Data sharing code expands ICO's views on M&A data due diligence

Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law, said the ICO's new data sharing code of practice provides further details of the authority's expectations and should be read alongside comments it made on the topic in the context of a major data breach by hotel chain Marriott International.

On 30 October 2020, the ICO imposed an £18.4 million fine on Marriott after it found that the company had breached data protection law in the way it protected customer data. An estimated 339 million hotel guests had their data compromised in a cyber attack that went undetected for approximately four years. The company had announced in November 2018 that it had identified that there had been "unauthorised access" to one of its databases since 2014 following a cyber incident. The database was one that was added to Marriott's IT estate when it acquired the Starwood business in 2016.

In the monetary penalty notice it issued, the ICO said that "there may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover".

The ICO made clear that its findings of infringement and associated fine only concerned failings it deemed the company responsible for from the point after which the General Data Protection Regulation (GDPR) began to take effect, on 25 May 2018. It did not make any findings in respect of the period between Marriott's acquisition of Starwood and the GDPR entry into force date.

The ICO added that it had "not determined whether or not it was possible for Marriott to conduct due diligence during a takeover" – Marriott had claimed that it was "only able to carry out limited due diligence on the Starwood data processing systems and databases" during the acquisition process, according to the ICO's notice.

Wynn said: "The financial services sector will welcome the ICO reaching such a pragmatic conclusion. At the due diligence stage, an organisation can only get a general sense of the information provided but cannot make a full assessment of whether those measures have been effectively implemented and thereafter complied with. It is not until post completion that an organisation can truly look 'under the bonnet' from a GDPR compliance perspective."

According to Wynn, however, the ICO's decision in the Marriott case confirms that, after corporate transactions complete, organisations must be accountable for the personal data they hold. She said it is vital for banks, insurers and other financial institutions, particularly at a time when many may be exploring M&A deals as a means by which to access the latest digital technologies, to conduct a full GDPR compliance gap analysis immediately after completion.

"When assessing a target, if the buyer cannot ascertain a high level of GDPR compliance, it will need to plan for conducting a GDPR gap analysis," Wynn said. "This can be a resource intensive exercise, with costs incurred in carrying out not only the GDPR gap analysis itself but also the remediation measures that may flow from that analysis. Examples could include procuring new technology if vulnerabilities are found in the IT system. Therefore, sellers should consider this cost as part of the price for the target and the post completion activity."

Further detail of the ICO's expectations on data-related due diligence in the context of M&A deals is set out in its new data sharing code of practice.

"If a merger or acquisition or other change in organisational structure means that you have to transfer data to a different or additional controller, you must consider data sharing as part of the due diligence you carry out when taking on the organisation and its obligations," the code states. "This includes establishing the purposes for which the data was originally obtained, your lawful basis for sharing it, and whether these have changed following the merger or acquisition."

As with the Marriott case, however, the ICO has recognised in its code that managing data in the immediate aftermath of a change in controller brings practical challenges. It said that, during this period, it is "particularly important … to consider the governance and accountability requirements of the GDPR".

Wynn said: "Organisations should ensure that there is sound governance, accountability and security arrangements relating to the GDPR in place by way of ensuring that the security measures are appropriate relative to the data processing taking place, that data records are accurate and up to date, and that there are consistent data protection practices across the group."

"This means that post-completion, by way of an example, the buyer will need to ensure that the target has a data retention policy relating to the period of retention of data and assess whether these periods are appropriate and/or align with the buyer's own data retention procedures. The buyer should then question the effectiveness of the data retention policy and, if found to be ineffective, put in place remediation measures," she said.