At PrintNext18, Alexander Jute from Marlaw gave a great presentation on GDPR; at PrintNext19 he not only gave an update on the status of GDPR but also information that can help you in the valuation of your company.
Thank you very much. Hi, everyone. Good afternoon. Hope you enjoyed your coffee. These two subjects within 30 minutes is the perfect combination to start off.
But, actually, GDPR has more bearing on selling your company than you may think, before we start here. My name is Alexander, I work as a lawyer and partner at Marlaw Law Firm. We are a business law firm, but highly specialized in marketing and intellectual property, and also, of course, regular business law, like for instance selling your company, stuff … so concerning that, and shareholders’ agreements, and things like that.
The agenda for the 30 minutes is quite short, but it’s trying to give you a recap. What happened last year, from 25th of May last year up until now. There was a lot of fuss, as Magnus told you, about the GDPR and what do we have to do before and after? And can we do some things now and wait on certain things? And what are the guidelines here?
So, I will give you a brief overview of what is Datainspektionen, in Sweden, the Swedish data board. The authority that is surveilling that you are adhering to the regulation. I will give you a few examples of ongoing investigations in Sweden, and what you may or may not learn from that. And, some broader picture of what is going on within the EU, as well.
Then, the second part is a bit shorter in the end, but it’s about selling your company, how to value your company, and there are different methods. I will give you just a few examples because we don’t have time to go through them in detail, of course, but …
And also, some tips on how you may increase the value of your company, not only from a legal perspective, but also from a business perspective. Okay, and also, if you got any questions, please feel free to stop me at any time, and I will try to answer them.
So, the deadline. I don’t know how many of you were like … not in shock, but quite stressed closer to last year, 25th of May, but … All these headlines, like, “Are you ready for the GDPR?” And, “What is happening? Have you got full control?”
And most companies answer like, “We are not sure,” or, “Yeah, we have full control,” and the companies answering, “We have full control,” were probably not in full control, but at least that gives you an idea of how big the scope was within the EU.
So, all of the member states … But not only in the EU, also American companies having business here in Europe were like heavily affected, and some of them decided to discontinue their operations in Europe, so it has had some side effects, this GDPR, of course.
And then, 25th of May happened, and suddenly what happened on 26th? Was it like the millennium bug? It was nothing, or what is happening, really? But, there have been a lot of comparisons between the GDPR and the millennium bug, but the problem with the millennium bug …
The problem with the GDPR is that it will continue, and it’s … it’s evaluating every year that you have to increase your work with the GDPR, rather than the millennium bug that you could, “Okay, it was nothing,” but GDPR will be with us for quite some time ahead.
More in detail, the Swedish national legislation was buried, and the GDPR is now applicable within all member states, so we don’t have to go to the national legislation in any member state anymore. We have the same framework here, the legal framework.
And, that means that all processing, also the processing that you’ve been doing previously, but still perhaps storing personal data somewhere, over time is of course … the GDPR is applicable on that processing, as well.
So, in that respect, it’s retroactive, as well. The article 29 working party was like the data inspection but in all of the member states. They were like giving advice on how to interpret the previous directive.
That is also buried, and now we got the European Data Protection Board, that will give the companies and the authorities within the Union guidelines on how to work with the GDPR on certain topics, but this will of course take many years before they have given you any guidance on the specific question that you’re interested in. But, they’re at least working on it.
The data inspection in Sweden … they had some problems in the beginning. At least, they managed to launch a new website, and the … But the problem was that they deleted all the old links to the useful information that were presented, so a lot of companies were like really stressed out on how to achieve information on what is happening concerning the GDPR.
But, that is history now, and now, what are the propelling factors that motivate companies to adhere to this new regulation? Of course, you all heard about the risk of fear of sanctions, but also the consent panic. Many businesses interpreted GDPR, that it was equal to having to get consent from everyone that you are processing data about; but that is, of course, not the case.
There are six legal grounds on when it’s allowed to process personal data, and probably many of you have experienced this flood of terms and conditions that were updated close to the 25th of May. At least, my inbox was full like, “Oh, we really respect your integrity, but we have updated our terms and conditions here, and please click accept, or consent, or similar on our new terms and conditions.”
That is also, in part, somewhat a misinterpretation on what you really have to do. And then, all of these data processing agreements. You probably all have managed to go through tens of them, at least, the last year, I would assume. That is also one of the propelling factors on why companies were having to deal with all of this new regulation.
Immediately on the 25th of May, there’s a group called None of Your Business. It’s a non-governmental organization, and they reported Google, Instagram, WhatsApp and Facebook to different authorities within the Union, and they mean that …
They claim that all of these social media platforms, including Google, are using forced consents. They give you these long terms and conditions that you can only accept or not accept, and if you don’t accept them, you cannot use the service at all.
And, that is in conflict with the GDPR regulation, because it has to say that … You should not collect more, for instance, personal data than is absolutely necessary to provide your service, and they are obtaining all of this information about you, and your location data, and everything.
