Podcasts
The Road to Profit: Maximising Business Valuation with Data Protection with Erika Moralez-Perez
Erika Moralez-Perez‘s journey into the world of data protection began with her extensive background in IT sales within large corporate environments. She found herself on the other side of the table, transitioning from a business manager to a second career lawyer. This shift provided her with a unique perspective on the importance of personal data protection for businesses. She saw firsthand that even though GDPR had been around since 1998, it wasn’t until 2018 that businesses really started to pay attention to data protection. She realised that personal data was not just about the law; it was about the commercial implications of the law. Using her extensive business acumen, Erika has turned the seemingly complex and onerous process of data protection into a beneficial asset for her clients. She thoroughly understands the importance of safeguarding data and the potential for severe financial and reputational damage if businesses fail to comply with data regulations.
In this episode, you will be able to:
- Gain valuable strategies to shield your small enterprise through optimal data protection.
- Realise the less-known influence of data protection in improving your business value.
- Be exposed to the crucial function of audits in reinforcing strict adherence to data protection provisions.
- Be enlightened on top-notch strategies for data protection and staying updated on compliance laws.
- Absorb the significance of designing systematic data protection processes and assigning clear-cut responsibilities.
**Data Collection in SMEs.**
The first thing you might ask is, ‘Why is data collection important for a small to medium-sized enterprise (SME)?’ Well, the answer is as simple as it is significant: because most SMEs work with third-party providers who also handle personal data. This means, whether the company is big or small, understanding the kind of data being gathered, its intended use and how it’s safeguarded is crucial. But let’s not skip over Erika’s insights here. She explains how data collection and protection is not just an ‘uh-oh’ for large corporations but also for smaller businesses. Size doesn’t matter here. All you need is to know and do the right things when it comes to data; be it your employee’s or your customers’.
**Evolution of Data Protection Laws.**
The thing about data protection is that it’s not a new kid on the block. In fact, data protection laws have been around since 1998. But of course, with all the advancements in technology, there’s been a rise in attention and changes, like the General Data Protection Regulation (GDPR) that came into play in 2018. With laws in place to protect data and hefty fines for breaches, it’s crucial for businesses to keep up with these regulations. From Erika’s viewpoint, she highlights how data protection laws have a history but recent regulations like the GDPR have ramped up the focus on data protection. It’s not just about compliancy. It’s also about understanding what data you’re collecting, how you use it and whether it has a legit purpose. Makes sense, right?
**Impact on Business Valuation.**
Now, this is the bit that should really pique your interest. If you handle data effectively, your business valuation could shoot up. Data protection measures can actually boost your business’s value. Contrarily, problems like breaches, fines, or past investigative actions can cause potential investors to knock down your business’s value. Again, Erika shines a light on the link between data practices and business valuation. Essentially, effective data protection can be a significant factor when it comes to exit strategies and due diligence. It’s not just about ticking a box; it’s a opportunity to show buyers the gold in your business. The bottom line – data protection isn’t just a legal must-do, it’s a smart business move. Good data protection equals good business sense. And even better for your business’s valuation.
Listen to the podcast here:
Welcome to the podcast that’s dedicated to helping business owners prepare for exit so you can maximise value and exit on your terms. This is the exit insights podcast presented by succession plus I’m Darryl Bates-Brownsword, and today I’m talking to Erika Morales Perez. Thanks for joining us, Erika, and welcome to the show.
Thank you so much for having me. It’s a pleasure to be here.
So, Erika, tell us what’s your background we’re talking today? You’re a lawyer. You’re a lawyer with not just only legal expertise I was going to say you’ve had a proper job before, but you’ve got career before becoming a lawyer. But the reason that our preamble conversation is that we’re going to have a chat around data protection and in SMEs, how we can increase our valuation and what’s important to us about we’ve got all these GDPR and data protection laws that have come in and confused a whole lot of people over the last few years. You’re going to bring all that to life and help us to make sense of it and why it’s important of how we protect our data and what we have to protect and how and what and why and maybe and over to you. Tell us about a bit of background and why you yeah, absolutely.
