It is a vital part of the M&A process that confidential documents remain that way, and that sensitive documents are treated carefully. Mishaps, regardless of severity, can lead to delays, deal derailments, or potentially even lawsuits.
Sellers and their advisors need to decide who has (and needs) access to which information. Competition and privacy concerns will contribute to these decisions, and each person involved in the process will need to be vetted in terms of what they need to know.
For buyers, the transaction can only move ahead once executives and their team of lawyers, accountants and subject matter experts are satisfied with the corporate data they have been able to analyse, both in terms of nature and consistency.
Data room for improvement
Managing the potential tension between the differing priorities outlined above is another vital part of getting a deal to the completion stage. All M&A professionals at a recent IR Global roundtable discussion agreed that a data room is necessary to hold the confidential documents that need to be shared in the M&A process. But what should this data room look like?
The answer to this question depends on the size and the complexity of the deal.
A significant budget is usually set aside for large deals involving public companies. This allows a sophisticated data room to be established, with suitably high levels of security and functionality.
For a mid-market deal, however, the cost of doing this would probably not be considered acceptable, unless the data was particularly sensitive.
The trade-off, then, is cost versus security and organisational functionality.
IR Global member Balthasar Wicki, who practices as an M&A lawyer with Wicki Partners in Switzerland, considers this question of suitability his priority before the commencement of a deal.
Of the role of a third-party data room, he says that they would be recommended “if the target company didn’t have an archive document retrieval system capable of defining subsets of data accessible to potential buyers.”
Using third-party systems is a current practice in many middle-market deals, according to Balthasar. He recommends looking for the following features:
- the functionality to trace who has accessed or reviewed documents, when and for how long
- the ability to manage a competitive bidding process, where the activity of each potential buyer can be made available to other buyers in order to stimulate interest
- full GDRP compliance
He adds: “If monitoring the disclosure of sensitive commercial data is an important aspect of the deal, it will be included within the representations and warranties of an M&A contract. In such a situation, there is a greater need for a sophisticated data room.”
GDPR: the elephant in the data room
Since the advent of the European Union’s new General Data Protection Regulation (GDPR) in May 2018, there are more stringent restrictions on the transfer and storage of data than existed previously.
Steven de Schrijver, another IR Global member and practicing M&A lawyer with Astrea in Brussels, is careful to advise sellers in deals he is involved with to be selective about the data they put in a data room, particularly personal data pertaining to employees.
He warns against data drops that don’t discern what is relevant and what is not: “Sellers may need to include information about key employees, but not everyone.” Being careful to pick and upload only the relevant data reduces the likelihood of getting into hot water later in the process.
But which data? Steven recommends sellers “avoid putting in information such as health details, criminal records, trade union memberships or social security numbers.” He also speaks of best practice, and the importance of removing metadata included in the properties of the files through which the data is uploaded: this is a prime location for data to be uploaded inadvertently.
Finally, he adds: “the key is anonymisation. Give any potential buyers the key to unlock personal data separately and do not keep it together with other documents.”
Ensuring GDPR compliance
A non-disclosure agreement (NDA) is a time-tested way of protecting the most sensitive data involved in an M&A transaction, and gains new importance in the context of GDPR. In fact, withholding access until the Stock Purchase Agreement (SPA) itself has been signed may be necessary with the most sensitive data.
Mercedes Clavell, IR Global member and Spanish M&A lawyer with Arco Abogados in Barcelona, impresses on her clients the importance of a rigorous due diligence (DD) process, stating that shareholders, directors or partners of prospective sellers should be vetted before gaining access to shared sensitive information. After the DD process has taken place, information can be released in differing stages, keeping in mind who needs access at each stage.
In conclusion, there are clear reasons, both commercial and legal, why document management must be taken seriously during an M&A transaction by every party involved in the process. Not being diligent or working outside established and trusted channels risks collapsing the deal, which is obviously best avoided. It may also trigger huge fines for breaching GDPR (up to 4 per cent of annual turnover).
Tom Wheeler is Managing Director of IR Global, a multi-disciplinary professional services network that provides advice to companies and individuals across 155+ jurisdictions. The group’s founding philosophy was based on bringing the best of the advisory community into a sharing economy; a system which is ethical, sustainable and provides significant added value to the client. For more information, contact thomas@irglobal.com