Maybe you’re not immediately affected by this, but I think most of the companies are using Google in some sense. Google Analytics, or Google AdWords, et cetera. That is also collecting personal data all the time, so this will be interesting to follow up on.
The reports were handed in on 25th of May by this organization, to the authorities within these countries, but I think they will have to … at least one or two more years before they come up with a verdict, so to speak, that it would be … possible to appeal to the courts.
In Sweden, what is happening? The Swedish Data Protection Authority, Datainspektionen, their first review … I think most of you read about it in the media, was concerning data protection officers. If you’re an authority or a company that is processing a lot of personal data, you have to have data protection officers.
And, they reviewed over 412 companies or entities that were also authorities within these, and asked if they had provided the entity with a data protection officer, or not, and if they had not reported the data protection officer to the Datainspektionen, they wondered, what was the reason for that?
So, 66 entities were investigated more closely, and … Oh, I’m sorry. And, it ended up with only giving you a harsh warning, that, “Okay, you failed to provide us with the information about data protection officer, but if you do it again, we will impose a fine on you; but this time, we will leave it at just a clear warning.”
That was the first review from Datainspektionen, and at the moment, they have a few ongoing matters. One is against Google. Google is using location data, and processing it in conflict with GDPR, is the position of the reporter.
And Datainspektionen is looking into that, and Google has just recently provided an answer to Datainspektionen, which we will have to follow up on. But the problem here, I think, for Google, is that they have all of these long terms and conditions on how they use personal data, that it’s not like possible for a regular person to navigate through, and to understand what is actually happening with your personal data. So, I think it’s a bit of an uphill battle for Google, but we’ll see what happens.
The next open case was a big thing in the media here in Sweden, as well. It was a health service provided by the authorities here in Sweden, so you can call in and get health recommendations, and health issues discussed with a nurse or a doctor.
One of the suppliers to this authority was a call center, and somehow, all of these calls were recorded, and also publicly available on a website. So, you can actually listen to the people calling in, and that is of course, really sensitive data people are providing. A lot of information about their health status, et cetera.
So, Datainspektionen has decided to open a case and see what were the mistakes here, and why was this possible to happen, and also what has this authority done to minimize the risk of personal data coming in the wrong hands?
The next thing they’re doing is they are leading a work on guidelines regarding data processors and data controllers. The ones who are in control of the data, and if they’re using sub-suppliers, the relationships there between, because the new IT systems that we’re using today are quite difficult to sometimes understand.
Who is the controller, and who is the processor, and can it be vice versa in some cases? Et cetera. So, they are trying to provide guidelines here, within the upcoming year.
What is next in the future for the Swedish Data Protection Board is that they will inform, and also impose on companies to provide information on what legal grounds they are basing their personal data processing on.
For instance, a lot of companies are relying on consent as a legal ground, but that is … often problematic, because the consent has this strict legal criteria on … It must be like optional, it must be clear, and informative in a certain way.
So, many of these consents that you have probably consented to would not constitute a consent, in the meaning of the GDPR, at least. And then, you don’t have a legal ground, and then you have to look at, “What other legal grounds may we use instead?” So, they will hopefully give some advice on this later on.
As I mentioned, they are also discussing the difference between the controllers and the processors, and the difficulties with the IT systems of today is that the personal data is in the cloud, for instance, and between many suppliers at the same time, and who is actually controlling the personal data?
And then, they will follow up on this first review regarding the data protection officers, the DPOs. What happened with the matter, and have these entities that were reviewed in the first place, have they now provided a data protection officer, or not?
Looking into what is happening in the rest of Europe, we only have to go to Denmark to see that the first fine that was imposed here was on a taxi company that the Danish authority, Datatilsynet, found was insufficient in its data minimization.
They used more data than was really necessary to provide their services. They stored names of all their customers for up to 10 years, and they only deleted the names after 10 years. After 10 years, they still stored additional data, like phone numbers and for instance credit card numbers; and that, of course, you know, could also be regarded as personal data.
They didn’t use sufficient anonymization. It was possible to easily get access to who their customers were, and all these long lists. And also, phone numbers they stored for up to 15 years, which the Datatilsynet found was not motivated by its service.
And, the taxi company said that, “We need this for the administrative purpose that we use in our business,” but the Datatilsynet found that it was not okay. So, they imposed a fine of 1.2 million Danish Kroner.
Another case is from Portugal, where it was a hospital who committed several breaches. The Portuguese authority found that there were insufficient authorization models, too many people had access to all of the patients’ data, for instance.
You should, of course, use it … like only the ones that strictly need it in their day-to-day work should have access to it, not all of the employees in the hospital. The security measures within the IT system were not implemented, as they had informed the authority.
It was also not able to maintain data protection over time, the Portuguese authority found, so they imposed a fine of €400,000, and it was quite … in comparison with that hospital, it was quite a small hospital, so it was quite a hefty fine for them.
Perhaps some of you have read that Google in France has already been fined with €50,000 … €50 million, sorry. And that was regarding their Android units, the operating system within Android phones. And there, the authorities found … CNIL is the equivalent to Datainspektionen, but in France.
