Dealing in data: Insider tips for effective document management during the M&A process
The efficient management of sensitive and confidential documents is crucial to the completion of a smooth M&A process.
From a seller’s perspective, decisions need to be made throughout the process about who has access to what information, due to competition and privacy concerns. From a buyer’s perspective, the transaction will only proceed once the executives are comfortable with the nature and consistency of the corporate data they have been able to analyse.
Finding a way to manage the tension between these two competing sets of priorities is one of the keys to getting a deal done. It is universally agreed among M&A practitioners that some sort of data room is required to hold the documents relevant to the M&A process, but the nature and scope of that data room can vary depending on the size and complexity of the deal and the importance of data to the outcome.
Very large deals involving public companies will set aside a significant budget to establish a sophisticated data room with the right levels of security and functionality. This may not be possible for a mid-market deal, where the cost of doing so would not be considered acceptable, unless the data concerned was highly sensitive.
The trick is to find a data room structure to suit the deal in question, balancing cost with parameters such as security and organisational functionality.
Balthasar Wicki, an IR Global member and M&A lawyer with Wicki Partners in Switzerland, always prioritises this question of suitability before a deal commences. His preference is to give buyers access to information within a seller’s existing internal systems if possible, rather than duplicate documents via a third party provider.
He says: “If there is a choice between using an external data room and an existing document management system in a company, I always recommend the latter. Taking documents out of the company and adding them into a separate data room risks a consistency disconnect. I would only use a third party data room if the target company didn’t have an archive document retrieval system capable of defining subsets of data accessible to potential buyers.”
If a third party data room is used, many smaller deals will use file sharing software such as Dropbox as a way to save on cost. This has a number of disadvantages related to both security and process.
Using these publicly available systems is still current practice in many middle market deals, according to Balthasar Wicki, who says, besides poor security, they lack the functionality to trace who has accessed or reviewed documents, when and for how long. They are also unable to manage a competitive bidding process, where the activity of each potential buyer can be made available to other buyers in order to stimulate interest.
He adds: “If monitoring the disclosure of sensitive commercial data is an important aspect of the deal, it will be included within the representations and warranties of an M&A contract. In such a situation, there is a greater need for a sophisticated data room. Using a system like Dropbox would force a buyer or a seller to leave data management out of the contract.”
There is a serious legal, as well as commercial, perspective to data security given the advent of the European Union’s new General Data Protection Regulation (GDPR).
Steven de Schrijver, an M&A lawyer with Astrea in Brussels and also an IR Global member, advises sellers to be selective about what data they put in a data room, particularly personal data belonging to employees.
He says: “Sellers may need to include information about key employees, but not everyone. They should avoid putting in information such as health details, criminal records, trade union memberships or social security numbers. The documents should also be cleaned of any metadata held in the file properties There can be all kinds of private information hidden within the file.”
He adds: “The key is anonymisation. Give any potential buyers the key to unlock personal data separately and do not keep it together with other documents.”
A good way to ensure compliance with GDPR is to restrict buyers from accessing the most sensitive data until they have signed a non-disclosure agreement (NDA) or, if possible, the actual Stock Purchase Agreement (SPA), which effectively closes out the deal.
Mercedes Clavell, a Spanish M&A lawyer with Arco Abogados in Barcelona and a member of IR Global, advises that sellers should put the shareholders, directors or partners of prospective sellers through a due diligence (DD) process prior to sharing sensitive information. Once the DD process is complete, information can be disseminated in a multi-stage process, dependent on how advanced the deal is.
She believes this is most relevant in large business-to-consumer (B2C) companies that hold lots of sensitive personal data on individual customers as well as staff members.
She says: “Distinguishing the type of business involved in the transaction is important. With a business-to-business (B2B) model, data privacy is not so relevant because the database only holds the names of the employees and the directors. In big consumer firms like Amazon, or in the medical industry, personal data security is more important.
“B2C sellers need to insist on warranties and indemnities to cover possible data breaches by potential buyers or their advisors.”
We can conclude that there are clear commercial and legal reasons why document management must be taken seriously during an M&A process by both companies and their advisors. Failure to do so may lead, not only to the collapse of a promising deal, but also, in Europe, huge fines of up to 4 per cent of annual turnover for breach of strict GDPR rules.
Interested in hearing industry leaders discuss subjects like this and sharing their use-cases? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data Expo and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam and explore the future of enterprise technology.
- » The top 10 most popular cybersecurity certifications in 2019: A guide
- » Mobile identity is the new security perimeter: How enterprises need to secure their mobile worlds
- » Tackling cybercrime one step at a time: How businesses can stay connected and protected
- » Alerts are ignored and turnover is high as security teams suffer from incident overload, report says
- » Why manufacturing supply chains need Zero Trust security