Private Equity, Data Privacy and Cyber security

07 December 2021

Private equity firms and portfolio companies need to make sure they take cyber security and compliance with current data privacy regulations seriously. Failing to do so can expose portfolio companies to serious risks including penalties and reputational damage. The COVID-19 pandemic has created unique challenges and new risks in data privacy and cybersecurity, but it cannot be used as an excuse for failure to ensure compliance with regulations or to adopt best practice.

Privacy considerations for Private Equity firms and portfolio companies

If you are a portfolio company, you are almost certainly processing significant amounts of personal data as part of your day-to-day operations. You therefore need to consider your exposure to data privacy and cyber risks, and how you mitigate them, when you engage with investors or undertake marketing activities.

In the last 18 months, you will also have had to ensure compliance with GDPR requirements whilst adapting to remote working at short notice. The move to flexible working arrangements should be a trigger for updating privacy risk assessments, yet many organisations remain exposed to significant risk because they have not been able to implement robust and repeatable processes in this area. It is even more challenging when the expectations of good governance are evolving as a result of a variety of live court cases.

Private equity firms and investors must also give serious consideration to privacy at the acquisition stage of a transaction, ensuring that the right level of due diligence is performed before buying in order to mitigate the risk of unexpected liabilities post-acquisition.

Finally, private equity firms must also ensure that portfolio companies continue to manage data privacy compliance, and the associated level of privacy risk, to an acceptable standard. Private equity firms should monitor this throughout the investment lifecycle if they want to protect their investment.

Privacy, M&A and due diligence

Privacy is, and continues to be, a significant risk in Merger & Acquisition (M&A) transactions, particularly on the buy side. When investing in or acquiring a business, unless you undertake the right level of due diligence, you could be taking on potential data privacy liabilities.

In October 2020, the Information Commissioner’s Office (ICO) fined the Marriott Hotel Group £18.4 million for failing to keep customer data safe. The penalty was in relation to a Starwood Hotels and Resorts data breach that occurred pre-acquisition by the Marriott Hotel Group.

The cyber-attack on Starwood Hotels and Resorts Worldwide Inc. went undetected until September 2018, by which time Starwood had been acquired by the Marriott Hotel Group. Proper buy-side due diligence on data privacy should have identified the risk, and would have helped the Marriott Hotel Group deal with the potential liabilities before completing the transaction.

This example highlights the importance of considering the target business's exposure to personal data, as well as its compliance with privacy requirements in all the countries in which it operates, before completing an M&A deal. In our experience, there is a growing need to be able to respond satisfactorily to cyber and privacy questions as part of vendor due diligence.

Data privacy – horizon scanning for Private Equity

New SCCs

The European Commission has published new standard contractual clauses (SCCs) for the transfer of personal data from the EU to ‘third countries’. They address changes as a result of the implementation of the GDPR and the recent Schrems judgement.

The new SCCs came into force in June 2021, and full compliance will be required for new transfer agreements from late September 2021. All organisations, including private equity firms and portfolio companies, need to be aware that SCCs currently in use must be replaced with the new SCCs by late December 2022. The new SCCs require organisations to have full oversight of international data transfers.

Data Privacy Post-Brexit

There is currently speculation and uncertainty around the proposed legislation that will govern data protection in the UK in the coming years. The UK government has issued a consultation on proposed reforms to the UK data protection regime. The ICO has also confirmed that the new EU SCCs referenced above are not currently to be used by UK-based organisations. The UK plans to issue its own SCCs, which are currently out for comment; for the moment, UK companies are advised to continue using the old EU SCCs, slightly amended to provide a UK context.

Whether the UK’s data protection regime changes drastically remains to be seen. However, if you are either a private equity firm or a portfolio company you will need to take notice of and respond to any changes to ensure you continue to comply.

How we can help

We have extensive data privacy and cyber security expertise. In particular, we have experience in completing post-implementation reviews and audits for clients across a range of sectors and industries. In addition to providing readiness and maturity assessments, we can work with clients through the implementation stage of a data privacy or cyber project supporting where required to ensure that any gaps are remediated.

We are also able to provide services that ensure on-going compliance is maintained. Our outsourced data privacy compliance and cyber security services act as an in-house function for our clients, supporting them in meeting on-going data privacy and cyber security regulatory requirements. We can also work with private equity firms to provide due diligence support on privacy and cyber security for any potential acquisitions.

You can be confident of tackling all your data privacy and cyber issues with our expert advice and technical know-how.

Data privacy three years on – what has changed?

The Information Commissioner's Office (ICO), the UK's data protection regulator, has started to flex its muscles, with fines ranging from £150k, issued to Saga Services Limited for sending unsolicited direct marketing messages, to a reduced £20m, issued to British Airways for failing to detect a data breach or take steps to mitigate the risk.

There have been a few other noteworthy developments, specifically in relation to international transfers of personal data:

  • In July 2020, the European Court of Justice invalidated the EU-US Privacy Shield (Schrems II), which was previously considered an appropriate safeguard for international transfers of personal data from the EU to the United States of America.
  • As a result of the Schrems judgement, the European Commission reviewed the existing standard contractual clauses (SCCs), which were redrafted. New versions were published in June 2021.
  • In June 2021, the UK was granted adequacy status by the European Commission. This means that data transfers from the EU to the UK can continue freely as before.

Data Protection Act 2018 (UK GDPR)

The General Data Protection Regulation (GDPR) became enshrined in UK law as the Data Protection Act 2018 on 25 May 2018, modernising the way in which organisations process and handle personal data.

GDPR introduced several new concepts, such as Privacy by Design, and the requirement to complete a data protection impact assessment. It also gave greater prominence to the role of the Data Protection Officer (DPO).

Other changes included:

  • Enhanced rights for data subjects in accessing, updating and obtaining a copy of their personal data, as well as some additional rights such as right to erasure and right to data portability.
  • The requirement for controllers to report breaches to supervisory authorities swiftly, and within 72 hours.
  • Use of personal data must be legal – a lawful basis should be cited for each data processing activity.
  • Data controllers are responsible for any personal data transferred to third parties and must contractually require third parties to adhere to data protection obligations.
  • The introduction of significant sanctions for non-compliance, up to €20m or 4% of global turnover – whichever is greater.