Privacy and data security considerations in M&A transactions (from a seller’s perspective)
With the recent tabling of the Privacy and Other Legislation Amendment Bill 2024 (the Bill), privacy and data security matters continue to be front of mind for company executives.
The Bill introduces a raft of new OAIC investigation and monitoring powers and broader penalties (including penalties of up to $3.3 million for doing an act or engaging in a practice that is an interference with the privacy of an individual).
From an M&A perspective, it’s likely that the proposed changes to the Privacy Act 1988 (Cth) will drive prospective purchasers to further scrutinise the privacy and data handling practices of potential targets.
Prospective sellers and their advisors should be prepared for more in-depth questioning during the due diligence phase and purchasers taking a ‘belts and braces’ approach when it comes to data privacy warranties and indemnities used in sale agreements.
To help sellers prepare and ensure their organisation’s information handling practices are up to scratch, we have summarised in this article some simple steps sellers can take before the sale process kicks off.
1. Know your information
When it comes to getting a handle on your organisation’s information handling practices and understanding your privacy compliance obligations, the first step for most businesses is to have a good understanding of the information that flows in and out of the business.
It is crucial that you know what information your organisation collects, why it is collected, how it is collected and where it is stored. Without this level of understanding, it is very difficult to effectively manage and protect the personal information that your business handles.
The first port of call should be your organisation’s privacy policy as this document should set out how your business manages the personal information it collects.
Before preparing your business for sale, take the time to review your privacy policy and ensure it aligns with how your business actually handles the personal information it collects. This is also the opportune time to conduct a legal review of your privacy policy to ensure it is up to date with current laws and regulations.
If you have a lot of information that flows in and out of your business or if your business handles sensitive information such as health information or children’s information, you may find it helpful to conduct a data audit or mapping exercise to help you identify the various data touchpoints in your business.
There are software tools available that can help with the data mapping process, but this can also be done manually. It can be a complex and time-consuming process so it is often best to engage a professional to help you.
2. Identify compliance gaps
Once you have a better idea of the information that you hold and how you handle it, it’s time to identify whether there are any compliance gaps in your business’s processes and procedures.
Ideally, these issues would be identified and remediated before any potential buyers start digging around during the due diligence phase.
Using the outputs of your data audit/mapping exercise, you can conduct an assessment of how you are tracking from a privacy and data security compliance perspective, using the Australian Privacy Principles (APPs) as your benchmark.
Depending on the complexity of your business, and the amount of information you handle, it may be worth having a professional assist you with this assessment.
A thorough assessment shouldn’t just identify any compliance gaps but should also provide targeted recommendations and remediation steps to help you plug any gaps before a potential buyer has the chance to raise any issues.
3. Start addressing compliance gaps now – the sooner you start the better.
Like most things, prevention is better than a cure.
This is true in the context of preparing to go to market with the sale of your business.
Rather than scrambling at the last minute to plug any compliance gaps and being reactive to any issues raised by prospective purchasers, it’s best to be proactive and sort these issues out before there is a chance of them being flagged.
There are some quick wins to be had when it comes to plugging privacy and data security compliance gaps, such as:
- ensuring your staff have completed privacy and data security training;
- making sure any privacy related policies you have in place are accurate and up to date;
- implementing appropriate security safeguards and controls;
- putting in place robust information access controls (e.g. multi-factor authentication);
- establishing incident response plans;
- ensuring you have appropriate data back-up protocols and procedures in place; and
- keeping a register of any privacy related incidents, breaches or engagement with regulators.
An experienced privacy professional can help identify any low hanging fruit and suggest ways to address these issues quickly and efficiently.
4. Be cautious when it comes to uploading personal information to virtual data rooms
In the frenzy that is the due diligence stage of a transaction, sellers don’t often stop to think about their privacy obligations when it comes to uploading personal information into virtual data rooms.
The due diligence phase is often completed on a truncated timetable, so it’s usually a case of uploading any information that has been requested by a potential purchaser as soon as possible.
One key risk area is the disclosure of employee data.
Employee data can be quite varied and often includes ‘sensitive’ personal information relating to the employees of the business. The disclosure of this information will generally require the consent of the individual to whom the information relates.
While there are exemptions under the Privacy Act when it comes to the handling of ‘employee records’, the test of what constitutes an ‘employee record’ is typically interpreted quite narrowly by regulators.
In circumstances where express consent has not been (or cannot be) obtained from the individual concerned, a cautious approach to uploading employee information into a virtual data room should be taken. Ideally, any employee information should be ‘de-identified’ before it is uploaded so that individual employees cannot reasonably be identified by reference to the information provided in the data room.
In most cases the identity of the specific individual employees is not particularly relevant in the context of a transaction. Information such as any accrued entitlements, key terms of the template employment agreement, and the number of employees in any given location of the business is usually what buyers want to know. For this reason, providing anonymised information relating to employees is usually not a deal-breaker for most buyers.
5. Transaction documents – a belts and braces approach
With increased enforcement powers for regulators, and greater penalties for breaches of Australia’s privacy laws on the horizon, it’s a sure bet that purchasers will be focusing heavily on the warranties and indemnities provided by the seller in the sale documentation that relate to privacy and data security matters.
For example, purchasers are likely to seek warranties from the seller that the target:
- has complied with all applicable privacy and data security laws and regulations;
- is not currently involved in, or aware of, any pending or threatened privacy or data security related claims or proceedings; and
- has not been involved in, or is not aware of, any pending or threatened regulatory investigations or action against it in relation to its compliance with applicable privacy and data security laws.
Sellers need to be prepared for tougher negotiations on these points, but where sellers can show buyers that these key risks have been mitigated, the negotiation process should be a much smoother one.
Final thoughts
While preparing your business for sale might seem like a daunting prospect, having the right mix of professionals on your team is crucial for your success.
If you are thinking of selling your business and would like to have a chat with our team about how you can best prepare, please contact us.