
The Importance of Data Due Diligence in a Digital World

Earlier this month, the UK’s independent regulator of data protection, the Information Commissioner’s Office (ICO) issued a notice of its intention to fine Marriott International more than £99 million for infringements of the General Data Protection Regulation (GDPR).

By way of background, the GDPR is the data protection law that came into force on 25 May 2018.

ICO Decision

One of the interesting aspects noted by the ICO in its explanation of the decision was that the data protection issue had arisen before Marriott International acquired the Starwood group in 2016.

The ICO report notes:

“It is believed the vulnerability began when systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems.”

The Information Commissioner Elizabeth Denham said:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

The ICO’s comments highlight the importance of undertaking thorough legal, financial, commercial and technical due diligence or “DD” when acquiring a company or business.

What is due diligence?

Put simply, DD is the process that a buyer or investor should undertake before buying or investing in a company or business, in much the same way as someone purchasing a new house would engage in a process to confirm that the home is still standing. Under English law it is a buyer’s responsibility to make proper enquiries and investigations to avoid nasty surprises following their acquisition or investment.

Although some protections may be provided for in the sale and purchase agreement relating to the property, these will usually be limited by financial caps and timescales.

The company or business that is being purchased, and so the subject of the due diligence investigations, is often referred to as the target, and we will use this term below.

What Should DD Cover?

Initially, a solicitor will raise legal DD enquiries of the target and create an online ‘data room’ to which key documents relating to the target are uploaded. In the past a data room would have been a physical room in which the purchaser would have had access to the documents.

Good DD should cover every aspect of the target in detail, such as:

  • Conducting company searches of publicly available records to ascertain if there are any charges or anything unusual;

  • Checking constitutional documents such as the target’s articles of association to see whether they impose any restrictions on the sale of the target;

  • Ensuring that the target complied with all filing requirements;

  • Reviewing copies of the latest accounts;

  • Reviewing contracts to establish, in particular, whether changing the target’s owners will mean that key contracts will terminate;

  • Assessing the target’s intellectual property rights and ensuring that they are all properly owned by the target;

  • Investigating whether the target owns or leases property, and establishing whether there are any ongoing disputes relating to the target;

  • Seeking information in relation to employees and workers engaged by the company including in relation to salaries, length of service and outstanding or potential liabilities.

Data

We have heard a great deal about GDPR since it came into force across Europe. When acquiring a target business it is important to establish, as part of the due diligence process, the target’s historic behaviour in relation to its management of personal data.

Some of the questions that may be asked in relation to Data DD are:

  • Are data protection systems, policies and training in place?

  • Does the target have a privacy policy?

  • Has the target been involved in a data breach?

  • Have hackers attacked the systems?

  • Have there been any complaints made to the ICO?

  • Has the target complied with the GDPR or any previous data protection law such as the Data Protection Act 1998?

  • Does the target have adequate insurance in place in the event of a data breach?

  • Are there any data related disputes / litigation?

The above list is not exhaustive and illustrates just some of the issues to consider.

Some issues may be addressed as part of the due diligence process, while others will require action following the acquisition of the target.

The ICO decision regarding Marriott highlights the importance of data DD when purchasing a target business.

To read more about the intention to fine Marriott, you can read my previous blog here.
