymize or pseudonymize personal data to reduce the risk of identifying individuals. This involves removing or encrypting personally identifiable information in large volumes of disclosed data, so that individuals cannot be directly identified.
  • Use aggregate data: Instead of collecting individual-level data, aggregate data whenever possible. This involves combining data points to analyze trends and patterns without identifying specific individuals.
  • Implement data retention rules: Establish clear policies for retaining data collected during the due diligence process. Only retain data for as long as necessary to fulfill the purpose for which it was collected, and securely dispose of data once it is no longer needed.
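As an added illustration (not from the article, and not a Dentons tool), the following Python script applies the aggregation and pseudonymization approaches above to a constructed employee export: it produces a per-category headcount, a pseudonymized and salary-banded extract of one representative record per personnel category, and a pre-disclosure check that no direct identifiers remain before anything reaches the data room. The field names, the sample records and the HMAC key are assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample HR export (fictional people), as the seller would hold it internally.
EMPLOYEES = [
    {"name": "Ana Popescu", "email": "ana@target.example", "category": "management", "role": "CFO", "salary": 9500},
    {"name": "Ion Ionescu", "email": "ion@target.example", "category": "administrative", "role": "HR Specialist", "salary": 3100},
    {"name": "Maria Dima", "email": "maria@target.example", "category": "administrative", "role": "Accountant", "salary": 3400},
    {"name": "Radu Stan", "email": "radu@target.example", "category": "sales", "role": "Account Manager", "salary": 4800},
    {"name": "Elena Toma", "email": "elena@target.example", "category": "sales", "role": "Sales Rep", "salary": 4100},
]

DIRECT_IDENTIFIERS = {"name", "email"}  # fields that must never reach the data room


def aggregate_headcount(records):
    """Aggregated form: headcount per personnel category, with no individual rows at all."""
    return dict(Counter(r["category"] for r in records))


def salary_band(salary, width=2000):
    """Coarsen exact pay into a band so the extract cannot single out one person by amount."""
    low = (salary // width) * width
    return f"{low}-{low + width - 1}"


def pseudonymize(record, key):
    """Replace direct identifiers with a keyed (HMAC) pseudonym. The key stays with the
    seller, so a recipient cannot reverse the token by hashing guessed e-mail addresses."""
    token = hmac.new(key, record["email"].encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS and k != "salary"}
    out["pseudonym"] = token
    out["salary_band"] = salary_band(record["salary"])
    return out


def representative_extract(records, key, per_category=1):
    """Instead of every contract, disclose a pseudonymized extract of a few per category."""
    picked, out = Counter(), []
    for r in records:
        if picked[r["category"]] < per_category:
            picked[r["category"]] += 1
            out.append(pseudonymize(r, key))
    return out


def contains_direct_identifiers(rows):
    """Pre-disclosure check: True if any row still carries a direct identifier field."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in rows)
```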

 

Ensuring integrity and security

Personal data must be handled in a manner that guarantees a reasonable level of security, which includes safeguarding against unauthorized or unlawful processing, as well as accidental loss, destruction, or damage. This should be accomplished through the implementation of appropriate technical or organizational measures, as outlined in Article 5 of the GDPR.

Below are several instances of best practices used to ensure integrity and security in your due diligence process:

  • Data encryption: Personal data should be encrypted both in transit and at rest to prevent unauthorized access. The virtual data room (VDR) used should rely on encryption algorithms and protocols that comply with industry standards, so that the data remains secure even if intercepted.
  • Access controls: Limit access to personal data to only authorized individuals or teams.
  • Authentication mechanisms: Strong authentication mechanisms, such as multi-factor authentication, should be in place to verify the identity of users accessing personal data. This helps prevent unauthorized access, even if login credentials are compromised.
  • Data minimization: Only collect and retain personal data that is necessary for the due diligence process. Minimizing the amount of personal data reduces the risk exposure in case of a breach and simplifies compliance with data protection regulations.
  • Data retention rules: Keeping personal data collected for the due diligence only for as long as necessary, and securely disposing of it afterwards, reduces the risk of data breaches and demonstrates compliance with data protection regulations. Such practices can be adopted at the organizational level of each party involved in collecting personal information. Moreover, parties may also establish distinct retention rules tailored to the processing activities of a specific due diligence process.
  • Employee training and awareness: Providing comprehensive training and raising awareness among employees about the importance of personal data security and integrity is an essential part of the compliance with the GDPR accountability principle. Employees should be educated on best practices, security protocols and their responsibilities in handling personal data.