7 essential steps for M&A due diligence in conformity with the GDPR

The GDPR requires you to be aware of the risks and to take adequate safety measures when sharing personal data. As a European data room provider, Virtual Vaults will gladly support you in this process.

25 May 2018 marked the dawn of the era of the General Data Protection Regulation (GDPR). It is an era in which the European Union monitors the proper gathering, sharing, processing, and removal of data more stringently. Different parties share significant amounts of data in an M&A due diligence procedure, and it is almost never clear in advance what data will be involved. Handle data cautiously to avoid large penalties. Follow the 7 steps to carry out your M&A due diligence in a GDPR-proof fashion.

GDPR: more stringent monitoring, larger penalties

The GDPR is a tightening of privacy law in Europe. In the Netherlands, the GDPR has replaced the Personal Data Protection Act. One of the measures tightening the privacy law is an increase in the fines the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has the authority to impose in the event of a violation. The maximum penalty for non-compliance with the GDPR rules increases from 820,000 euros to 20 million euros or 4% of worldwide turnover.

GDPR in M&A due diligence procedures

The GDPR requires you to be aware of the risks and to take adequate safety measures when sharing personal data. You must start doing this as early as possible in your M&A due diligence procedure and conclude it carefully once done.

As a European data room provider, Virtual Vaults will gladly support you in this process. After all, a Virtual Data Room constitutes an important link in personal and other data sharing in an M&A due diligence procedure.

Learn how to launch your M&A procedure step-by-step in a GDPR compliant manner.

The 7 steps for a GDPR-proof M&A procedure

Step 1: Select a GDPR compliant virtual data room provider

Step 2: Analyse your data

Step 3: Perform a data protection impact assessment (DPIA)

Step 4: Before the deal, gather everything centrally and securely

Step 5: Configure roles and permissions for controlled data sharing

Step 6: Watch out for data leaks

Step 7: Ensure a seamless closing

Step 1: Select a GDPR compliant virtual data room provider

How can you select a virtual data room provider that works in accordance with the GDPR rules? Pay attention to the following criteria.

Processor Agreement
Your provider must include a Processor Agreement (formerly referred to as a data processing agreement) in its general terms and conditions by default. You must make written agreements on personal data processing with every supplier that processes personal data on your behalf.

Virtual Vaults uses the standard processor agreement of the Nederland ICT trade association. Virtual Vaults is also one of the first companies in the Netherlands to obtain the Data Pro certificate. This certification is based on the Data Pro Code developed by Nederland ICT. This code of conduct constitutes a practical translation of the GDPR for processors on the basis of concrete rules of conduct. In order to obtain and maintain this certification, Virtual Vaults subjects itself to external supervision.

The Data Pro certificate is officially accredited by the Dutch Data Protection Authority.

Data storage in the European Union
Where does your data room provider store the data? Unfortunately, many countries outside the European Union do not offer the stringent protection enjoyed in the European Union. Therefore, all data in Virtual Vaults’ data rooms are stored on servers in Europe.

Privacy by design & privacy by default
Software and services used by your organisation must take important privacy measures into account by default. Encryption of all data, two-factor authentication, and checks on the separation and deletion of information are minimum requirements, and all of them are fully provided for at Virtual Vaults. By selecting Virtual Vaults, you are selecting a data room provider that has had privacy by design and privacy by default in its DNA since its establishment.

The regulator calls for structure, insight, and process-based operation in the processing of personal data. A data room provider demonstrates that it meets this call by following the processes required for ISO 27001:2013 certification. Virtual Vaults is certified for this standard. It is recommended to work only with suppliers that can present this certification or a similar one.

Do you want to find out more about security? Review the measures of Virtual Vaults.

Step 2: Analyse your data

Verify whether personal data are being placed in your data room: for example, Chamber of Commerce extracts, copies of identification documents, or email addresses.

Apply the following principles:

  • Avoid risks: do not place personal data in the data room that are not relevant to the deal.
  • Anonymise personal data as far as possible before placing it in the data room.

Have you concluded that no personal data will be placed in the data room? Even then, it is still recommended to opt for a provider such as Virtual Vaults, the safest, most secure and most privacy-by-default virtual data room. That way you are assured that your deal-sensitive information is properly safeguarded, and should personal data reach the data room at a later stage after all, you are already working with a GDPR compliant provider.

Step 3: Perform a data protection impact assessment (DPIA)

As the party responsible for data protection, you must perform a data protection impact assessment (DPIA) (Dutch) when your data processing is likely to carry a high privacy risk. You must determine this yourself. The working group of European privacy regulators (WP 29) has drawn up nine criteria (Dutch). As a rule of thumb, a DPIA is required when the processing meets two or more of these criteria.

In order to get you started, Virtual Vaults has performed a DPIA of its own organisation. When you team up with Virtual Vaults, you can use our measures and clarified risks in preparing your own DPIA for your organisation or project. Suppliers constitute an important component in that regard.

Step 4: Before the deal, gather everything centrally and securely

A lot of information is exchanged before a deal. We often notice that a data room has not yet been set up at that point. That is risky. After all, the consequences of a data leak are just as severe at that stage as during the deal. We find a suitable solution for a safe data exchange at each stage of your M&A due diligence project.

Step 5: Configure roles and permissions for controlled data sharing

Grant people access only to the documents they actually need.

Another important component is that you keep a record of who has had access to the personal data processed by your organisation. A comprehensive audit trail (log) of the Virtual Vaults platform keeps a precise record of this, down to the document level.
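The two requirements of this step, least-privilege access per document and a record of who accessed which document, can be seen together in a small model. The following is an added example, not Virtual Vaults' own permission system: the role names, document paths and user addresses are constructed, each document carries a list of roles allowed to read it, anything without an entry is denied by default, and every access attempt, granted or refused, is written to an audit log at document level.

```python
"""Added example: document-level permissions with an audit trail.

Constructed model (not the Virtual Vaults platform): users have one role,
each document lists the roles that may read it, and every access attempt
is logged so you can later answer "who has had access to this document?".
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass
class AuditEvent:
    when: str        # ISO 8601 timestamp (UTC)
    user: str
    document: str
    granted: bool


class DataRoom:
    def __init__(self) -> None:
        self.roles: Dict[str, str] = {}        # user -> role
        self.acl: Dict[str, Set[str]] = {}     # document -> roles allowed to read
        self.log: List[AuditEvent] = []        # every attempt, granted or not

    def add_user(self, user: str, role: str) -> None:
        self.roles[user] = role

    def add_document(self, path: str, allowed_roles: Set[str]) -> None:
        self.acl[path] = set(allowed_roles)

    def read(self, user: str, path: str) -> bool:
        """Default deny: unknown user, unknown document or role not on the ACL -> refused."""
        role = self.roles.get(user)
        granted = role is not None and role in self.acl.get(path, set())
        self.log.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user, path, granted))
        return granted

    def who_accessed(self, path: str) -> List[str]:
        """Users who actually obtained the document (the GDPR 'who had access' record)."""
        return sorted({e.user for e in self.log if e.document == path and e.granted})

    def denied_attempts(self) -> List[Tuple[str, str]]:
        """Refused attempts, useful as a signal for Step 6 (watching for data leaks)."""
        return [(e.user, e.document) for e in self.log if not e.granted]


def demo() -> Tuple[DataRoom, Dict[str, bool]]:
    """Constructed scenario: two buyer-side roles, one document with personal data."""
    room = DataRoom()
    room.add_user("alice@buyer.example", "buyer-legal")
    room.add_user("bob@buyer.example", "buyer-finance")
    # The employee list contains personal data: only the legal team needs it.
    room.add_document("hr/employee-list.xlsx", {"buyer-legal"})
    room.add_document("finance/annual-accounts.pdf", {"buyer-legal", "buyer-finance"})
    results = {
        "alice_hr": room.read("alice@buyer.example", "hr/employee-list.xlsx"),
        "bob_hr": room.read("bob@buyer.example", "hr/employee-list.xlsx"),
        "bob_fin": room.read("bob@buyer.example", "finance/annual-accounts.pdf"),
        "unknown": room.read("mallory@other.example", "finance/annual-accounts.pdf"),
    }
    return room, results


if __name__ == "__main__":
    room, results = demo()
    print(results)
    print("accessed employee list:", room.who_accessed("hr/employee-list.xlsx"))
    print("denied attempts:", room.denied_attempts())
```

The design choice worth noting is that the log records refusals as well as grants: the grant side answers the GDPR question of who has had access to personal data, while the refusal side is the raw material for the monitoring described under Step 6.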

Step 6: Watch out for data leaks

The statutory data leaks notification requirement (Dutch) remains largely identical. However, the GDPR imposes more stringent requirements on this. Virtual Vaults supports you in meeting these requirements.

Virtual Vaults proactively monitors all activities on the platform. Smart algorithms and dashboards provide our security department with the information needed to detect potentially fraudulent actions on the platform in time.

Incident Management Procedure
We are continuously focused on preventing incidents. Should a data leak nevertheless occur, our Incident Management Procedure takes effect. This procedure is aligned with the requirements of the GDPR. You will be notified within 36 hours of the discovery of an incident, which gives you ample time to determine for yourself whether there is an actual data leak that you must report.

Our Incident Management Procedure is available for inspection on request.


Step 7: Ensure a seamless closing

Seal the deal, both literally and figuratively. On request, we can supply a snapshot of the data room on a secure USB drive. The drive is secured with strong AES 256-bit encryption, together with a unique hash value and a tailor-made comfort letter. The combination of these three safeguards ensures that you can prove what was present in the data room, and which actions were performed on the documents, at that moment.
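The hash value that accompanies the snapshot is what makes the closing evidence verifiable later: anyone holding the manifest can re-hash the files and show that nothing was added, removed or altered. The following is an added example, not Virtual Vaults' own snapshot format: it builds a manifest of SHA-256 digests for a constructed directory tree, derives one root hash over the canonical manifest (the kind of value a comfort letter would quote), and then verifies the tree against the manifest after one document has been tampered with. Encrypting the drive itself is outside the example.

```python
"""Added example: a tamper-evident manifest for a data-room snapshot.

The manifest format (relative path -> SHA-256) and the root hash over it are
constructed for this example; the snapshot is an ordinary directory tree.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large documents need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative, POSIX-style path) to its digest."""
    entries: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = sha256_file(full)
    return entries


def manifest_root_hash(manifest: Dict[str, str]) -> str:
    """One value to record in the comfort letter: the hash of the canonical manifest.

    Sorted keys and fixed separators make the encoding deterministic, so the same
    set of files always yields the same root hash regardless of walk order.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_snapshot(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree and report every difference from the sealed manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed snapshot: two documents are sealed, then one is altered."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "contracts"))
        with open(os.path.join(root, "contracts", "spa.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 share purchase agreement (constructed content)")
        with open(os.path.join(root, "index.txt"), "w") as f:
            f.write("document index (constructed content)\n")

        manifest = build_manifest(root)
        root_hash = manifest_root_hash(manifest)   # value to quote at closing
        clean = verify_snapshot(root, manifest)     # no differences expected

        # Someone changes a document after the snapshot was sealed.
        with open(os.path.join(root, "contracts", "spa.pdf"), "ab") as f:
            f.write(b" altered after closing")
        tampered = verify_snapshot(root, manifest)

        return {
            "files": sorted(manifest),
            "root_hash": root_hash,
            "clean": clean,
            "tampered": tampered,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the root hash is computed over the sorted manifest rather than over the raw files, it can be quoted as a single short value while still committing to every document and its exact contents; a verifier recomputes the manifest from the drive and compares both the per-file digests and the root hash.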

Would you like to know more about our solution for M&A? Take a look at the Virtual Vaults data room for M&A Due Diligence.

Would you like to talk about GDPR and data rooms?
