Now that the Protection of Personal Information Act, 2013 (POPIA) is in force, companies should heed the above lessons in order to avoid liability for non-compliance with POPIA, in addition to serious commercial consequences, including costs for remediation of the data breach, and reputational harm.  

​

Data privacy and cybersecurity as a separate and distinct subject matter of due diligence
From the purchaser's perspective, it is critical that the seller's data privacy compliance and cybersecurity be thoroughly assessed as early as possible in the M&A process. These considerations should be applied as a separate and distinct subject matter of due diligence, including the need to ask the right questions when buying a business. Questions that would typically be included relate to items such as:

 

• the status of the seller's compliance with POPIA;

• policies, practices and controls in place to safeguard personal information processed by or on behalf of the seller, and whether these meet the standards imposed by POPIA;

• the adequacy of staff training and awareness regarding data privacy and cybersecurity, given by or managed by the seller;

• the measures that the seller has in place to prevent, detect, respond to, manage and remediate a data breach;

• history of data breaches suffered by the seller.

​​

Data privacy considerations during the due diligence phase 
A large volume of this information will include personal information falling within the scope of POPIA. This will mean that the seller must ensure that (i) it has a lawful basis to disclose personal information to the seller, and (ii) that only personal information necessary for the purposes of due diligence and the acquisition is disclosed. 

​

Parties typically conclude a non-disclosure agreement (NDA) to regulate the confidentiality of information disclosed during the due diligence process. These standard NDAs typically do not include robust clauses dealing with personal information and the parties' compliance with their respective obligations under POPIA and any other applicable privacy laws. Parties are strongly advised to conclude a ‘personal information sharing agreement’ on top of the standard NDA. 

​

The sharing of information needs to be POPIA-compliant. If a party intends to rely on legitimate interest as a ground to disclose personal information, an opinion or privacy impact assessment should be drafted and kept on file to this effect. However, even in such event, the condition of ‘data minimisation’ should still be met. The seller should be guided by questions like whether the purchaser needs to know the identity of the seller’s employees, clients or customers, and whether any personal information can be anonymised or de-identified in a way that renders it impossible to identify the particular data subject. This must be balanced against the purchaser's requirements for reviewing the information requested. Sellers should not attempt to hide behind ‘data minimisation’ to avoid disclosing key information to the purchaser. 

​

Third parties are often engaged to provide the virtual data room (VDR) through which information is shared and accessed. Regardless of which party is responsible for the VDR, steps must be taken to ensure compliance, including ensuring that security safeguards are in place.

​

Once the purchaser acquires the seller, it will need to consider what it can lawfully do with the personal information and whether it has any obligations in respect of such information. Where relevant, additional conditions precedent may need to be included in the purchase and sale agreement. 

​

Concluding remarks
In the age where data is an asset and there can be serious consequences for non-compliance with privacy laws, companies engaging in M&A activities can no longer afford to ignore the relevance of data privacy and cybersecurity in M&A transactions. 

​

Naidoo is an Associate in Corporate Commercial and Boda an Executive in TMT | ENSafrica.