When seeking investment for your business there are many considerations for a business owner, but from May 2018 you can add GDPR to that list.
Whilst all business owners will without doubt have heard the horror stories of GDPR and its potential for unprecedented fines, what is not really being discussed is the longer-term impact of GDPR on business owners and their plans to raise finance.
As part of any investment documentation, you can expect a series of warranties (promises) that you must make to the investors about the state of your business. These warranties are designed to enable the investor to bring a claim more easily in key risk areas and to avoid taking on liability for retrospective mistakes.
These warranties are usually made by the founders personally, so they should be taken very seriously. From May 2018 we expect to see investors seeking warranties and indemnities on a company’s GDPR compliance.
We also expect to see specific and enhanced due diligence being conducted by investors in respect of GDPR compliance. This is likely to involve an extensive review of all third parties who process any of your data, an audit of all your policies and documented consents, a forensic examination of your internal systems/security and a review of any breaches (however minor) and how you have dealt with them. So even if you have ill-advisedly ignored GDPR, any potential investor will not.
Why is this?
In short, because there is a much greater level of risk to the investors regarding the fines for which they could become liable.
GDPR enables data subjects to bring a civil claim against a company, and regulatory action can be taken against the company if you breach GDPR. GDPR has therefore created another potential avenue of litigation, to which almost all companies are vulnerable. A claim or even regulatory action may not surface for some time after an investment. This is not an ideal scenario for those looking to invest in a company.
With a very real and shifting legal landscape in respect of data protection generally and a heightened awareness in data subjects of their rights, expect to see an increase in action being taken against companies in respect of their handling of data. This is not a legacy an investor is going to happily want to accept.
GDPR is an especially serious concern for any large company looking to purchase a company, since any potential fine would be calculated on their worldwide group turnover. You can see why they may be nervous.
What can I do about this?
Whilst you may not be able to prevent a request for GDPR indemnities and warranties, what you can do is put in place effective GDPR processes and procedures now to identify, address and minimise any deficiencies before a potential investor is on the horizon. The more transparent, process-driven and forward-thinking you appear, the less concerned the investor will be.
You may want to consider whether it would be beneficial to hire a specialist Data Protection Officer to oversee your compliance, as companies are offering outsourced services at affordable rates.
You should ensure that, as a minimum, you map out your GDPR data – so you know what data you are collecting, that you have a lawful purpose for holding that data, that you can comply with any requests for this data to be deleted, that you can comply with the right to data portability, and that you and any third party can deal with and report any breaches within the required timeframes.
This should all be contained in internal processes, online privacy statements, staff policies and contracts, confirmed in third-party contracts, and evidenced and mapped out clearly. This is your first line of defence against an ICO inspection or a reported breach, and it is a selling feature for your investors.