With the one-year grace period for compliance with the Protection of Personal Information Act (POPI) ending on 30 June 2021, it’s difficult to think about anything outside of your own organisation’s compliance (well at least for us compliance fanatics that is). However, if you’re considering an M&A deal currently or in the future, POPI should definitely be at top of the list in terms of due diligence and integration.
Before considering the data protection compliance of the target company, you’ll need to consider what information you require from the target for due diligence purposes. No doubt you will be requiring data containing personal information of their staff, potentially their suppliers and their customers. This particularly rings true in South Africa, where POPI applies to personal information of juristic persons (e.g. companies) as well. One can then only hope that the target has included in their privacy notices to relevant data subjects that their information may be shared in the future for merger or corporate restructuring purposes. Updating the privacy notices could alert persons to the proposed transaction and so its key to ensure that your target’s ducks are in a row. It’s also important for post-merger integration purposes to make sure that the target’s privacy notices make provision for sharing information amongst group entities.
Apart from the usual due diligence aspects on a target, running a POPI compliance due diligence will become part and parcel of any acquisition going forward. POPI due diligence investigations should cover, amongst other things, whether the targets’ privacy notices are compliant and cover all personal information of all of their data subjects, whether the target has the correct consent mechanisms in place in instances where consent of the data subject is required (e.g. direct marketing via electronic means), whether the target has in place the required contractual measures with operators processing personal information on their behalf, what policies and procedures they have in place regarding document retention and destruction, IT security as well as data breaches.
Further considerations include the technical measures in place to ensure protection of personal information, particularly around security of your target’s systems and whether any breaches have previously occurred. Just ask Marriot Hotels, who last year were fined an impressive GBP18.4million by the UK Information Commissioner Office for failing to keep customer data secure. The breach occurred by way of a cyber-attack of Starwood Hotel and Resorts Worldwide in 2014, which was prior to Marriot Hotels acquiring Starwood, but remained undetected until 2018, hence Marriot being fined. Marriot is also now facing a class action lawsuit by individuals affected.
It is clear that when considering an M&A deal, engaging a data protection specialist at the outset – and even prior to the due diligence phase – is paramount. At Caveat we offer a number of bespoke data protection services to businesses, including those entering into mergers or acquisitions, available to view here.
Louella has a BA LLB (University of Cape Town) as well as a Certificate in Competition Law (University of the Witwatersrand). She was admitted as an attorney in 2010 after completing her articles at Werksmans Attorneys. In 2012, Louella relocated to the United Kingdom where she worked for two multi-nationals as in-house legal counsel – LSE listed hotel group PPHE Hotel Group (Park Plaza and art’otel) and FTSE 100 travel group TUI Travel. Louella joined Caveat Legal in 2017 focusing on data protection work.
For interviews or further information, contact Yvonne Wakefield at Caveat Legal email@example.com and +27 83 275 2971
Caveat Legal is a legal consultancy with a team of specialised and experienced lawyers in a number of commercial fields of law: www.caveatlegal.com
Caveat Legal is an innovative legal service provider that makes Big Firm-quality legal work available to businesses without the bells and whistles (and costs) usually associated with it.
We achieve this by making our panel of 55 Top Tier lawyers available to consult to businesses – either remotely or in house – on a brief, retainer or secondment basis. Caveat was founded in 2011 and has established itself as a market leader, covering all of the commercial fields of law and servicing an impressive range of medium-sized and large businesses.
Find out more about how we can help your business navigate and understand matters pertaining to Commercial Law. We’ll make an experienced Panel Member available as your dedicated lawyer on call to discuss your requirements as we aim to find the right solution for your business.