They found that the information was not easily accessible. I mean, the regular customers could not like navigate through the terms and conditions, and found how the personal data is handled and where it is shared, and how it is shared, and how it’s collected.
The information was not clear and concise, and the description of the purpose of the processing was too vague, the CNIL found. So, it has to be a clear purpose, and it has to be described very precisely.
It was also unclear that the consent was the legal ground for personalized marketing, and also, the storage period was not defined for some of the processing that they were doing, and that, of course, was lacking information there regarding the GDPR’s requirements.
And, the next big thing is of course we’re waiting for a case law from the European Court of Justice, and that will take some time, of course. For instance, this Google case. Google will of course appeal this to the France … the courts in France, and then they will have to let the case go to the European Court of Justice before we know for sure how all these requirements should be interpreted.
So, very briefly, in the end, the GDPR is not like a one-stop shop, so to speak. It’s not you’ve done it once, and now you’re prepared for the rest of the future. It’s like you have to evaluate the project.
What flows do we have in our IT systems? For instance. What do we need to adjust? And also, all of these policies that you probably updated before 25th of May. What is happening? Are they still like reflecting how we are handling personal data? Or, are we … I don’t know, processing new personal data, or having new suppliers that we’re sharing our data with? Et cetera. So, they should be regarded as living documents, so it’s like an ongoing work.
And, of course, keep up the dialogue within your organization about the personal data, and try to think about the GDPR when you start new projects. How is GDPR going to affect this new business opportunity? For instance.
And also, all the new agreements that you enter into. Are they fulfilling the requirements within the GDPR? So, you should not look at GDPR as like, “Okay, 25th of May has passed. Wow, we made it.”
So, we still get a lot of questions, of course, regarding this. And, just a few slides here in the end, and now I try to also connect GDPR with how to value your company. Because there are many, of course, different ways to value your company, I just have four quite famous, and well-used methods here; and I will just briefly go through them.
The first one is the profit multiplier, also known as PE ratio. Price to earnings ratio, probably most of you heard about it, but I’ll just give you a short example. The value of the business is calculated by multiplying its profit.
So, for instance, if your company makes a net profit of one million for each year, and you use a multiple like four, then the value of the business would be calculated as four times one million, that is four million, of course.
From the potential buyer’s perspective, or viewpoint, this means that as long as the business continues to make the same profit over these four years, roughly one million then, so after four years, they will get the full return on their investment, and after that, they will make more money.
And the problem here is to determine the multiplier. For a small business, it’s usually between three and four; and for bigger companies, or larger, publicly-traded companies, it could be like seven, up to 12, and even more, depending on what company we’re talking about.
The next one is the asset valuation, and that is frequently used when there’s a company that is maybe not making long-term generating capabilities, or at least they are limited. So, then you try to like add up all of their assets in the company, including all equipment and inventory, and subtract any debts or liabilities.
And, if everything in the business was sold, and all debts were paid, this will be the value you achieve. You will then be left with a book value, you can say. But, applying asset valuations is generally more realistic if your company has a large number of assets; and, of course, as I mentioned, its long-term revenue is limited.
Then, there are comparables, and a common valuation method is to look at a comparable company that was sold recently, or a similar business with known purchasing value. For example, office and home security companies typically trade at double the monetary value, and accounting firms trade at one times gross recurring fees.
And there’s, of course, a last one that we just mentioned. It’s a bit more complex formula, but it’s the discounted cash flow method. It’s quite similar to the first one, but the main difference between the discounted cash flow and the profit multiplier is that it takes inflation into consideration, to calculate the present value.
Of course, there are more methods that you can use, but it’s just to give you an example. Now, more concrete tips here is … You should try to sell the future. What will your company be worth for the buyer in the future?
So, to maximize the value for your company, you should not only base it on the current situation, or your previously … but also on the upcoming years. For instance, it would be new owners, new activities, and also synergy effects when buying another company.
And, you should try to present a business plan for these synergies … for the possible buyer, so that they can evaluate, “Okay, this seems like a possible scenario, at least, what you have made in your business plan.”
Some other parameters that, of course, affect the value are the quality and size of the customer base. For instance, if you’ve got certain, exceptionally attractive customers, and of course the intellectual property, do you have any important licensing agreements or patents that you are using?
And of course, compliance. For instance, the GDPR. Are you selling legal risk, or are you compliant with the GDPR? Are you compliant with the tax regulation? Et cetera. That, of course, increases the value of the company when you’re selling. Or, we are not aware of if we fulfill the requirements for the GDPR, of course … Then, the buyer, of course, tends to give you a lower bid.
Is your staff skilled and experienced? And the trademarks? Are there certain values in the trademark, or have you a certain position that makes you more attractive? Are you active on a growing market, or a decreasing market? Are you about to launch new services or products? And, have you got steady income through long-term agreements?
Of course, you have to go through all of these agreements. And are there any unique selling points? For instance, you are the only company within the business industry that is using a certain technique, or have a certain product, et cetera, et cetera.
Just short tips here in the end, but thank you very much, and hopefully you’ve got some questions for me.