Intellectual property and data protection considerations when selling a business

When and why to prepare for sale

As an entrepreneur, ones’ number one focus is the success of the endeavour. It’s important, however, to keep one eye on the future and eventual succession or exit.

Sales processes can be arduous and time-consuming. It can take many months or years to find a buyer and as much time to complete the sale, but getting the business in order can help to significantly move the process along.

Buyers like transparency, order, and a problem free acquisition. An early review and tidy up of the business’ affairs could result in the business becoming more attractive to more potential buyers. Ultimately, this can achieve a higher sale price.

In addition, identifying and rectifying issues early makes for a quicker and smoother sale process. This could save significant legal and other advisory fees, and also limit future liability by exposing the seller to fewer risks (i.e. warranties and indemnities) in the sale documentation.

How to prepare for sale

All parts of a business attract attention and scrutiny on sale. This article focusses on intellectual property and data protection matters – which can be pivotal in impacting the value of the business when bringing it to market.

Intellectual Property (IP) when selling a business

Intellectual property can be amongst the most valuable assets a business owns. Lack of intellectual property protection can reduce the worth of a business and/or even jeopardize a sale. Intellectual property encompasses various intangible assets, broadly categorized into:

Trademarks – e.g. of logos, symbols, names, or signs which identify the business’ products or services. Trademarks are obtained to prevent others from using them or ones which are confusingly similar;

Copyrights – e.g. of creative works like written, visual or audio content. Copyright protection makes sure the original creator has the exclusive right to the work;

Patents – e.g. of innovations. Patents are obtained to make sure the inventor has exclusive rights to the innovation; and

Trade secrets – e.g. of special know how or methodology which creates a unique or optimal product or service. Protection of trade secrets is vital in ensuring the company retains confidentiality over that information.

Because of how important these items can be to the business, buyers will thoroughly investigate whether the relevant IP is properly owned by the company. It is therefore crucial to make sure each piece of IP is registered as it should be and that records are up-to-date.

If this is not properly done, there could be a risk of IP infringement. Namely, a third party could take the business’ IP and use it without permission. Alternatively, a third party could claim that the IP the business is using is actually theirs, or too confusingly similar to theirs. This could expose the business to expensive court battles, and so a seller might consider taking out IP insurance to ensure any potential claims can be pursued or defended.

If there are any ongoing IP disputes or other issues relating to IP, these would ideally be fixed prior to sale negotiations. However, if that is not possible, it is always good to ensure there is a clear audit trail for the new owner to pick up on post completion.

Data when selling a business

There are a few key pieces of legislation that apply to data. These are the UK General Data Protection Regulation (“UK GDPR”) which sits alongside the Data Protection Act 2018 and the Privacy Electronic Communications Regulations (EC Directive) 2003. If a business has links to the EU, then the EU General Data Protection Regulation may apply as well.

The main type of data captured by the above laws is personal data. This is essentially any personal information relating to an identified or identifiable person. For a business, it is usually the personal data of employees, customers, or suppliers.

Keeping on top of data protection matters is crucial because there can be significant consequences for businesses who fail to comply. These could be investigations by the regulator, reputational damage and/or monetary fines.

The main things for a business to get in order are:

Registration with the Information Commissioner's Office (ICO) – any organisation that processes personal data needs to register with, and pay a data protection fee to, the ICO. There are some exemptions, and there is lots of information on the ICO’s website to help businesses determine whether any might apply;

General policies and procedures – these help to ensure personal data is handled properly in the day to day running of the business, and are evidence of proper governance in the run-up to a sale;

Privacy notices – these should appear wherever personal data is processed, detailing what data is processed and how it will be used – for example on a website, if that website is collecting personal data;

Data processing agreements – these should be entered into where someone is processing personal data on behalf of a controller. This is usually relevant for external IT providers, help desks or payroll providers, where the business is the controller of the data and the third party processes the data on their behalf;

Transfers outside UK or EEA – these are generally prohibited under the UK GDPR, when the subject of the transfer is personal data and where it is being transferred outside the UK or the EEA. It is best to be aware of this general prohibition and to make sure that measures are in place to prevent such transfers unless they can be properly managed in compliance with the UK GDPR; and

Mandatory records – the following are required and should be kept up to date:

• Processing activity records – stating where and how the data is collected, processed, stored and deleted;
• Data breach records – stating when the breach occurred, who it involved, what data was the subject, its impact and how it was dealt with; and
• Data retention records – to make sure data is not stored for longer than necessary.

Of course, when disclosing information about a business to the buyer, the seller should be aware, and protective, of the personal data being shared. Most transactions involve a virtual data room, which makes the process easier, because VDRs usually come with a good level of security - though this should be checked. The seller should also redact certain sensitive information e.g. employee medical information and put in place data processing agreements and confidentiality agreements ahead of disclosure.

The good news is, the burden of protecting personal data does not fall solely on the seller. The ICO specifically requires that the protection of personal data must be considered by both parties to a merger or acquisition as part of any due diligence process. Therefore, the buyer should co-operate with the seller as regards protecting sensitive data during the sale process.

Closing note

Although there is lots to think about when selling a business, getting the business’ ‘house in order’ early should ease the process. If you have any questions or would like any advice regarding your intellectual property or data protection practices, contact our expert team today at [email protected].