With IT infrastructure and networks becoming increasingly complex, it is more challenging and time consuming than ever to separate systems and data sets of any given organisation. And with almost any business holding some form of data these days, this kind of complex operation is required in almost any kind of M&A transaction – not just traditional carve-outs.
Transacting parties often do not appreciate that it can take months to properly separate IT systems. Since a prolonged delay could become a dealbreaker, buyers and sellers often negotiate the provision of transitional services, with one party providing IT services and/or data access to the other until the IT systems of the target are entirely separated from the seller’s systems.
Antitrust and data protection requirements play a huge role when it comes to:
- the transfer of data to the target;
- the retention of data by the seller; and
- the exchange of data during and after the completion of a transaction.
For all three dynamics, one should consider to what extent and until when a separation is necessary. The best way to deal with this is to create a clear and consistent approach to data separation.
The top four antitrust and data protection questions
We often see antitrust and data protection restrictions becoming a stumbling block to achieving a smooth transition.
The four questions that are crucial in almost every transaction from an antitrust and data protection perspective are as follows:
- Will the seller become an actual or potential competitor of the target?
- Which data will be affected?
- From an antitrust perspective, the parties should assess whether the data that needs to be accessed might be competitively sensitive. Examples would include information on current orders/projects, prices or costs.
- From a data protection perspective, the parties should carefully determine to what extent personal data is affected. Typical examples of personal data are employee data (both HR data and employee communications, such as emails and chats) as well as data regarding individuals at customers and suppliers. One also needs to assess in more detail what kind of personal data is affected, including whether highly sensitive data, such as health data, is involved – in which case particularly strict requirements apply.
- Who will have access to the data and for what purposes?
- Whether or not access by the relevant individuals is necessary and, if so, for what purposes should be assessed on a case-by-case basis.
- The general rule is that, after the transaction completes, personal data (of the employees of the two businesses, for example) may not be transferred between or accessed by the two organisations unless necessary for contractual or legal obligations (eg for the performance of transitional services).
- What safeguards should be put in place?
- The staff who need and are permitted to access the data on this basis must be clearly identifiable and as limited as possible, to comply with both antitrust and data protection requirements. Data access should be logged where practicable.
- Depending on the data concerned, advisable safeguards may include having internal confidentiality obligations, ring-fencing the teams involved or having cooling-off periods before the staff involved can take on other responsibilities.
Data separation is sometimes considered as an ‘afterthought’. But data separation workstreams require significant resources and preparation. It is key to kick off these workstreams at the very beginning of a transaction to ensure completion is not only a success but also quick and legally compliant.
A useful rule of thumb is: data access should only be granted on a 'need to know' basis – the less data is shared by both sides, the better.