Due diligence when sharing data following mergers and acquisitions

At a glance

If a merger or acquisition or other change in organisational structure means that you have to transfer data to a different or additional controller, you must consider data sharing as part of the due diligence you carry out when taking on the organisation and its obligations. This includes establishing the purposes for which the data was originally obtained, your lawful basis for sharing it, and whether these have changed following the merger or acquisition.

You must comply with the data protection principles, and document your data sharing.

Consider when and how you will inform individual data subjects about what’s happening to their data. You must also ensure sound governance, accountability and security.

In more detail

Introduction

This section is of particular relevance to the private sector. It highlights situations such as mergers and acquisitions, or other changes in organisational structure, where you need to make good data sharing practice a priority.

How does data sharing apply to mergers and acquisitions?

Data sharing considerations may become a priority when a merger or acquisition or other change in organisational structure means that you have to transfer data to a different organisation. For example, as part of a takeover or on insolvency, data might be sold as an asset to a different legal personality. You must take care if, as a result of the changes, there is a change in the controller of the data, or if the data is being shared with an additional controller. This is the case whether you are the sharing or recipient controller. You might be an insolvency practitioner or other adviser taking the role of controller for the time being, or advising a different controller. You need to:

  • ensure that you consider the data sharing as part of the due diligence you carry out;
  • follow this data sharing code;
  • establish what data you are transferring;
  • identify the purposes for which the data was originally obtained;
  • establish your lawful basis for sharing the data;
  • ensure you comply with the data processing principles - especially lawfulness, fairness and transparency to start with;
  • document the data sharing;
  • seek technical advice before sharing data where different systems are involved: there is a potential security risk that could result in the loss, corruption or degradation of the data; and
  • consider when and how you will inform data subjects about what is happening. Under the UK GDPR you are required to keep individual data subjects informed about certain changes relating to the processing of their data, and they may have a right to object. Please see the guidance on individual rights on the ICO website. The same considerations may apply in reverse to the controller receiving the data.

How do we manage shared data following a merger or restructure or other change of controller?

On a practical level, it can be difficult to manage shared data immediately after a change of this kind, especially if you are using different databases, or you are trying to integrate different systems. It is particularly important in this period to consider the governance and accountability requirements of the UK GDPR. You must:

  • check that the data records are accurate and up to date;
  • ensure you document what you do with the data;
  • adhere to a consistent retention policy for all records; and
  • ensure appropriate security is in place.

Further reading

Guidance on individual rights under the UK GDPR