Yeah, absolutely. That’s exactly what I’m going to talk to you about today. So I’m going to make it all nice and clear for everybody, all of the listeners here, on how and what they should be doing with their data. But my background, you’re absolutely right. I’m a second career lawyer, so I spent ten years in It sales as a business manager, working for corporates, actually. So I’ve got lots of business experience managing very big pieces of business within corporates. So I’ve been on the other side of the table, Darryl, which makes being a lawyer really interesting, because I have my own experience of dealing with lawyers, which, may I say, wasn’t always as straightforward as I would have liked it to be. And so I very much focus in my firm on delivering legal services that really hit the button and really give clients what they need and help them in business. So both myself and all of my lawyers bring a lot of business acumen to the party, which I believe when you’re advising on business, law is really important because it’s not just about law, it’s about the commerciality of the law that’s applicable as well.
Yeah, wonderful. Let’s face it, we want lawyers because they’re there to cover our butts and protect us at all costs, aren’t they? And sometimes what I think what you’re saying is, yes, that’s exactly what we do and that’s exactly what we want them to do, and we want them to balance that with a bit of commercial reality. And we don’t want to stop deals or stop things from happening just because there’s a risk. We need to manage and mitigate risks. And as business owners, there’s always going to be some risk there. So we’re talking about the risk of data or data. What are we talking about here? Why don’t we even go back a step and just go look, a few years ago now, data protection, GDPR came in, and there’s a whole lot of fear around it. It’s kind of like one of those things, dare I say, it has become a blanket excuse for not doing stuff. And just like a bit like health and safety has become and you get a whole lot of, well, we can’t do that for health and safety. What specifically is the issue that’s stopping you from doing that? So why don’t we, in layman’s terms, especially for me, what is the essence of these data protection laws? And what is it we need to protect ourselves and our clients and contact data as well?
Yeah, let’s go back quite a few years. Let’s go back 30 years, even a little bit further. So 1998, the original piece of legislation came in to protect personal data. So it’s been around a really long time. The thing was, until 2018, nobody really cared much about data. The reality is that the 2018 law that we know as GDPR didn’t change an awful lot from the 1998 piece of law. What it did change is our view and our perception of personal data and what we did with it and how we processed it as businesses. So what I always ask people to think about is, what are you happy with someone doing with your data? How much of your data are you willing to freely give somebody, and what will you be happy for them to do with it? And that’s how we have to think about personal data processing as businesses. It is something that’s absolutely essential. We do have to comply with law. And I love your analogy, your example of health and safety. I would analogise it with human rights in that they seem like a real pain in the neck, these human rights for everybody, unless you need to rely on them and, oh my goodness, then they’re super important, and then you’re absolutely 1 million% grateful that they exist. And data is actually very similar. We feel like we have to do a lot because we are compelled by law to do a lot, but actually, if we use it to our advantage, it can be really beneficial. And when you break it down, it’s probably not as onerous as it might have seemed on the face of it.
Yeah. Okay, so in layman’s terms, for most SME business owners and the sort of people we’re talking to are those businesses that are typically in the ten to 200 people mark. So by all measures, they’re small and medium businesses. They’ve all got online accounting systems where they’re collecting client and customer data. They’ve probably got online CRM systems where they’ve got more customer and online data stored online they’re probably using things like Outlook, Gmail, an email app, and just collecting contact records just because they’re emailing backwards and forwards. Is that what we’re talking about here? Or is there something bigger in the world of data that we’re supposedly collecting and shouldn’t be saving?
Well, that’s a really great question, and that’s the first question that I ask every single client, because what we need to know as a business, as individual businesses, we need to know what data we’re collecting and what we’re doing with it. So, yes, we’re absolutely talking about these third parties, because I have somebody who does my payroll for me. I use a piece of accounting software. I have an outsourced It provider. All of these people are touching the data that I collect as a business, but it really starts for everybody with what are we collecting? And that’s who it applies to. You mentioned their businesses from ten to 200 employees. It actually applies to every single business, even if you only have one employee.
I only care about our market. I don’t care.
