Mastering GDPR Compliance: A Step-by-Step Guide to Transferring Employee Data in M&A

Mergers and acquisitions (M&A) are transformative moments for businesses, but they come with a critical responsibility: ensuring compliance with data protection laws, especially when transferring employees’ personal data. In the UK, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) set the standard, and mishandling employee data during an M&A can lead to hefty fines—up to £17.5 million or 4% of annual global turnover—plus reputational damage. The UK Information Commissioner’s Office (ICO) provides invaluable guidance, including detailed checklists under its “Employment Practices and Data Protection” resources (see ICO checklists here). In this article, I’ll walk you through a step-by-step guide to maintain GDPR compliance during M&A, drawing directly from the ICO’s recommendations.

Step 1: Conduct Due Diligence with Data in Mind

The ICO’s checklist for “Mergers and Acquisitions” emphasises early planning: “We consider information sharing as part of our due diligence” and “We establish what personal information we’re collecting and sharing with the buyer or new employer during the merger or acquisition”. Start by mapping all employee data involved—think payroll records, performance reviews, health information, and contact details. Identify what’s necessary to share for the M&A to proceed. Under GDPR Article 5(1)(c), data minimisation is key: only transfer what’s adequate, relevant, and limited to the purpose. Over-sharing risks breaches and unnecessary liability.

Action: Create a data inventory listing categories of employee data (e.g., names, addresses, disciplinary records) and assess its relevance to the transaction.

Step 2: Establish a Lawful Basis for Processing

Before transferring data, you need a legal grounding. The ICO checklist advises: “We identify an appropriate lawful basis (or bases) before we process workers’ personal information”. GDPR Article 6 offers six bases, but for M&A, common ones include:

  • Legitimate Interests (Article 6(1)(f)): Sharing data to facilitate the sale or merger, provided it’s balanced against employees’ rights. Remember to carry out and record a Legitimate Interests Assessment (LIA)!
  • Legal Obligation (Article 6(1)(c)): Complying with TUPE regulations, which mandate transferring certain employee data to the new employer.

For special category data (e.g., health records), GDPR Article 9 requires an additional condition, such as employment law obligations (DPA 2018, Schedule 1, Part 1). Document your basis clearly—ICO stresses accountability.

Action: Draft a justification statement (e.g., “Data shared under legitimate interests to ensure business continuity”) and review it with legal counsel.

Step 3: Inform Employees Transparently

Transparency is non-negotiable. The ICO checklist states: “We tell our workers what personal information we’re collecting and why we need it” and “We provide privacy information to our workers when transferring their information to the new employer”. GDPR Article 13 requires you to inform employees about the data transfer, its purpose, and their rights (e.g., access, erasure) before it happens. This could be via an updated privacy notice or a specific M&A communication.

Action: Issue a notice like: “As part of [M&A event], we’ll transfer [data types] to [new employer] to comply with TUPE and ensure a smooth transition. Contact [DPO] for questions or to exercise your rights.”

Step 4: Secure the Data Transfer

Security is paramount during transfer. The ICO checklist mandates: “We ensure personal information is transferred securely during the merger or acquisition”. GDPR Article 32 requires appropriate technical and organisational measures—think encryption, secure file transfers (e.g., SFTP), or password-protected documents. Avoid emailing unencrypted employee files; a breach here could spiral into a reportable incident.

Action: Use a secure data room or encrypted channels and log the transfer process for audit trails.

Step 5: Handle TUPE Requirements Carefully

If the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE) apply, the ICO checklist aligns with legal duties: “We only share the minimum amount of personal information required under TUPE regulations unless we have another lawful basis for sharing more”. TUPE mandates sharing specific employee data (e.g., contracts, disciplinary records) with the new employer, but GDPR insists on proportionality. Resist the urge to dump all data—stick to what’s legally required unless justified.

Action: Cross-check shared data against TUPE’s Employee Liability Information list and redact irrelevant details (e.g., unrelated health records).

Step 6: Decide What to Retain Post-Transfer

Post-M&A, the original employer must decide what to keep. The ICO advises: “We consider what personal information we need to retain after the merger or acquisition” and “We securely dispose of any personal information we no longer need”. GDPR’s storage limitation principle (Article 5(1)(e)) means you can’t hoard data indefinitely. Retain only what’s necessary for legal obligations (e.g., tax records for 6 years) or legitimate interests (e.g., defending claims), then erase the rest.

Action: Set retention periods (e.g., “Payroll data: 6 years post-transfer”) and schedule secure deletion (e.g., shredding or digital wiping).

Step 7: Conduct a Data Protection Impact Assessment (DPIA)

For high-risk processing like M&A data transfers, the ICO checklist recommends: “Where necessary, we have completed a data protection impact assessment”. GDPR Article 35 mandates a DPIA if the transfer involves large-scale or sensitive data. This assesses risks (e.g., unauthorised access) and mitigations (e.g., encryption). It’s not always required, but it’s best practice for complex deals.

Action: Use the ICO’s DPIA template (available here) to document risks and controls.

Step 8: Document Everything

Accountability is a GDPR cornerstone. The ICO checklist insists: “We document our processing activities so we can demonstrate compliance with data protection law”. Record what data was transferred, why, how, and to whom, per Article 30. This protects you if the ICO comes knocking.

Action: Maintain a log (e.g., “Date: 2025-02-22; Data: Employee contracts; Recipient: Buyer Ltd; Basis: TUPE”) in your records of processing activities.

Final Thoughts

Navigating employee data transfers in M&A under GDPR is a balancing act—meeting business needs while safeguarding privacy. The ICO’s checklists are your roadmap, ensuring lawful, fair, and transparent handling. Whether you’re a buyer, seller, or HR lead, embedding these steps into your M&A strategy can turn compliance into a competitive edge.


Ilia Dubovtsev

Data privacy & security expert, CIPP/E, CIPM

1 week

Odia Kagan as promised
