Operationalizing Data Protection & Privacy: Lesson 8 - Contracting for Privacy & Privacy in M&A
Brandon Flowers w/The Killers - Vegoose - Las Vegas, Nevada - October 28, 2006 - Photo by Aaron Mendelsohn



Disclaimer: The views and lesson here are mine alone and do not represent my employer, the LEGO Group, or previous coursework taught at Cleveland State University School of Law.


This week I look at the role of privacy in contracts and mergers and acquisitions.

For many of us operational privacy pros, the transactional side of DP&P is admittedly not the most fun and exciting part of our profession. Depending on the topic of the contract and the issues at stake, translating the business terms into an agreeable contract (including DP&P terms) can be a tiresome and tedious task.

Contracts can become mundane and repetitive, but when entering into an agreement with another party where personal data is involved, we are obligated to ensure we reach a meeting of the minds. This can include the execution of data processing agreements, privacy terms within master agreements, security addenda, and NDAs.

And when two companies combine (whether through a merger or an acquisition), DP&P can be one of the more contentious parts of the negotiation. There is no business that doesn't hold some amount of personal data, and the new entity will want to ensure that it can continue to process all of it consistent with its business goals.

Thankfully, there are hundreds if not thousands of excellent privacy attorneys working on these issues daily to ensure that the exchange of personal data between all of our businesses is done in a secure and compliant manner.

So, let’s look at some considerations with regards to contracts and M&A.

  1. Whether you're an in-house privacy professional or supporting a client as outside counsel, the first thing you should do when beginning a business relationship that will include contract work is to understand your client's general business and its goals in entering into a transaction with another party. This includes getting a reasonable overview of the business activities, but it is equally important to develop a keen understanding of the company's risk appetite with regards to contracting.
  2. Contracts will often shift risk from one party to another, and while no contract will ever give both parties everything they want, our job in representing our client is to get as close as possible. But that can come at a steep price, and we must identify what our party is willing to fight for and what it can live without.
  3. This is particularly true with DP&P. The European Union's Standard Contractual Clauses have made some routine processing and transfer arrangements much simpler to paper, but when personal data is a core issue in the contract, we need to recognize that there will be some inherent risk in the agreement, and understanding the client's risk appetite will help us finalize the deal.
  4. We also need to appreciate that while the company may have a general approach to contracts, very few contracts are identical, and each one will require its own evaluation of the subject matter, financial terms, risk appetite, and, most important to us, the personal data at issue.
  5. When subsequently presented by the business or client with a contract, the initial step is to understand its specific subject matter and the company's role in it. This calibration is vitally important and will inform how you approach the negotiation.
  6. This includes identifying the company's role as it relates to the processing of personal data. While not all contracts will let the parties fit neatly into the GDPR's role definitions, a good place to start is to identify whether you are the data controller or the data processor (or perhaps a joint controller or an independent controller). Another way to look at this is to ask whether you will be sharing personal data or receiving it. Following the flow of personal data between the parties will help determine how to proceed with the contract.
  7. Some contractual arrangements follow an easy formula. Take for example the procurement of an enterprise SaaS solution like a new HRMS. As the company licensing the HRMS, you are the data controller and the HRMS service provider is a data processor, and employee personal data is shared with the HRMS service provider only so that it can provide the platform, and only for the duration of the contract.
  8. Other relationships are not as easy to define, such as when a company engages a third-party marketing service provider to perform data collection or lead generation on its behalf. There are several ways this relationship can be structured, particularly when it comes to the collection and sharing of personal data; depending on who decides the purposes and means of the collection, the provider may be a processor or a controller in its own right. Both parties will need to ensure the arrangement is appropriate, secure, and compliant.
  9. No matter the relationship between the parties, when personal data is part of the deal, you will need to identify and document key DP&P information, including the data subjects, the anticipated volume of personal data, the specific data types, the processing purposes, any sub-processors, the data processing locations (including international data transfers), the obligations of each party, how the personal data must be secured, and the deletion or return procedures at the end of the engagement.
  10. Once you understand the facts and elements regarding the processing of personal data relevant to the contract, you need to determine how to memorialize it. This will most likely be in a data processing agreement appended to the master agreement, but there may be reason to incorporate DP&P terms in the master agreement itself, or to take another approach such as including the DP&P terms in a statement of work.
  11. If your organization is largely viewed as a data processor, you may want to develop a standard data processing agreement that sets out the DP&P approach for your organization. Having a standard agreement can help expedite the acquisition of new customers, but you will inevitably still be presented with contracts from counterparties who insist that you work on their paper.
  12. This of course can lead to a battle of the forms, which is almost never productive. A better way to decide which form to use is to understand the risk and the business relationship and identify how critical it is to work on your own form. There may be benefits in conceding to the other party's contract, including speed and the ability to negotiate other key terms, but you should never accept a form that shows insufficient knowledge of the subject matter or unreasonably shifts risk.
  13. Some of this can be solved by relying on the SCCs, but they will not be applicable in every scenario, and some organizations will insist on their own form, particularly if the EU is completely out of scope. Even then, you can still use the framework and language of the SCCs to help you find a reasonable approach with the other party.
  14. It seems the biggest DP&P issues in contracts always relate to security requirements, audit rights, use of sub-processors, indemnities, and limitations of liability. Be prepared to identify what you need from each of these areas and be ready to stand your ground as needed.
  15. During a major transaction resulting in a merger or acquisition, you will need to identify how personal data will be a part of the deal. If the personal data is largely employee or B2B data, you may not need to invest as much time and resources in DP&P as you would when there are millions of consumer records.
  16. The due diligence period will be critical in determining how personal data affects the scope and risk of the deal, and you should work with the business sponsors to develop a plan that allows someone with DP&P expertise to evaluate this. This should include the opportunity for your organization to get answers to all the important DP&P questions, and potentially to go on site at the target to perform a full privacy review. While DP&P is unlikely to derail a major deal, it could affect the terms and the financials.
  17. Most privacy policies or terms of service for major digital products and services provide for the transfer of personal data in the event of a merger or acquisition. But if the selling organization has not managed its DP&P program well, this may create risk for the acquirer (or the newly merged organization), and that should be accounted for in the final deal terms (and perhaps even the price paid).
  18. Once the two companies are merged, it is important to be proactive and transparent with all of the impacted data subjects as to how their personal data will be processed by the new entity. You should also provide a mechanism for data subjects to contact someone with questions or concerns.
  19. Lastly, if contracts are a big part of your organization's day-to-day activities, you may want to look for ways to operationalize DP&P contract support. This could be by developing a standard intake and review process using an intranet portal or form, or by hooking into another key internal process such as procurement. You can scope each individual contract for risk, allowing low-risk contracts to proceed with little legal involvement (or perhaps supported by a self-service playbook), and then have a path to escalate high-risk engagements to the appropriate legal team member.

That's it for this week.

Next week we shift gears a bit and start a series of several weeks where we talk about specific data subjects and industries. First up is children's privacy.

And thanks for continuing to follow this course.? I appreciate the support!
