Introduction
Data is increasingly being treated as a core business asset in M&A transactions. In this context, management of data is about deriving and preserving its value, and limiting reputational, regulatory and contractual risk.
In a business sale or reorganisation, data separation is a critical aspect of data diligence and activities to effectively separate and transition the target business. From the outset of a business sale or reorganisation, sellers should consider the data they hold relating to the in-scope business, how much of the data is commingled and how data is stored and accessed as a framework to the data separation and transition approach for the transaction. This is important to understand how access to data will be managed, what steps can be taken to separate data and what further access may be needed after completion to provide ongoing access rights to data.
The management of data has potentially much more far-reaching implications than compliance with privacy laws.
Here, we lay out a three-step framework and key questions to consider at the outset of any potential data-separation exercise.
Benefits of early diligence and data separation
Identifying which data requires separation can reduce transaction risk in that the buyer can confirm exactly what data they are buying as part of the business and identify any issues in its IT infrastructure that might impact the transaction.
Some of the benefits of early diligence and data separation for the seller and for the buyer include:
- identification of datasets which can be easily transferred and datasets which are excluded from scope;
- reduction in the scope of negotiations between the seller and the buyer, due to the increased ability for the buyer to assess completeness of the datasets and value the datasets appropriately prior to completion of the transaction;
- reduction in the time between sale and completion;
- reduction in the length of time and scope for which transitional services are required by allowing resources in the business to be dedicated to other separation or transitional activities;
- reduction in the risk of exposure to data breaches due to less data being stored on the seller’s system and accessed through long-term data sharing arrangements post completion of the transaction; and
- providing a head start on obtaining regulatory approvals for the transaction.
Steps to take towards data separation
There are a number of practical steps that businesses can take early in a transaction to determine the way forward for separating data in a business sale or reorganisation. These include:
Step 1: Identify what the data is and where it is stored
The business selling or reorganising a part of its business should, as part of its scoping, work out where the data is stored or hosted (including the systems on which it is stored or hosted) and whether the data is logically separated (or separable) from other datasets which are not part of the transaction.
Ultimately, when completion of the transaction occurs and the seller must provide the relevant data to the buyer and/or target company, the seller needs to know where and how the data is stored or hosted so that it can consider the most appropriate data sharing arrangements that need to be put in place and what data can be provided as at completion of the transaction.
Step 2: Assess the risks to the data
The seller should assess the likely consequences and risks if the datasets in scope for the data separation are improperly disclosed or accessed or if the data is lost due to a systems failure before completion of the transaction. As part of the risk assessment process, businesses should consider the repercussions of improper access, loss or disclosure of the datasets, such as regulatory fines, reputational damage and reduced value of the target entity.
- What data needs to be separated?
- Which of the separation and transfer approaches are practical and achievable?
- How will the data actually be shared between the seller and the target entity?
- Will a long-term data sharing arrangement be required after completion of the transaction if physical separation or migration is not undertaken prior to completion?
- Who can the target entity share the information with?
- Where can the target entity allow the information to be accessed from?
- Which datasets are subject to constraints imposed by third parties?
Step 3: Determine the feasibility of separation through early diligence
It is important for businesses to determine the extent of data separation and what is achievable in the timeframes, cost framework and particular demands of the transaction. Separation exists on a continuum and businesses will need to determine what level of data separation is appropriate and achievable. The levels of data separation can include:
- purely contractual limitations, where the data sets remain commingled, but there are contractual restrictions on the data that may be accessed by each party and the conditions that apply to access (e.g. rights to redact, management of privileged information);
- technological restrictions, where access to data sets (or parts of the data sets) is limited through access controls;
- logical separation, where the dataset is subdivided into different cloud instances or different copies wherein user access controls ensure the parties can only access their own copy; and
- full physical separation, where the data set is subdivided and stored on different servers so that neither party can access the other’s data.
For some businesses, full physical separation may not be possible by the time of completion of the transaction and data access will need to be carefully managed to navigate privacy and confidentiality issues. Conducting early data diligence will help identify key risks associated with data management and the appropriate migration steps.
What next?
In an environment where vast amounts of data are stored across intertwining systems and businesses, it is not possible to be completely risk-free with data separation. However, businesses will be able to better manage these risks by conducting due diligence on data separation from the outset of the transaction.