The General Data Protection Regulation, or GDPR, is EU legislation dealing with the collection, storage, handling and transfer of personal information, which came into effect on the 25th of May 2018. In this episode, we take a particular look at how this new legislation affects business sales and acquisitions in Australia.
- What is the GDPR?
- GDPR versus the Australian Privacy Act framework
  - Size of business covered
  - Level of prescription
  - Right to be forgotten
  - Express consent
- GDPR and M&A transactions
  - Risks for buyers
  - Risks for sellers
What is the GDPR?
Joanna: So let’s talk GDPR, Liz. This is newly introduced legislation, obviously not in Australia but in the EU. I don’t know how much our listeners know about the GDPR, so I guess we may as well start from the basics, Liz. How about you give us a quick overview of what the GDPR is and when it came into effect, which was very recently, in May.
Liz: Yes, so the GDPR, which stands for the General Data Protection Regulation, was established in the EU and came into effect on the 25th of May 2018. I think it had been in the works for a couple of years, but obviously, being in Australia and working with mostly local businesses, it’s not something that is at front of mind or at the top of our radar. But certainly, the 25th of May came upon us all very suddenly, and we are now finding that many of our clients are scrambling to work out how the GDPR might affect their business.
Joanna: Yeah, it’s funny, isn’t it? I recall this with a number of recent legislation introductions as well. You know, when we had the Privacy Act overhaul and when the PPSR came into play, I recall that we as lawyers were trying to talk to the community about this legislation, but businesses just weren’t interested until almost the eve of the legislation. GDPR is funny in that probably all of the Australian community, including the lawyers, hadn’t really been talking about it much until basically that eve of the 25th of May 2018, when suddenly we all woke up to the fact that actually it’s just on our doorstep. Perhaps we all better start thinking seriously about it now, even though we’re all the way over here in Australia. I guess that’s the reason that everyone put it on the backburner, or perhaps didn’t even realise that it was relevant. Obviously, it’s not Australian legislation. It’s EU legislation.
Liz: That’s right. And it doesn’t even really necessarily affect Australian residents. It deals with the collection, storage, handling and transfer of personal information that relates to EU citizens or a person located in the EU, or if somehow the services involved relate to the monitoring of the behaviour of someone in the EU.
Joanna: Yeah. And so I guess that’s where we say, okay, well, here of course today we’re not talking generically about the GDPR. We’re talking specifically in relation to M&A transactions. But I think it’s well worth repeating what you’re saying here, which is that it’s only relevant to the extent that organisations have customer databases, or perhaps marketing databases as well, in the EU, or perhaps the extent to which they are a supplier of EU based organisations who might then require that organisation to be GDPR compliant.
Liz: The risk of non-compliance is huge because the penalties are quite considerable, up to 20 million euros.
Joanna: Or four percent of revenue.
Liz: Yes, correct. For many organisations that are heavily based on analysing or processing data, rather than try to figure out whether or not they have EU citizens or persons located in the EU in their database, they are working on the basis that it probably applies, and therefore they are just now implementing processes to comply, not knowing whether or not they actually have to comply.
The GDPR versus the Australian Privacy Act framework
Size of business covered
Joanna: Yeah. How about we start off by talking a little bit about why the GDPR is different to the Australian Privacy framework. I guess it’s probably relevant to point out the first major difference, which is that in Australia, the Privacy Act only applies to organisations with turnover of greater than 3 million or who are otherwise captured because they deal with specific types of sensitive personal information, so say for example health services providers, gyms, those sorts of organisations. Whereas the GDPR covers small businesses as well as large businesses. So from my perspective that’s perhaps one of the biggest differences. Liz, what else are we seeing here in terms of the differences that you think we should be talking about?
Degree of prescription
Liz: Yeah. They’ve got this concept of data controllers and data processors, and they’re very prescriptive about that. Where someone is a data controller, they have to enter into an agreement, a data processing agreement, with the data processor, and that data processing agreement must contain elements which the GDPR prescribes specifically. So it’s very prescriptive in that sense, and we don’t have that under the privacy legislation, not prescription to that extent.
Joanna: How about in future episodes, Liz, we come back and talk maybe about what the practical implications of some of these things are. But I guess, without taking up too much of our time on these basics, what else are you seeing here that’s a difference?
Right to be forgotten
Liz: One of the key rights that individuals have under the GDPR is the right to be forgotten. Right now they can ask to unsubscribe under the Australian Spam Act, but under the GDPR they can say, erase all records of me completely, which is quite extensive, and so businesses need to technically be ready to comply with that.
Joanna: Have their systems in place as well. Yeah. Okay. And what else are we seeing there?
Liz: And under the GDPR, data processors must implement appropriate technical and organisational security measures. So there are quite extensive technical requirements that the organisation has to implement in order to comply with the GDPR. I think that technically the I.T. specialists here in Australia have to work out ways to comply.
Joanna: And I guess probably that last area of major difference relates to the express consent because the consent that has been gained to date probably isn’t the consent that is actually now required under this new legislation.