Of course, but yes, it absolutely applies to that segment of the market and in a huge way, because they will be collecting data on their employees. So we’ve cross referenced a couple of things here already in our chat in that we’ve said, okay, so we’re using a payroll provider. So that’s processing data of my employees. And I am an employee of my business as well, so I fall into that category. And then my It provider, he deals with my email security, so he may have access to some of my client data as well. He also hosts my SharePoint, which is where I manage all of my case files, and he backs that up for me. So, again, he has some access to some personal data within those files. So it’s about really holistically looking at the whole picture of what you’re collecting. And of course, I mean, historically, as business owners, as businesses, we would have collected as much data as we possibly could, as much personal data inside leg measurements, everything, because one day we might just need it. And now the law says, well, hey, hang on a second. Really think about why you’re collecting data. Really think about what you’re collecting with that purpose in mind, and only collect that. And it’s really important that we’re thinking about that as businesses as well, because it’s very easy to take notes of stuff that you don’t need as a business.
Yeah, okay, so we’re talking about all the day to day stuff, data that we’re using as business to connect with not only our clients, but I guess we’ve got data of people who are just in our network, and we may have acquired their email address. I’m thinking through LinkedIn as well. You connect with someone on LinkedIn, you’re not necessarily a client, but you can now get their email address and potentially their phone number. And what have you, and you’re now storing that data on LinkedIn effectively as your own database. So is that included?
So yes and no. I mean, LinkedIn is a third party, essentially. You’re not actually taking data and putting it into LinkedIn outside of your own so yes, it’s included so far as when you sign up to have a LinkedIn account, Darryl, you’re going to input your details, you’re going to input some personal information about yourself. And as you do that, you’re consenting to that data being used in a certain way. And obviously you can set parameters around that application of how much you want to be seen by which individuals. So you’ve got some safety around that. So LinkedIn is an application, let’s say, or a piece of software that makes things quite easy because they set it out really clearly and you have to agree to give that information up front before you can have your account.
Okay, so we’ve got an understanding of the sort of data that’s included that we need to be sensitive of and save it and back it up and protect it and just make sure we’ve only got the information that we really need and we want to use that, we’ve acquired it legitimately and what have you. Now, why is this important or how is this important when a business owner is starting to think about exiting their business potentially, and they’re going, hey, look, I want to maximise the value of my business, how could they get unstuck through? And I guess primarily when someone else comes snooping around and doing some due diligence, when they reach that phase, what impact is it going to have on their valuation? Ultimately?
Yeah, absolutely. Well, it can have an upside and it can have a downside. So, as you rightly say, this all comes out in due diligence. So when you have your exit strategy and somebody comes along and says, I want to buy your business, for example, they will look at what you are doing with data. Data is such an important and valuable asset now within a business jigsaw, that’s a big part of due diligence, as I’m sure you will have experienced. So what they’ll do, what this person or this organisation who’s coming to have a look around and look under the bonnet of your business, they’ll look at, do you have any claims against you in relation to data? Have you had any subject access requests, have you replied to them, have you complied, have you had fines, have you had investigations, have you had audits? And all of that, depending on what the answer is to all of those questions, can negatively impact the valuation of your business. Conversely, however, if you’re in tip top condition in that regard, that can increase the value of your business because that data could be such an asset to the business. And if you have really good structures and building blocks in place to ensure that you’re protecting that data and using it to its maximum potential, then that can increase the potential valuation of the business as well.
Okay, so you mentioned some big scary words there, potentially, for some business owners around compliance with the requirements being policed audits and fines. What would someone be fined for, or what would trigger an audit or an audit of it, or how is it even policed?
