With the effective date of the General Data Protection Regulation (GDPR) now exactly one year away, the potential impact of this regulatory change is an issue that we expect to be front-of-mind for any potential acquirer of a business that generates or uses significant amounts of marketing data.
Our experiences across a range of transactions, including the recent sale of 118 Information, have highlighted potential pressure points that arise in M&A from impending GDPR implementation and demonstrated strategies to deal with them.
Whilst every business and situation are different, there are three recurring themes that we think anyone contemplating buying or selling a business between now and GDPR implementation should consider:
Process changes should be operational rather than theoretical
Compliance with GDPR will require changes to data collection mechanisms, documentation, and data sources for a range of businesses. If these changes have been developed conceptually (often with specialist legal advice) but not yet implemented at the point of a transaction an intelligent buyer may seek a 'margin of safety' to reflect the uncertainty of their effect.This could impact deal value. The best protection for a seller in an M&A transaction is to demonstrate that all steps needed to achieve compliance have been put in place and do not negatively impact the business.
For some businesses GDPR will be a big opportunity
Whilst the media narrative around GDPR has been dominated by regulatory risk, and the need to achieve and demonstrate compliance, potential upsides may arise from GDPR for certain business models which can be important drivers of value in M&A.
GDPR compliance of data-driven growth strategies should be validated
Monetising data in new ways, particularly for marketing purposes, is a rich vein of growth for businesses in both B2B and B2C markets. If growth strategies of this kind are presented as part of an M&A process they will attract particular scrutiny, and specialist legal advice to validate their achievability post-GDPR is therefore advisable.