Business sales, whether sales of shares or of assets, are usually complex, needing a range of people working closely together to lead to a successful outcome. Due diligence and disclosure exercises are a critical part of the process, requiring the provision and collation of voluminous and detailed information about the target business and its employees.
In this note, we will be exploring how the parties deal with and comply with their data protection obligations in respect of sharing staff information. The buyer of a business needs to delve deeply to find out as much staff information as it can to carry out a full evaluation of the personnel structure, history, costs, risks, future problems and potential liabilities. However, under current data protection legislation, an employee’s personal data must be processed lawfully, fairly and transparently, and employees must be told how their data is being processed. This creates a conundrum, because the stringent requirements and penalties for non-compliance under GDPR and the Data Protection Act 2018 mean buyers, sellers and their advisers need to be particularly cautious about sharing personal data, and about how this is done, during a corporate transaction. This clearly creates a conflict between what buyers will feel they need to know and what a seller can actually (legally) disclose.
What sellers need to know
We’ve drawn together some guidance here on aspects sellers need to know and act on.
Initially, the seller should consider the following in relation to the confidential information they hold:
- Determine what personal data it has, and the basis on which it is entitled to process and share it.
- Be alive to privacy issues at every stage of the transaction in which an employee’s personal data is disclosed, stored or otherwise processed. This runs from the initial non-disclosure agreement (NDA) and the drafting of the heads of terms, through the due diligence exercise and the period between signing and completion, to post-completion integration.
- Minimise the amount of employee information and data shared with third parties. Before sending the information to other parties, or uploading it to a virtual deal room, ensure that the data is anonymised, redacted or pseudonymised where possible. Anonymisation or pseudonymisation must not be capable of being circumvented by third parties identifying the individuals by cross-referencing other sources, or in other indirect ways.
When sharing personal data with the buyer, and as recommended above, the information can be:
- Anonymised - Personal data that has been anonymised, so that individuals cannot be identified from it by the recipient, will not be personal data in the hands of that recipient. Any personal data that a potential buyer needs in relation to the employees of the target company should be sufficiently anonymised before it is sent to the buyer or their representatives, or uploaded to a data room.
- Redacted - Sellers disclosing employee information during a transaction should redact as much information identifying the employee as possible. Part 2 of the ICO Employment Practices Code Supplementary Guidance notes the issues that may arise, including that anonymisation may be rendered useless in respect of obviously identifiable staff. Sellers should be aware that this guidance has not been updated since the Data Protection Act 2018 became law.
- Pseudonymised - The process of editing data subjects’ personal information so that the data subject in question cannot be identified without additional information. To qualify as properly pseudonymised information, that additional information must be kept separate from the pseudonymised data and must benefit from its own security, so that the data cannot be associated with the relevant data subject.
Nevertheless, removing names will help protect privacy overall, and as such should be done. A seller must bear in mind that if personal data cannot be properly anonymised (for example, where names are redacted but job titles are left in, so individuals can still be identified) then it is still personal data for the purposes of data protection law.
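The following is an added illustration (not part of the original note) of the two points above: names are replaced with keyed tokens and the lookup table is returned separately so it can be stored apart from the data room, and a check flags records that remain unique on a field such as job title, which would still be personal data. The HR rows and the key are constructed sample values.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample HR extract of the kind a seller might prepare for due diligence.
STAFF = [
    {"name": "Alice Example", "job_title": "Finance Director", "salary": 95000},
    {"name": "Bob Example", "job_title": "Sales Executive", "salary": 32000},
    {"name": "Carol Example", "job_title": "Sales Executive", "salary": 33000},
    {"name": "Dan Example", "job_title": "HR Manager", "salary": 48000},
]


def pseudonymise(records, key):
    """Replace names with keyed HMAC tokens.

    Returns (tokenised records, lookup table). The lookup table is the
    'additional information' that re-identifies staff; it must be held
    separately from the data room, with its own access controls, and the
    key must never be uploaded alongside the data.
    """
    tokenised, lookup = [], {}
    for row in records:
        token = hmac.new(key, row["name"].encode(), hashlib.sha256).hexdigest()[:12]
        lookup[token] = row["name"]
        tokenised.append({"id": token, **{k: v for k, v in row.items() if k != "name"}})
    return tokenised, lookup


def unique_quasi_identifiers(records, fields):
    """Return the combinations of `fields` that match exactly one record.

    If a pseudonymised row is still unique on, say, job title, the individual
    can be picked out from the org chart, so the data is still personal data.
    """
    counts = Counter(tuple(row[f] for f in fields) for row in records)
    return sorted(combo for combo, n in counts.items() if n == 1)


if __name__ == "__main__":
    rows, lookup = pseudonymise(STAFF, b"constructed-demo-key")
    print("rows for data room:", rows)
    print("held separately:", lookup)
    print("still identifiable by job title:", unique_quasi_identifiers(rows, ["job_title"]))
```

Rows flagged by the uniqueness check need further redaction or generalisation (for example, replacing the exact title with a department) before they can be treated as anonymised.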
Use of data rooms during a transaction
Data rooms (or deal rooms) tend to be used to store all due diligence and documents relating to the sale of the company. These documents may include confidential information and personal data in relation to the target company’s employees. It is therefore crucial that processes are in place to ensure the security of this information.
The service the data room provides should be documented by means of a services agreement which details how personal data relating to employees (and others connected with the sale) may be processed. Under GDPR, the provider of the data room will be a processor, so certain clauses must be included in the services agreement, including that:
- The processor ensures that anyone who has access to the personal data has agreed to keep the data confidential.
- The processor only processes personal data on instructions from the controller, and deletes and/or returns all data to the controller upon request.
- The processor ensures appropriate security of the data in the data room.
The seller’s main priority is to ensure that any personal data held in the data room is as secure as possible. The seller must know which individuals are involved and who has access to the data room. Access controls can be put in place to increase security.
The seller must be careful about what personal data it uploads to the data room and that it only uploads data in relation to its employees that is necessary for the purpose of the transaction – following the guidance we have referred to above. Practically, where possible, the seller must ensure that personal data uploaded to the data room is either pseudonymised, redacted or anonymised.
What should the buyer do?
There are a number of elements to consider:
- Special categories of personal data (for example health data, data on racial or ethnic origin or trade union membership) require particularly careful handling to minimise the risk of being in breach of data protection requirements. Access to this should be limited to those who need to receive it for the purposes of the transaction, and, if the transaction completes, for the purposes of the business in accordance with the law.
- Review its existing privacy notices and policies to make sure they cover situations in which personal data may be shared or received as part of a business sale. Both parties will need to decide what, if any, fresh notification should be provided to employees, or whether it is possible to rely on a statutory exemption.
- Ensure that it has its own systems in place that will appropriately protect the personal data and information it receives about the seller’s staff (and all other confidential information disclosed).
Under the ICO’s Employment Practices Code (guidance many HR professionals and employers use as a reference), the obligation to explain to employees how their personal data is being processed need not be complied with where, in a merger or acquisition of a company, ‘inside information’ must be protected. Companies must bear in mind that this guidance has not been updated in line with the UK GDPR and is due to be replaced with a more user-friendly online resource.
Whilst the GDPR requires a seller to tell data subjects if their personal data is being disclosed, there is often a need to ensure commercial secrecy. When a proposed deal is taking place, an employer may seek to rely on the legitimate interest ground for processing their employees’ personal data, that is, to show that processing the employee data is necessary for the purposes of the legitimate interests of the business.
The company must, however, be able to show that it has balanced its own legitimate reasons for processing the data against the rights and freedoms of the data subject. Practically, we recommend that companies relying on this ground maintain an audit trail of their actions and decisions throughout the transaction.
Corporate transactions are complex, multifaceted and often fast-paced.
The impetus to get the deal done can be relentless and protecting the personal data of employees may seem like an obstacle and an inconvenience to the parties and their professional teams driving it forward. However – protect it you must.
It’s the legal obligation of everyone – especially the buyer and the seller, but also of the supporting professional teams. Getting it wrong can be very costly in fines, employee relations, negative publicity and even warranty claims.