Skip to Content Skip to Navigation

All of the business data you’ve accumulated over the years is likely to contain information that is considered “personal data” under various data protection legislation.

So when preparing to sell your business, one of the most important things to check off your to-do list is a data transfer. But how do you go about this in a way that doesn’t violate people’s privacy (and the law)?

To help you navigate this crucial step, we’ve put together a three-step guide to ensure that any data transfer is conducted in a lawful way.

First, check which data protection and privacy laws apply to you.

Consider where your business and customers are based. This will determine which data privacy laws apply to you and, based on those, pinpoint which types of data are subject to regulation. Hopefully, you’ve already covered this in your privacy policy, but it’s generally wise to take the opportunity to review current laws when you draw up your agreement of sale.

For example, if you or your customers are based in the European Economic Area (EEA), you will most likely be within the jurisdiction of the General Data Protection Regulation (GDPR). According to the GDPR, personal data is defined as “any information which are related to an identified or identifiable natural person.” This could include anything from email addresses to employee timesheets.

Depending on what your existing policy says about data transfers to third parties, you may also need to check the conditions under which you can sell or transfer personal data. Under the GDPR, you can only use data for the purposes for which it was collected in the first place. This principle is known as purpose limitation. For instance, if a customer initially consented to their email address only being used for customer service communications, you will need to notify them and get their permission to sell or share it.

Other laws, such as the California Consumer Privacy Act (CCPA), have slightly different rules — and there is a much broader definition of what is considered to be the “sale” of someone’s data.

Next, notify your customers of the sale and of any changes to the business’ privacy policy.

To be as transparent as possible with your customers, be sure to inform them of the fact that the business is being sold, who you’re selling it to, and how this may affect the data that they’ve shared with you.

This provides an opportunity for customers to opt-out of their data being shared or sold, or request for their data to be deleted.

And of course, check whether the buyer can meet the same compliance standards outlined in your privacy policy.

Your responsibility for your customers’ privacy doesn’t end with the sale: you will need to ensure the buyer can uphold the privacy policy that the business is legally bound by. For example, if the buyer intends to store the transferred data in a new CRM system, do some research to confirm whether that software’s data storage and use of data is compliant with the laws and security standards outlined in your policy.

Depending on the terms of your sale, it may be advisable to document an agreement on how customers data may be collected, used, stored, and secured. Be upfront with the buyer about their privacy obligations and the costs of non-compliance. For some businesses, employing a Data Protection Officer (DPO) is a necessary expense to comply with the GDPR.

When it comes to selling and buying a business, both parties must do their due diligence to avoid getting into a legal rigmarole. Having a clear privacy policy is key to making any future business transfers as smooth as possible.

Generate a free privacy policy with

Download our free Privacy Policy and Terms of Service templates to start your compliance journey. Create your website privacy policy now.