Yeah. Okay, so we’ll take each question in turn, but actually starting from the bottom. So it’s policed by in the UK, it’s policed by the Information Commissioner’s Office, the ICO, and they are the regulatory authority in the UK. There are local jurisdiction regulatory authorities all around the world. And as you know, some jurisdictions, some countries have their own laws as well. GDPR covers the whole of Europe. And after Brexit, something that we don’t talk about anymore, because COVID kind of overtook it in importance, we entrench. So we took EU GDPR and we made that UK law, and we call it UK GDPR. So when we talk about GDPR, it’s kind of all encompassing. But our regulator here in the UK is the ICO. They have the ability to compel businesses to do things in relation to their data, be it put a particular process in place, and indeed, they can fine you. So a fine might be triggered because you have breached a rule in some way, a data protection law, and that might be because you’ve disclosed information and it’s been unlawfully disclosed in such a way that could have been prevented, and therefore you are deemed to be at fault. And unfortunately, it’s not like when you commit a crime and you go to court and you are assessed on evidence as such, and then you might receive a parking fine, or in the same way that you might receive a speeding fine, that this is assessed on evidence. The ICO have the ability to assess the evidence that they have at their disposal in relation to any particular breach, and they can then issue the fine. And although there are some guidelines around how fines should be issued by the ICO, it’s arbitrary. So there isn’t a hard and fast rule that says if you breach to this level, you’ll be fined X, and if you do that, you’ll be fined Y. So it can be costly from a financial perspective, but reputationally, it’s probably more costly. So there’s that element to consider as well. Shall I tell you about audits quickly, which was question number three.
Before you do, can you give us an example of what a breach might look like? Because we can talk about breaches, and I can just imagine someone sitting listening to this and going, okay, well, there’s some sort of random value of fine that might be applied. If I breach, what would a breach look like? What would I do or not do that constitutes a breach?
Yeah, a really simple example that is very plausible for any of our businesses. And might I add here that even the Pentagon has been hacked, so anything is possible. Sadly, there are very sophisticated systems and organisations and sophisticated minds out there that can potentially cause damage to our businesses. So the risk is real. A really simple example, small local business client of mine, they actually install carpets. They’re a third generation carpet installers. They’ve got quite a sizable team. They fit within that ten to 200 employee realm that we’re talking about here. Phoned me up one day and they say we got a repeat client, we’ve installed some carpet, we’re going back to do some more. We’ve charged them 3000 pounds, which was the cost. Our email, which was by the way, a hotmail account that they use for their business, basically had been hacked and their client had sent the money to the hacker somewhere in North Africa. And they had to take the view the 3000 pound hit wasn’t a problem for them. They could sustain that from a financial perspective. But he said, Erika, if this gets out, I’m ruined. All my business is word of mouth. People don’t want to hear that their bank information is being sent and being hacked and being accessed by these hackers. So a real example.
So they were hacked, but is there anything that they did or didn’t do that would end up with a breach, with them being fined by the ICO.
So they didn’t end up being fined by good fortune. However, there were a series of steps that they should have been taking, including ensuring that they had the right security measures in place for their email and when they were exchanging bank details and things like that with their clients. So by using just a bog standard Hotmail account that didn’t provide the requisite level of security that is required by data protection laws. So the law says you’ve got to have the correct and adequate technical and organisational measures to fit what you’re doing. And their Hotmail account didn’t really fit.
The bill for that because I’ve heard of, and I’m sure we’ve all heard stories of being hacked and even commercial level emails being hacked. I don’t know if they’re intercepted or how they’ve done it, but I’ve heard of some pretty sophisticated hacks where let’s say invoices have been sent and demands of CFOs and what have you and payments being made for imaginary services offered. And I’m just trying to link between being hacked and sort of being the victim of a hack and commercial being taken that way, and then also linking that back to oh, my God. Not only am I hacked and the financial here have been hacked and no one wants to give away 3000 pounds. But then linking that back to going yes, commercially, from a business savvy perspective, I should have been operating on commercial level email accounts with all the added protection, and I’m sure all the providers have these for business level accounts as opposed to just the free user accounts. But then on top of that, having the ICO or the regulator, depending on where you are in the world, coming in, looking over your shoulder and going, hey Sonny, we heard you’d been hacked. We also want to have a look in and go, well, we want to have kick you up the butt as well because you should have had your house in order and you should have been looking after things properly. Is that what we’re talking about here? Because they’re hacked, they were negligent in the first place and therefore that negligence means that in reality the hacker could have got in and found all of their data or got to all of their data.