Liz: Yes, that’s correct. Under the Australian Privacy laws, you could rely on implied consent. But under the GDPR, you can no longer do that. So in order to properly comply with the GDPR, organisations would have to go through the whole process of seeking express consent, and you can see some organisations do that, the larger ones. The rate at which they’re receiving express consent, I’d hate to ask.
GDPR and M&A transactions
Joanna: And I guess certainly larger organisations who have geared themselves up for the Privacy Act in Australia will obviously be a lot closer to compliance than organisations who have just not even thought about compliance with Australian Privacy laws, let alone what the GDPR might have in terms of impact for them. But let’s now look specifically at the relevance of the GDPR to M&A transactions right here in Australia. Some people might think, well, how is EU legislation relevant to mergers and acquisitions happening here in Australia? Maybe let’s dig into that a little bit now.
Liz: Yeah. So I think the reality is a lot of businesses trade on a cross-border basis, especially information based services, online type services. They find themselves having customers who are based in other parts of the world.
Joanna: And sometimes, if they’re not good providers, they may not even know where their customers are absolutely based. I guess that’s the reality of some internet based organisations as well.
Liz: That’s very true. And therefore, if you’re buying or selling a business that is not involved in selling goods specifically, but is selling services and information, you could well be caught.
Risks for buyers
Joanna: Yeah, and so I guess maybe what we should do is break it down. Let’s talk about what the risks are for buyers. Let’s talk about what the risks are for sellers.
I guess for buyers, it’s about being able to identify whether or not there is a GDPR risk or lack of legal coverage in a business that they’re buying. So it’s about analysing, to a degree, the extent to which the customer base is or may be based in the EU, i.e. triggering the GDPR legislation. And so practically, Liz, what are your thoughts on the actual practical steps that might now be relevant and the practical impacts for buyers in this environment?
Liz: So for buyers, before buying a business, they’ve got to do their due diligence. They’ve got to think about whether the business is likely to have a database that comprises personal information belonging to an EU citizen or someone located in the EU, so they’ve got to understand exactly who the customers of the business are.
Joanna: Yeah. And sometimes that can be hard, because sometimes organisations don’t want to hand over everything in the due diligence process in relation to the customer databases. So here we’ll now need maybe a bit more extended detail than perhaps we used to have in the past in terms of inquiring exactly who is in the customer database. And moving on from that, another impact will probably be the warranties and indemnities that will now be looking to provide protection for the buyer to the extent that the seller may not have been across all of these issues.
Liz: That’s right. So there are various compliance issues there. Are the seller’s systems compliant with the GDPR? Has the seller obtained the necessary consents in relation to the individuals whose details comprise the database? Buyers have got to understand that they now need to add those inquiries onto their due diligence list.
Risks for sellers
Joanna: So there’s quite a bit for buyers to be thinking about. What about sellers? Maybe we should give a bit of a rundown for sellers in terms of what they should be thinking about in terms of preparing themselves for a sale. Because I think one of the most important things that we talk about again and again is the importance of an organisation getting itself clean prior to hitting the market, so that when the due diligence process is started the buyer isn’t getting surprises. And indeed the seller isn’t getting surprises of someone else telling them about issues and risks that they haven’t thought about.
Liz: Exactly right. So from a seller’s perspective, they need to know whose information they’re actually collecting and the likelihood of them collecting information from people who are likely to be based in the EU or are EU citizens.
For example, a recruitment business. If you own a recruitment business and you want to sell it, you can reasonably expect that in your recruitment database of CVs you probably will have CVs of individuals from the EU if, say, you’re in the financial services industry or in the IT industry. Maybe not if you’re a blue collar sort of recruitment company and you’re hiring labourers. But then again, you never know.
Joanna: And isn’t it interesting that potential risks lie for businesses who may not even think that they are transacting with the EU. And once again, I briefly mentioned this earlier, but I guess the other thing for organisations to think about is that there are a lot of organisations who are suppliers to organisations in the EU, so it’s not just about where your customer database is.
And I guess the other relevant consideration is where organisations may not perhaps have a customer database in the EU but may have other contractual reasons why they need to comply with the GDPR.
For example, we’ve certainly seen in our client base that there are a number of organisations who, whilst they don’t have clients in the EU, have had contracting parties now adding clauses within their agreements that require that they, even though they’re based here in Australia, comply with the GDPR. Because of the stringency of the GDPR legislation, there are many contracts even outside of the EU that I think might be impacted by this, so I guess that’s another way that organisations here in Australia can be caught up, even if they don’t have a connection with clients in the EU.
Liz: Yeah, absolutely. Buyers need to consider whether they will be transferring personal data after completion happens. If a buyer wants to move the database of the business to a different jurisdiction, for example, they’ve got to consider GDPR requirements in relation to the transfer of that data. Again, I think consent comes in to fix it. Consent is definitely a big thing now with the prevalence of the GDPR.
Joanna: Yeah. And as we said before, even where you may have received express consent in the past, or the selling organisation may have received express consent in the past, we’re now going to have to dig further and check that that express consent was sufficient for the purposes of this legislation and extensive enough.