Data protection and business sales – risks and solutions?

Nick Graham, Denton Wilde Sapte, London

Computer Law & Security Report Vol. 20 no. 4 2004 ISSN 0267 3649/04 © 2004 Elsevier Science Ltd. All rights reserved

Buying and selling businesses can create some difficult data protection issues. How can the seller, for example, disclose employee and customer information to prospective buyers for due diligence purposes without breaching the Data Protection Act? To what extent can customer data collected by the seller be used by the buyer for new or different purposes going forward? Similar issues arise in outsourcing transactions where the outsourcing service provider may want access to employee or other data to conduct due diligence. In this article, we examine the key data protection rules and identify pragmatic solutions to manage these risks.

A. Data protection – scope

The Data Protection Act 1998 regulates “personal data”. Personal data is defined broadly as:

  data which relate to a living individual who can be identified:
  (a) from those data, or
  (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller;
  and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

The Court of Appeal has recently sought to limit the scope of this broad definition in the case of Durant v Financial Services Authority so that “personal data” only covers information which is biographical in a significant sense and has the data subject as its focus. However, in practice, much of the information that a seller would want to disclose as part of, for example, a due diligence exercise would probably be caught by either version of the “personal data” definition. On this score the Durant case may not make much difference in the context of business transfers. However, the Court of Appeal also reduced the scope of manual files which are caught by the Data Protection Act. In future, manual files will probably only be caught by the Data Protection Act where they are sub-divided to allow the searcher to go straight to a particular category of information to retrieve particular information. Thus, if the seller of a business proposes to disclose manual filing systems to prospective purchasers, the new Court of Appeal rules may help in limiting the scope of data protection risk.

B. Data protection – the legal rules

The Data Protection Act 1998 imposes two key requirements which are applicable to business sales:

• Data controllers must ensure that data subjects (for example, employees/retail customers) are first given the “fair processing information”;
• Data controllers must ensure that any disclosure of personal data complies with
  - one of the “gateway conditions” set out in Schedule 2 to the Data Protection Act, and
  - in the case of sensitive personal data, one of the additional conditions set out in Schedule 3 to the Data Protection Act.

We examine each of these requirements below.

C. Fair processing information

The obligation to provide “fair processing information” is contained in the First Principle of the Data Protection Act 1998. This requires the following information to be provided to the data subjects (for example, the relevant employees, retail customers or individual suppliers):

• The identity of the data controller (i.e. the name of the seller and any other party who will be granted access to the personal data);
• The purpose or purposes for which the data are intended to be processed (for example, for due diligence review);
• Any further information which is necessary to enable the processing in respect of the data subject to be fair (for example, any special or unusual circumstances would need to be spelt out clearly to the data subject).

Clearly, it will often be highly unattractive and indeed impractical for the seller of a business to tell all its employees, retail customers and individual suppliers that it is considering selling. Indeed, in order to fully comply, the seller would also need to disclose the identity of each of the prospective buyers to these individuals. There are two possible solutions to this issue:

• Firstly, the “fair processing” rules do not apply where the relevant personal data is obtained from someone other than the data subject and compliance with the “fair processing” rules would involve a “disproportionate effort”. This, in principle, could help prospective buyers who obtain personal information about employees or customers from the seller. “Disproportionate effort” is not defined in the Data Protection Act. Guidance from the Information Commissioner suggests that the fact that a data controller has to expend a substantial amount of effort or cost in providing the information does not necessarily mean that he can rely on the “disproportionate effort” exemption. In practice, it is difficult to see how sending, for example, a round robin e-mail to all relevant employees or customers could involve “disproportionate effort”. This assumes e-mail addresses are available. In any event, this solution will not help the seller of the business who acquired the personal information from the relevant data subject.
• Secondly, the seller could anonymise the relevant personal information. In the case of employee information, for example, the seller could remove individual names and job titles and provide the remaining information to prospective buyers in redacted form. This, in principle, takes the information outside the scope of the Data Protection Act and therefore avoids the obligation to provide the “fair processing” information. It is also regarded as good practice by the Information Commissioner as it minimises the amount of information being disclosed.

It is worth bearing in mind, however, that anonymising personal data is easier said than done. Guidance from the Information Commissioner also suggests that if a data controller, having stripped out personal identifiers so as to create an “anonymised” set of data, retains the original data set, the data controller will still be able to identify particular individuals from the so-called “anonymised” data set, which will remain personal data in the hands of that data controller. In any event, there is a residual risk that removal of, for example, names and job titles from employee information may not prevent identification of particular individuals. If the pool of data is relatively small or relates to, for example, senior management it may be obvious that the information relates to particular individuals. Anonymisation, therefore, reduces the data protection risk but does not exclude it.
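The residual risk just described can be measured before a redacted extract leaves the building. The Python below is an added example, not code from the article or from the author's firm: it runs on a constructed HR extract, strips the direct identifiers the article mentions (names and job titles, plus a staff number), and then counts how many records share each remaining combination of department, grade and location. A record whose combination is shared by fewer than k others is the “small pool” or “senior management” case and is still identifiable after redaction. The example goes one step further than the text and shows the usual remedy: coarsen the remaining fields and withhold whatever still cannot be released. The field names, the sample values and the threshold k = 3 are all assumptions made for the example.

```python
"""Redaction and re-identification check for an employee extract.

Added example (not from the article). The data set, the field names and
the threshold k are constructed for illustration only.
"""
from collections import Counter

# Constructed sample data: every person, grade and site below is made up.
EMPLOYEES = [
    {"employee_id": "E001", "name": "Person One", "job_title": "Chief Executive",
     "department": "Executive", "grade": 9, "location": "London", "sickness_days": 3},
    {"employee_id": "E002", "name": "Person Two", "job_title": "Finance Director",
     "department": "Executive", "grade": 8, "location": "London", "sickness_days": 0},
    {"employee_id": "E003", "name": "Person Three", "job_title": "Sales Assistant",
     "department": "Sales", "grade": 2, "location": "Leeds", "sickness_days": 4},
    {"employee_id": "E004", "name": "Person Four", "job_title": "Sales Assistant",
     "department": "Sales", "grade": 2, "location": "Leeds", "sickness_days": 1},
    {"employee_id": "E005", "name": "Person Five", "job_title": "Sales Assistant",
     "department": "Sales", "grade": 2, "location": "Leeds", "sickness_days": 7},
    {"employee_id": "E006", "name": "Person Six", "job_title": "Sales Assistant",
     "department": "Sales", "grade": 3, "location": "Leeds", "sickness_days": 2},
    {"employee_id": "E007", "name": "Person Seven", "job_title": "Sales Assistant",
     "department": "Sales", "grade": 3, "location": "Leeds", "sickness_days": 0},
    {"employee_id": "E008", "name": "Person Eight", "job_title": "Sales Assistant",
     "department": "Sales", "grade": 3, "location": "Leeds", "sickness_days": 5},
]

# Fields that name a person outright (removed by redaction).
DIRECT_IDENTIFIERS = ("employee_id", "name", "job_title")
# Fields that do not name anyone but can single a person out in combination.
QUASI_IDENTIFIERS = ("department", "grade", "location")
# Quasi-identifiers that remain after generalise() has coarsened the record.
GENERALISED_QUASI_IDENTIFIERS = ("department", "grade")


def redact(records, fields=DIRECT_IDENTIFIERS):
    """Return copies of the records with the direct identifiers removed."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def reidentifiable(records, k=3, quasi_ids=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination is shared by fewer than k records.

    k = 3 is an assumed threshold: a class of one or two is the article's
    "small pool" / "senior management" case.
    """
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] < k]


def generalise(records):
    """Coarsen the quasi-identifiers: band the grade and drop the site."""
    out = []
    for r in records:
        g = dict(r)
        g["grade"] = "senior" if g["grade"] >= 7 else "junior"
        g.pop("location", None)
        out.append(g)
    return out


def anonymise(records, k=3):
    """Redact, generalise, then withhold records still in a class smaller than k.

    Returns (released_records, number_withheld). Everything released is
    shared by at least k records on the generalised quasi-identifiers.
    """
    generalised = generalise(redact(records))
    classes = equivalence_classes(generalised, GENERALISED_QUASI_IDENTIFIERS)
    released = [r for r in generalised
                if classes[tuple(r[q] for q in GENERALISED_QUASI_IDENTIFIERS)] >= k]
    return released, len(generalised) - len(released)


if __name__ == "__main__":
    redacted = redact(EMPLOYEES)
    for r in reidentifiable(redacted):
        print("still identifiable after removing names and titles:", r)
    released, withheld = anonymise(EMPLOYEES)
    print(f"released {len(released)} records, withheld {withheld}")
```

On the constructed data the two executives remain unique after names and job titles are gone, and even after grade is banded they form a class of two, so they are withheld rather than released; only the six sales records pass. The code cannot address the other point the article makes: while the seller keeps the original `EMPLOYEES` list, anything it releases can be linked back by the seller, so the extract is only anonymous in the recipient's hands, not the controller's.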

D. The “gateway conditions”

The Data Protection Act also requires all processing of personal data to comply with the “gateway conditions”. These conditions generally require the data controller to obtain the consent (or, in the case of sensitive personal data,[1] explicit consent) of the data subjects. The term “consent” is defined in the Data Protection Directive 95/46/EC as:

  Any freely given specific and informed indication of [the data subject’s] wishes by which [he] … signifies his agreement to personal data relating to him being processed.

Needless to say, it will be highly unattractive for a seller of a business to obtain the consent of, for example, all relevant employees, customers and suppliers to the disclosure of their information to prospective buyers for due diligence purposes. Indeed, unless 100% of the consents are obtained in accordance with the requirements of the Data Protection Act, there is a residual non-compliance risk in any event. The potential solutions to this issue are as follows:

• There are a number of alternative “gateway conditions” which, for example, a seller may be able to rely on. In particular, a seller can disclose information to prospective buyers where the disclosure is:

  “necessary for the purposes of legitimate interests pursued by … [the seller] … or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”.

  This, in principle, will often permit the disclosure of personal information to prospective buyers. It may also permit the disclosure of information in the context of an outsourcing service contract where the prospective bidders want to access, for example, employee information for due diligence purposes. The question as to whether the above condition can be relied on in any particular case will, of course, depend on the particular facts. In particular, a balance has to be struck between the legitimate interests of the data controller and those of the relevant data subjects. However, it will generally help to take the following further precautions:

  - Information should only be disclosed under the terms of suitable confidentiality agreements;
  - Information should only be used for permitted purposes;
  - Logical and physical access and security restrictions should be put in place to protect the information;
  - Consideration should be given to whether the information should be returned or destroyed in due course.

• The alternative solution is for the data controller to anonymise the personal data so as to take the whole issue outside the scope of the Data Protection Act. Although this, in principle, avoids the obligation to comply with the “gateway conditions”, true anonymisation is, as explained above, difficult to achieve in practice. Data controllers often, therefore, adopt a two-tier approach under which suitable confidentiality agreements are put in place and personal information is anonymised insofar as possible to reduce and/or exclude the risks.

E. Sensitive personal data

The Data Protection Act imposes stricter obligations in relation to sensitive personal data such as health or sickness records. In practice, the Data Protection Act usually only permits the disclosure of sensitive personal data:

• With the explicit consent of the relevant data subject; or
• Where the disclosure is necessary for the purposes of establishing, exercising or defending legal rights (for example, where the seller is legally obliged to disclose the information).

There are other conditions but they are unlikely to apply here.

There may be limited circumstances in which there is a legal obligation on, for example, the seller of a business to disclose personal information to a buyer. However, this is unlikely to apply in the context of, for example, a due diligence exercise. Again, it will be highly unattractive to obtain the explicit consent of individual data subjects to the disclosure of their sensitive personal data. One possible alternative solution is to anonymise the sensitive personal data or, indeed, to consider whether disclosure is strictly required. For example, does a prospective buyer of the business really need to have full access to all health/sickness records for the purposes of its due diligence? If not, then they should not form part of this exercise.

F. Leveraging the customer database

Once the due diligence is over and the deal proceeds to completion, the buyer will want to integrate the seller’s CRM database with its own. After all, customer databases are often a key driver for merger and acquisition activity. In order to do this (and, indeed, in order to establish the value of a CRM database as part of due diligence) buyers need to undertake a careful data protection audit of any legacy mailing lists and CRM databases. Guidance published by the Information Commissioner (and tucked away in some website FAQs dated 26th June 2001) establishes the following points:

• So long as individuals were not led to believe that their data would never be disclosed, the new owner in effect takes over the existing business and can continue to use the personal data in substantially the same way as previously;
• Individuals should be told of the change of ownership and have an opportunity to object to the new owner holding their details;
• Information should not be disclosed to, for example, a buyer, where the relevant individuals had previously been assured that their personal information would not be disclosed;
• If the buyer of a business wants to use personal information for markedly different purposes than for the purposes for which it was originally collected, this will require refresher consents from the relevant individuals.

It is therefore of crucial importance that the buyer of a business undertakes an audit, as part of its due diligence, of, for example, customer information held by the seller, the way in which this information was collected and the scope of existing consents. If existing consents do not cover intended direct marketing activities and/or data sharing, this may impact the value of the database and therefore the overall price.

The above rules are of particular significance in the context of business sales/purchases. In the case of share sales/purchases, it may be that the same data controller will continue to use the same database going forward and so, in principle, there is no disclosure of personal data from one entity to another. However, in practice, many share deals envisage the transfer of assets (including the customer database) from the target company to another group company and/or leveraging the customer database across the buyer’s group, which therefore involves a disclosure of personal data to other buyer group companies.

G. Data protection breach – is it worth the risk?

In a word, “No”. A breach of any provision of the Data Protection Act will expose a data controller to enforcement action by the Information Commissioner. The Commissioner may issue an Enforcement Notice (requiring the data controller to do or not do certain things so as to ensure compliance with the Data Protection Act). Breach of an Enforcement Notice is a criminal offence for which the data controller is liable. This may also expose directors, managers and other officers of the data controller to personal liability. If individuals suffer damage (or damage and distress), they may claim compensation from the data controller. In addition, data controllers should be aware of the reputational risk of being prosecuted under the Data Protection Act or of adverse publicity in the press.

Different enforcement regimes will also apply in different member states of the European Union. Other Commissioners may take a more proactive approach to enforcement than in the UK – for example, the Spanish authorities are funded by the fines they impose for data protection breaches: an obvious incentive to prosecute!

H. Notification

All processing of personal data in the UK must be notified to the Information Commissioner. This involves completing a form so as to describe, in broad terms, the processing of personal data undertaken by the relevant data controller. Any processing of personal data without or outside the parameters of a notification entry is a strict liability criminal offence which, again, exposes directors, managers and other officers to personal liability. Notification entries should be checked and, if necessary, updated prior to the disclosure of information as part of a due diligence exercise or on completion of the sale of a business. In the case of share sales, it may not be necessary to update the notification entry if the identity of the data controller has not changed. Nevertheless, the notification entry should be checked to ensure it remains accurate.

I. Conclusion

The Data Protection Act imposes rigid requirements on the way in which personal information can be used and disclosed. These rules do not always lend themselves to the practical reality of a due diligence exercise or the sale of a business. In practice, therefore, data controllers are advised to undertake a data audit in order to identify the risks sooner rather than later. These risks can, to some extent, be managed by anonymising the data and putting suitable confidentiality agreements in place. Buyers of businesses also need clarity on the ways in which they can use CRM databases after completion which, in turn, may impact the overall price. A balance therefore has to be struck between the strict requirements of the Data Protection Act and the drivers for corporate and commercial transactions.

Nick Graham, Report Correspondent, Senior Solicitor, Information and Privacy Group, Denton Wilde Sapte, London
Email: [email protected]

FOOTNOTES

[1] Sensitive personal data means personal data consisting of information as to the racial or ethnic origin of the data subject, his political opinions, his religious beliefs or beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sexual life, the commission or alleged commission by him of any offence or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
