GDPR Compliance: New Rules for M&A?

Deal teams must understand implications for the due diligence and transaction processes.
By Tom Allen of Midaxo, an M&A Leadership Council partner organization

On May 25th, 2018, the major data privacy legislation known as General Data Protection Regulation (GDPR) takes effect. GDPR introduces substantial changes to existing European Union privacy laws and provides a regulatory framework for the treatment of personal data belonging to EU citizens. Given the linkage between personal data exchange and M&A transaction activity, teams engaged in deal making need to understand the implications to their due diligence and transaction processes.

The Basics

Although GDPR is a reform specifically enacted in the EU, as ZDNet reports, “...the reach of the legislation extends further than the borders of Europe itself, as companies based outside the region but with activity on 'European soil' will still need to comply.”

Broadly put, companies under GDPR are held accountable for how they handle individuals’ data. This will require improvements to existing data protection policies, impact assessments and documentation of data processing activities. Additionally, it will increase compliance requirements for companies that carry out “regular and systematic monitoring” of a large-scale customer or user base – while addressing improvements in how consent is determined when offering or processing private data. Under GDPR, consent is closely scrutinized and becomes harder for companies to obtain. Furthermore, the framework introduces the concepts of ‘Privacy by Design’ and ‘Privacy by Default.’ The former means that minimal collection of personal data and transparency should be the default principles for companies using consumer data. The latter means that privacy settings should be fair and lawful regardless of what end users opt for.