The collection, use, commercialisation and transfer of data has grown exponentially during recent years and data has come into focus also in M&A-transactions. An increasing amount of transactional work evolves around data and the GDPR has put personal data questions on the top of many legal due diligence checklists.
The data explosion has changed, and will continue to change, the M&A deals we do and how we do them. More and more often, the data of the target is the key asset and the deal driver. The GDPR, providing supervisory authorities with extensive powers and involving risks of severe sanctions, has brought personal data and related GDPR compliance on the radar. In all transactions, regardless of the target’s business, the virtual data rooms have grown and the disclosure material has become more extensive, and performing due diligence manually is getting more challenging because of the large amounts of data under review.
Understanding the business and the use of the data
In deals where the data is an important or the most important asset of the target, it is paramount to understand whether the data can be used as intended post-closing and to identify any contractual or regulatory limits to the intended use or limits due to the collection of the data. Any hick-ups in the intended future use of data may threaten the entire deal as the commercial rationale falls away.
A comprehensive review of key data issues is almost impossible to undertake merely based on due diligence material, and should ideally be kicked off by interviewing target management to gain an understanding of the business and relevant data. Both the seller and the buyer must dig deep to identify any need for data licensing or other disclosing or separation of data in connection with the transaction.
Historical GDPR risks and showing compliance
Nowadays, privacy lawyers play an important role in M&A deal teams. The GDPR has forced focus on compliance with data protection laws, and even though no or very few targets can claim that they are fully GDPR compliant, it is highly important to identify risk areas and how these can be mitigated pre or post closing. Frequently, W&I insurance cannot be relied on to solve these types of issues, as data protection / GDPR exclusions are commonly seen in W&I insurance policies.
An important detail in showing compliance on the seller side is to think about the compliance of the due diligence process itself. This could entail making an effort in vetting VDR providers, especially their GDPR readiness; redacting personal data from the material; and ensuring that the target’s own privacy documentation allow the disclosure of personal data to a potential buyer.
Data rooms are growing – AI is on the rise
Data rooms are now larger than ever in size, and typically data rooms include thousands or tens of thousands of pages of legal documentation to be reviewed. The common view on the market is that AI and machine-learning technologies will have a transformative impact on M&A due diligence in the long term.
In Finland, widespread use of AI technologies is yet to be witnessed, but buyer requests to allow downloading of the data room materials for the purpose of utilising AI technologies are getting more common. The advantages of using AI technologies on the seller side in the compilation of the data room and in preparing vendor due diligence reports are obvious. My own prediction is that AI technologies will be used in all due diligence processes in some form within a couple of years.