When buying or selling a business, key issues often arise around intellectual property (IP), information technology (IT) and data protection. These areas of due diligence can be of vital importance to any buyer so in this article we highlight the enquiries you should make in respect of IP, IT and data protection as part of your wider due diligence exercise. It is wise to take specialist legal advice on each of these areas as any vulnerabilities could leave you unable to run the business effectively following completion.
A general overview of key considerations when acquiring or disposing of a business is available here.
Intellectual property covers everything from patents and trade marks owned by (or licensed to) the target, to rights in the materials on the target’s website or the databases they exploit.
It is essential that you establish what IP is necessary to run the target business and ensure that you may continue to use that IP following completion if that is your intention. Specific provisions will need to be included in the sale documents to ensure the transfer of IP rights occurs.
You should start by establishing the following:
• What IP does the company own and/or use? Is it what you expected? If it is not what you expected, consider asking more questions in order to understand the full picture.
• Are the appropriate licences and registrations in place? If not, you may find yourself vulnerable to challenges by third parties.
• What unregistered rights are used?
• Is anything missing that you need in order to run the business?
The IP in the business should be documented to ensure that you know exactly what you are purchasing (and what is excluded, if anything).
Even if you are not acquiring a business in the tech sector, your target is likely to rely on a number of IT contracts which you may wish to take on to ensure business continuity. You may also be looking to retain the existing IT infrastructure. Obviously if it is a tech business, then the IT will be of central importance as both they key assets of the target and to ensure operational continuity.
Whilst carrying out your early enquiries, you should consider:
• What hardware and software is owned and/or used by the business? Is it suitable for your business needs?
• What IT contracts are currently in place? What are there terms?
• Are adequate maintenance and service agreements in place?
As with the IP, it would be sensible to itemise what is being purchased and make a record of all relevant contracts.
Compliance with data protection legislation, and in particular the GDPR, should be at the forefront of your mind when purchasing a business. With massive fines at stake even for historic breaches when purchasing a business, non-compliance is not an option.
You should consider the target’s approach to data protection and assess the level of risk you may be exposed to. A good place to start would be to ensure that you have clarity on the following matters:
• What personal data does the target hold and how do they use it? This will help you understand the nature and extent of the business’s personal data processing activities;
• Are they GDPR compliant? What steps have been taken to date to ensure the business’s compliance with data protection legislation?; and
• Have they had any data protection problems? i.e. whether any claims have been made (or may be pending) in respect of an historic data breach or any issues in responding to any subject access requests.
The above list is by no means definitive of the due diligence needed but should provide you with a useful checklist to start your commercial negotiations and preliminary enquiries. Specific terms should be drafted in the sale/purchase contract in respect of the IP, IT and data protection matters. Where these matters are central to your business interest, you may also need assistance obtaining appropriate warranties and indemnities.