When you’re building a new business, you have many details to keep in mind. One aspect of acquiring or starting a new business that’s often overlooked is how to handle personal data collected from customers, clients, suppliers, and employees. Especially when you’re purchasing a business from another owner, data protection is a top concern.
What tips should you keep in mind concerning personal data as you build your new business?
Check if the seller has the right to transfer personal data
In the past, business owners could assume that they owned all the personal data they collected. They were free to use the data for marketing purposes or profit from it in another way. Since the GDPR was enacted, however, it’s become clear that data subjects are the owners of their personal data, not businesses. Business owners can no longer use or transfer this data however they want.
Also, determine whether the consent given by data subjects can be lawfully transferred, or if you’ll have to get their consent again when you take the business over.
Finally, see whether the seller is processing data on behalf of a third party, and if the data sharing agreements covering those processes allow for sale or transfer of ownership.
Check that you have the right to use the data
If you determine that the seller has the right to transfer the data, that doesn’t necessarily mean that you, as the new business owner, have the right to use it. There may be restrictions on exactly how you can use the data, which you should look into before starting up your business.
To know if you can use the personal data you’ve acquired along with the business, ask yourself what you plan to do with the data. Will you use it for the same purpose as the previous owner? If not, you will have to find a lawful basis to continue processing it.
Also, if the lawful basis for processing the personal data is consent from data subjects, you must ensure that their consent is transferable. If it isn’t, then you need to renew the consent from data subjects before continuing to process the data.
Furthermore, think about where you will store and process the personal data, and who else you will share it with. If you store and process personal data outside of the EU, it needs to be in a country that the European Commission considers adequate.
Understand potential liabilities
If the acquisition of a new business involves taking on the seller’s liabilities, then you must know what they are concerning personal data. You need to know what the previous business owner’s level of compliance was and conduct a thorough audit of their data processing.
The audit should cover some of the following points:
- Accurate mapping and cataloguing of personal data
- Updated Records of Processing Activities
- Completed DPIAs for high-risk data sets
- Legitimate Interest Assessments if Legitimate Interest is the lawful basis for collecting data
- Whether the data has been obtained lawfully, with transparent privacy and consent notices
- Comprehensive consent records
- How the data has been shared and whether other processors have handled it appropriately
- Outstanding responses to individuals’ rights requests
- Outstanding claims or investigations concerning data protection
In a trade and asset sale, some liabilities can remain with the seller, in which case the seller needs to understand their responsibilities for compliance. A thorough audit will help you, as the new business owner, get a clear picture of liabilities and responsibilities related to personal data.
Consider the Transaction Process
Both you and the seller should consider the implications for personal data during the transaction process. How are you protecting data during the acquisition itself? To stay compliant, it’s important to look at non-disclosure agreements and ensure they have robust data protection clauses. You should also put data-sharing agreements between yourself, the seller, and your agents in place.
You will also need to update privacy policies to state that data can be shared for the merger and acquisition process. Moreover, the Record of Processing Activities should reflect the fact that personal data is being processed during the merger and acquisition activity.
Protecting Data as You Build a Business
Understanding data processing and your compliance responsibilities as a new business owner is vital to building a business. Depending on the scale of your business, you may even need a data protection officer (DPO). Keep these tips in mind as you navigate the data landscape of your new business, and consider using an outsourced DPO to ensure you’re compliant.