Understanding the potential pitfalls ahead of time can save time and costs in the long run, as we explain below.
The key to getting to grips with the data protection compliance of an organisation is understanding what personal data they have, and what they are doing with it. If the charity has any form of data/information asset audit or map, this should give a helpful overview. If no such documentation exists, then privacy notices can also help, as these should cover all the types of data that the charity holds, and will tell you how they deal with it.
Once you understand the types of data held and what it is being used for, you can identify the key risk areas, and focus your due diligence on those areas. For example, if the charity sends lots of information outside of the EEA, you may want to see details of the safeguards adopted, and any contracts that are in place relating to this data. Or, if the charity collects and uses a lot of special category personal data, you may want to look more closely at their security measures, and their legal basis for this.
Another useful tool in understanding risk (and potentially cost post-merger) is the breach register, together with details of any individuals who have exercised their data protection rights. The breach register (which is a required document) will tell you what types of breaches the charity has experienced, and whether these have been reported to the ICO. A number of low level breaches by the same department may indicate a need for training. A blank register may also suggest a lack of reporting - rather than a lack of breaches - which could be a cultural issue that may need addressing down the line.
The documentation itself is also important. There is a legal obligation to be accountable for data protection, and to demonstrate compliance. This is partly achieved through having a range of policies and procedures - some of which will be legally required. A lack of policies is likely to need rectifying, and could come at a significant cost to the merged entity if a culture change is required.
Another area often overlooked is data sharing. Some types of data sharing will require a written agreement in place, and if the agreement is not in place, the charity may have an increased liability in the event of an issue with the third party. Knowing when contracts are needed, and identifying any gaps will help assess the potential risk, as well as potential costs post-merger to get the new organisation back on track.
At the due diligence stage, it can also help to think about how the two organisations can lawfully share personal data with the merged entity, particularly if beneficiary details or mailing lists are going to be crucial going forward. A small change to existing privacy notices at this stage can potentially save difficulties down the line. There may also be some data that you are unable to share without taking further steps, such as getting consent. Again, understanding this as early as possible will help with future planning.
As with so many areas, knowledge is power in data protection terms. A lack of compliance may not be a reason to halt the merger, but a solid understanding of measures that might need to be taken post-merger (and the risks of these), will help the new organisation plan for the future.
Our upcoming webinar, 'Charity Mergers - A Look Behind the Legal Process', will give practical tips to trustees, chief executives, and finance directors (as well as other stakeholders) on the merger process, and improve knowledge and understanding on the topic to assist charities in making strategic decisions in the interests of their beneficiaries. Book your free place today.