Yeah. And with regards to the ICO then stepping in and getting involved, that usually arises out of a complaint being made. So in this particular scenario, we were able to placate the client and we were able to act quickly and respond quickly and therefore it didn’t result in a complaint being made to the ICO. So the ICO do not proactively police the kind of organisations that we’re talking about. They tend to proactively police the bigger organisations, but where a complaint is made, they have an obligation to follow up and investigate. So had this particular customer, client of my clients, gone and complained to the ICO, the ICO would have absolutely had to investigate. And that may have resulted in a different.
If someone is disgruntled to the point where they go, hang on a SEC. This person has used my or put my information at risk or somehow got access to my information and used it in a way that I’m not happy with. They may put in a complaint to the ICO and they then have to follow up commercially and do some sort of policing and then potentially issue a fine. Okay, so that’s fines and policing and how the regulator gets involved, and I assume it’s similar in all countries as well as the UK. I know that they didn’t start it, but what about audits? So how do they work?
Yeah, so audits usually take place and are carried out by our customers. So when you are signing up a new customer, so say you are a SaaS provider, for example, software as a service provider, and you sign up a client, you have a contract with that client and that will typically have some provisions around data. So those data provisions will say you’re going to comply with all these laws in the provision of your SaaS service to us, but also you’re giving us the right to audit you. And in law, the customer has the right to do this as well. We can come and audit you to confirm that you are complying with the provisions of this agreement and the data processing elements of this agreement. So we want to, if there is a breach, or if there is a suspected breach, for example, we have the right to come and look under the bonnet of your business and make sure that in relation to this service that you’re delivering to us, you’re complying. And we want to be able to have the ability to make sure that you’re not only complying, but that you haven’t breached the terms of the agreement in the course of delivering this service. Because if you have, we’re going to send the regulator to you and blame you and not blame ourselves.
So if we haven’t taken the proactive step of using proper, let’s call them commercial and robust systems, even right down to email, because we do, let’s face it, all of our invoicing and commercial emails of contracts and agreements and everything done today is through email. We’re no longer sending it through the post. So even for the smallest business who has a commercial arrangement with someone is using email, you haven’t got the incentive already to use at least a commercial grade email system. Hopefully, you’ve now put the fear into them that that’s absolutely what they should be doing. And it costs, well, it’s not a high cost to comply from an email perspective and use commercial grade systems, which most of them operate internationally anyway. So all these commercial systems in place are pretty secure. What other examples have you got, Erika, around? So if we’re moving beyond email and CRM and finance type systems, what are the typical areas where people may get caught out or may overlook or not consider without experience or knowledge?
Yes, there’s a couple. So it does slightly relate to CRM, but it’s about, for example, how you market to your customers. And that’s a really important element of data protection because you may know that to market to customers, you have to have their consent, it has to be explicit consent, it has to be recorded. You have to know that you’ve got that consent before you’re marketing to them. And I have a client who is actually an estate agent and they had one of their individuals within their business that actually approved a mail shot for something completely unrelated to their business. It was actually in relation to a charity, Coffee Morning, and they approved this individual within the business who was not authorised to do so, approved the mail shot, which went out to 20,000 individual customer contacts, some of which had been what we call suppressed. So that means people who have decided that they don’t want to be contacted for marketing purposes. Now, this isn’t what I would consider a data breach as such because the data had not been compromised, it hadn’t been unlawfully shared, but again, a real example, and it had been done by the individual within the organisation with the best intentions. But the issue lied with the organisation itself and their process because they were using a third party IT provider and the individual who was not authorised within this business gave the authorisation to the external provider and the external provider did it. So the first thing we did was I advised my client, fix your process. Only somebody at director level can give that level of okay, that’s what we did immediately. But for that client, the unfortunate thing was out of those 20,000 individual contacts, two of them work for the ICO. I mean, what are the chances? Again, stuff happens. This stuff happens in real life. It’s unfortunate, but it does happen.
Unfortunately, what’s the harm in that case? It’s pretty negligible, but absolutely.
