Building a business? 4 data protection questions you have to ask
When you’re building a new business, you have a lot of tasks to look after. One important detail that requires your attention – but often gets overlooked – is the protection of personal data. If you’re purchasing a company from another owner, you have to know how to handle the personal data that comes with the business.
When you’re merging with or acquiring a new business, keep these four questions in mind:
- Does the current owner have the right to transfer the data?
- Do you have the right to use the data?
- What are the potential liabilities?
- Are data protection measures in place for the transaction process?
Let’s explore each question in more detail and see what the possible implications would be for each one.
Does the current owner have the right to transfer the data?
The first thing you should look into concerning personal data is whether the current owner has the right to transfer the personal data the business has collected. Before the GDPR, most businesses thought they could use the data of customers, employees, and stakeholders however they chose once they collected it. However, the GDPR has affirmed that personal data remains the property of the data subjects. Therefore, businesses cannot transfer this data without some restrictions in place.
Ask yourself the following questions concerning the transfer of the data:
- Do the current business owner’s privacy policies cover selling the business and change of ownership?
- Is the consent that data subjects have provided transferable to you when you purchase the business?
- Is the seller processing data on behalf of a third party, and if so, do the data-sharing agreements allow for change of ownership or control?
It’s possible that the privacy policies don’t allow a change in ownership and therefore would no longer apply.
Do you have the right to use the data?
Even if the previous owner has the right to transfer the data to you, do you have the right to use it how you want? There will be restrictions on its use which you should take the time to understand.
Firstly, consider if you plan to use the data for the same purposes as the original owner. If not, you need to ensure you have a lawful basis for processing the data.
Also, determine whether consent is used as the lawful basis for the previous owner’s collection of the data. If it is, check that the consent is transferable. You may have to renew consent of the data subjects before you can use their data, which may require contacting them before the sale is complete. In this case, the seller may have to reach out to data subjects to renew their consent.
Finally, ask yourself where you plan to store the data and who you will share it with, if you plan to share it. If you don’t store the data in the EU, you can either choose a country considered adequate by the European Commission or set up a lawful transfer mechanism. You will need to have data sharing agreements in place, and you may be able to legally re-assign existing agreements if necessary.
What are the potential liabilities?
As a new business owner, you must understand your liabilities, especially concerning personal data. Conducting an audit of the previous owner’s data landscape and processes will help you understand what you need to do moving forward.
A thorough audit will include some of the following considerations:
- Previous data breaches
- Whether the data is catalogued and mapped accurately
- Complete and updated Records of Processing Activities
- Completed DPIAs for high-risk data sets
- Whether there are comprehensive consent records
- Who the data has been shared with and if those processors have handled it properly
- Whether the business obtained data lawfully and fairly
- Outstanding responses to individuals’ rights requests
- Outstanding claims or investigations regarding data protection
If you want to make a reasoned assessment of your liabilities, you must understand to what extent the previous business owner complied with data protection regulations.
Are data protection measures in place for the transaction process?
The final data protection question to consider when building a business is how you manage personal data during the transaction process. You, the seller, and your advisors will have access to the data throughout the process, so you must ensure the right protection is in place.
Include robust data protection clauses in your non-disclosure agreements and put data-sharing agreements in place as necessary. Also, update the privacy policies to state that some data may be used during the acquisition process. Keep the Record of Processing Activities up to date as well, and restrict access to the room where the data is kept.
Data protection when building a business
Many new business owners overlook data protection because processing personal data can be technically complex. However, it’s essential that you take the right steps to keep your personal data safe. Your business could benefit from the expertise of an outsourced data protection officer, who can ensure you remain compliant during the purchase of a new business. Protecting personal data keeps you compliant with data regulations and provides enormous value to your new business.