The Global Data Protection Regulation (GDPR) goes into effect on May 25, 2018. This regulation created by the European Union defines the rights of a person concerning the collection, use, and transfer of personal data. To be within the jurisdiction of GDPR, the person needs to be a resident of a EU country.
So if you are sitting here in the good ole US of A, you may be thinking this doesn’t concern you. After all, you work for a US-based company. You are considering selling your company and this seems like a distraction. What could possibly be the impact, especially on my future M&A plans?
Let’s answer the last question first. The fines that could be levied against your company for not complying with GDPR could be as high as EUR 20 million or up to 4% of the total worldwide annual sales volume, whichever is higher. Imagine going into the due diligence part of the M&A process to have your buyer find out your revenues could be 4% lower or they could be on the hook for 20 million euros after the sale closes. That is not a situation you would likely want to be in.
GDPR covers any company that collects personal data on EU residents regardless of where that company is located or where the data is stored. Personal data starts with names and addresses and then extends to photos on social media sites, IP addresses for your computer, and almost anything that can lead someone back to an individual’s identity. The full details of GDPR are beyond the scope of this article, but I hope you are getting the idea that this regulation is wide-ranging and important.
What should you do? If you have not done an assessment of your GDPR exposure and have not begun to implement the steps necessary to comply, start now. If you are in an M&A process or contemplating starting a process in the near future, this can become critical quickly. Your customer acquisition processes, email marketing systems, customer service applications, and many other parts of your business may be impacted. During due diligence, be prepared to show your plans for compliance. If you are on the buy-side of a transaction, add this to your checklist.
GDPR can have a positive impact on how you interact with your customers. It need not and should not be considered another annoying piece of regulation. People are becoming aware of the importance of how their personal information is used. At a minimum, don’t let GDPR hold up the sale of your company. Rather, show your acquirer that you are serious about how you deal with your customers. After all, those customers are one of your most precious assets. Those customers are the reason your company exists.
Want to learn more about how GDPR can impact your M&A activities? Contact SiVal Advisors. We will be happy to share what we know and how we can help you.