Although a business should have an understanding of its obligations under the Data Protection Act 2018 and UK GDPR, the following gives an overview of the specific considerations to be made before sharing personal data as part of a corporate transaction:
In the first instance, you should consider what personal data you process and what is likely to be shared during the transaction. This data may include: (1) employment contracts and information; (2) personal data relating to disputes; and (3) personal data contained within key contracts.
Next, you should enter into a confidentiality agreement. This agreement should provide that any confidential information (including personal data) will be stored securely and that on expiry of the agreement, the receiving party will either destroy or return all confidential information.
You should then consider if your processing is likely to be deemed lawful, fair and transparent.
To ensure lawful processing, there must also be grounds for processing the personal data, such as consent or legitimate interests.
In the context of employer/employee relationships, consent is a difficult ground to rely upon due to the imbalance of power. Therefore, legitimate interests is most likely the best ground to rely upon for commercial transactions. This requires a controller to balance its own reasons for processing data against the data subjects’ ‘fundamental rights and freedoms’, and consideration must be given to minimising the risk to data subjects.
One way to minimise the risk is to ensure all personal data is shared via a secure virtual data room (VDR) which can only be accessed by authorised users.
Where possible, personal data, such as employee names, should be redacted before being shared.
Ultimately, before sharing personal data, you must ensure that you can answer the following questions: