Data Protection Due Diligence

Overview

Castlebridge was asked by advisors working for a large investment company to carry out an extensive data protection due diligence on a large property acquisition in the commercial retail market.

The Pain Point

A large investor was engaging in a multi-million euro transaction to acquire a high-profile commercial retail complex in Ireland. They had identified a need to ensure there were no data protection compliance issues that might negatively impact on the potential new owners of the complex. Getting that done quickly, rigorously, and independently of the transaction team was a critical issue.

How We Helped

We carried out an extensive review of the data processing and data protection governance in the multi-tenant shopping and entertainment complex. This included reviewing the policies and procedures around processing of CCTV and other personal data, and ensuring that there was clarity on Controller, Processor, and Joint Controller relationships between the complex owners, day-to-day complex management, and the individual retailers and other outlets who were tenants of the complex. It also included physical inspections of CCTV cameras and other data processing activities in the complex.

In doing this we drew on our experience advising a large high-street retail department store group and applied a structured taxonomy model to help tease out the relationships and establish whether appropriate controls and governance documentation were in place.

We then developed a data protection compliance risk register for the complex, and presented a set of recommendations for improvement of controls to ensure those risks were appropriately mitigated before the commercial transaction proceeded.

The Outcome

The risks identified were addressed and the multi-million euro commercial transaction proceeded.