Could have been a lot worse. Could have been a lot worse.
Absolutely. So you’ve raised something important there. Is there any difference between businesses doing B to B or B to C type handling of data that again, the average man or average person or business owner is just not aware of?
Yeah. So business information is not strictly and directly caught by the act. So where you’re exchanging information in the course of a business, so somebody gives you a business card, you’re okay to contact those individuals. When we then break it down and we’re wanting to send them information at an individual level, then it changes the consumer, the individual, the data subject, all three of those descriptions are one of the same, which it relates to a natural person who has personal data. They are the individuals that are affected and caught by GDPR and data protection law across the globe. So it’s when you are conducting B to C business, the bar is much higher and you have to take much more care over how you approach individuals in terms of what you’re marketing to them, how you process that data. So of course you’ve got a bit of a crossover here because as a business we have these consumer individuals as employees whose data we are collecting and using and processing in the course of them being employed by us. And then we’ve got our business contacts as well and then potentially individuals within those business contacts as well as that. So we tend to take a blanket approach.
Okay, so we’ve covered a fair bit of ground today and I’m just going to try and summarise and see if I’ve captured all of the key points that you’ve shared with us. So, firstly, I think the point that you’ve made is we need to use robust commercial grade systems because we’re just dealing with customers and contact. And it just makes sense to protect the data anyway, because the worst case is. Yes, you’ll have your reputation ruined, and that’s not going to be healthy for the business. But there’s a very real risk of your systems just aren’t as secure and someone can get in. So we need robust commercial grade systems. There’s a lot for business owners to keep abreast of. There’s so many different laws and systems and things they just need to be aware of. So at some point, they need to manage their risk and just make sure they surround themselves with the right sort of professionals who are proactively, keeping them abreast of the risk that they need to be taken care of. We need to look at our systems and processes. We need to make sure that it’s another reason that we want to systemise our business and ensure that everyone knows what they should and shouldn’t be doing and what they can and can’t do and the extent of their responsibilities and ability to make choices. They’re the main ones that I see. And as with everything, we’re risking the valuation because we need to know that if we don’t have these level of security and risk management in place when we do want to exit our business, we’re just vulnerable and we just won’t have the opportunity to maximise the valuation of our business. So what have I missed, Erika? Or is that where we’re at?
Yeah, I think that’s a great summary. It really is an investment. It’s having these processes, having these systems. Everybody thinks of legal advice as an afterthought. You go to a lawyer when you’ve got a problem to fix. I would say prevention is better than the cure. Prevention is the only cure, in fact. And if you want to maximise your bang for your buck when you’re selling your business, putting these systems and processes in place will absolutely do that looking. Understanding what’s under the bonnet of your business is so important. It makes you lean, it makes you mean. It will make you more money, not only whilst you’re trying to achieve your business growth objectives, but at the point of sale as well. Your exit plans will absolutely be maximised by having these things in place.
That’s brilliant. And add us bonus points to the lawyer giving us sound, commercial money revenue making advice as well.
I try my hardest. I aim to please.
That’s brilliant. Hey, look, Erika. Thanks. I really do appreciate your time today and sharing your insights on how we can maximise valuation of our businesses.
Thank you very much.
About Erika Moralez-Perez
Erika is the CEO and a Commercial Solicitor at Iconos Group – Commercial and Corporate Law – GDPR and Data Protection specialists.
Erika is an accomplished corporate and commercial lawyer specialising in business transactions, commercial contracts and data protection. Commended by her clients for first-rate, ongoing commercial advice. Erika has continually succeeded in identifying opportunities and mitigating risk for leading companies throughout her extensive year.
Erika established Iconos Group, a regulated a law firm, in January 2022 after nearly 6 years of practicing as a consultant commercial lawyer and identifying a need for a law firm that not only provides excellent legal advice, but that focusses on client service and business objective. She uniquely combines years of experience in legal practice with nearly a decade in business management in international IT and software companies as well as being an entrepreneur.
If you would like to learn more about how to start preparing your business, then you can get more information here: It All Begins with Insights.
