The business data you have accumulated over the years almost certainly contains information that counts as "personal data" under one or more data protection laws.
So when you prepare to sell your business, one of the most important items on your to-do list is planning the data transfer to the buyer. But how do you carry it out without violating people's privacy (and the law)?
To help you navigate this crucial step, we have put together a three-step guide to conducting the transfer lawfully.
Start by establishing which data protection laws apply to you and what they treat as personal data. If you or your customers are based in the European Economic Area (EEA), you will most likely fall within the scope of the General Data Protection Regulation (GDPR). The GDPR defines personal data as "any information relating to an identified or identifiable natural person." That covers anything from email addresses to employee timesheets.
Next, check what your existing privacy policy says about transfers to third parties, and the conditions under which you may sell or transfer personal data at all. Under the GDPR, personal data may only be used for the purposes for which it was originally collected, or for purposes compatible with them; this principle is known as purpose limitation. For instance, if a customer consented to their email address being used only for customer service communications, you will need to inform them and obtain their permission before selling or sharing it for any other purpose.
To be as transparent as possible with your customers, tell them that the business is being sold, who the buyer is, and how the sale may affect the data they have shared with you.
This gives customers the opportunity to opt out of their data being shared or sold, or to request that their data be deleted.
Depending on the terms of the sale, it is advisable to document a written agreement with the buyer on how customers' data may be collected, used, stored, and secured after the transfer. Be upfront with the buyer about their privacy obligations and the costs of non-compliance. For some businesses, appointing a Data Protection Officer (DPO) is a mandatory expense under the GDPR.