Your exits are here: how to prepare the IP and data in your business as private equity takes flight (again)

The private equity buyout market appears to be on a road to recovery following an 18-month period of struggle. This resurrection has brought with it a renewed appetite, and in some cases increased pressure, to be part of the upward acquisition trajectory. Now is the ideal time for PE funds to be encouraging their portfolio companies, which they consider to be "disposal ready", to be looking inwards and assessing whether they are "exit ready". If they are not, portfolios should ensure they understand what steps need to be taken to prepare for a smooth sales process. Whether or not the aforementioned sales process materialises, this exercise will serve as an opportunity to ensure the portfolio's house is in order.

To help portfolios on their way, we've set out below some of the key considerations that businesses need to bear in mind from an intellectual property (IP) and data protection perspective in order to assess their readiness, and what steps can be taken to address any issues which might be identified.

Remember that being "exit ready" is more than having an exit strategy in place or identifying the gaps in your documentation which might be flagged in the due diligence process; it can also be hugely helpful to recognise previously unrealised value within the business, and it can even help to spot (and articulate) what you perceive to be new opportunities.

The uncertainty of 2022 / 2023

Much of 2022 and the majority of 2023 saw sponsors hold off on new investments as the cost of debt had dramatically increased and other traditional financing methods were not as readily available. Negotiations between buyers and sellers also became increasingly difficult due to the economic uncertainty, all of which had a significant impact on the number of deals that took place.

With levels of uncertainty so high (and interest rates unlikely to drop significantly for two to three years), funds instead prioritised value creation strategies to ensure that portfolio companies survived the turbulence and came out the other side in a strong position. These value creation strategies ranged from portfolio companies integrating previously acquired bolt-on businesses, identifying, and exploiting new opportunities for growth, shoring up risk and investing in tech to streamlining business operations, (alongside other strategies to reduce the need to borrow).

The recovery in 2024 – will it last?

With inflation falling and interest rate cuts becoming (almost) certain, there was hope in early 2024 that negotiations between buyers and sellers will become easier.

In June, the Bank of England held interest rates at 5.25%, while inflation hit the 2% target. Monetary policy will need to remain restrictive for sufficiently long to return inflation to the 2% target sustainably in the medium term,” the Bank of England’s Monetary Policy Committee stated.

Half year deal count reached the highest point in two years. 162 deals were announced during the first six months of this year with secondary buyouts accounting for just over 30% of buyout activity – this was almost 10% higher than in 2022 and 2023. There are a number of factors which are likely to have contributed to this, not least the uncertainty around the Autumn Budget and the measures that will be implemented by the new Labour government. In addition, historically PE funds have targeted shorter holding periods (typically three-five years), but recent figures indicate that over 40% of portfolio companies had seen an investment period of more than five years, therefore it is possible that there has been increased pressure for funds to sell these longer-held assets.

The question now is, will it last?

Getting "Exit Ready"

Regardless of market conditions, every portfolio company will, at some stage, need to consider its longer-term sales process (and, as above, doing so can be a useful "health check" at any stage of a portfolio's lifecycle). Investing time thinking about this ahead of a sale can result in a more efficient process and potentially, a higher valuation.

For the most part, the key is to take a step back and look "inwards" – ultimately as part of any legal due diligence process your business will be put under the microscope. Identifying, and addressing, any potential issues will be very important, but you will also want to ensure that you are not leaving any value "on the table".

IP points to consider

From an IP perspective, it's fundamentally important to understand what IP the business needs to operate, whether it is material to the business (i.e. can it be easily replaced), who owns it and on what basis the business has a right to use it:

Identify the key IP in the business

This is likely to vary from business to business, and will depend, in part, on what industry the portfolio operates in. IP that is considered "material" will be a valuable asset and being able to articulate what this is (and how it is used) will therefore be important. One way to address this is by way of an "IP audit". Material IP could be copyright in proprietary software; an exclusive right to use third party material, the business's name, and branding; or even its database of clients / customers. Having a solid understanding of what IP is material will help to inform the next steps you should take.

Understand who owns key IP

The IP that a business purports to own will come under scrutiny during due diligence and so it will be important to be able to show a chain of title from the person who developed the IP to the portfolio company. This should be straightforward where IP has been developed by employees (since it will automatically vest in the employing entity) but is more complicated where third parties have been involved in the development process. If IP that the business owns has been developed by a third party on behalf of the business, make sure you have a chain of assignments transferring ownership to the portfolio company.

In respect of third-party IP used by the business, ensure that there are agreements in place with the owner/licensor and such agreements clearly set out the grounds on which the portfolio can use the IPR. If the third party IPR is fundamental to the business, any buyer will carefully review these licences to ensure the business has adequate rights for its intended future use of the IP.

Of equal importance, is to ensure that the business is actually operating within the scope of the licences granted. If it is not, this may amount to IP infringement.

Understanding the grounds on which the portfolio has a right to use the key IP is the first step to spotting any issues.

Review agreements granting rights over key IP

Where the business allows third parties to use its key IP, the business should ensure that it retains ownership in its IP and that any such licenses are not so broad as to dilute the value in that IP. Where the company creates IP for third parties it also needs to ensure that a clear line is drawn between IP that is retained (for future use by the business) and IP that is assigned to the third party. Where the IP is a material asset, if this is not sufficiently clear it could lead to the buyer seeking additional warranty protection or potentially attempting to price chip.

It is equally important to identify where there are no agreements in place governing the use of IP. This should be addressed as a matter of priority as it created uncertainty over the rights and obligations of the portfolio company.

Make sure key IP capable of registration is adequately protected

IP registrations (where appropriate) will provide the buyer with comfort that the business has an exclusive right to use the IP and can prevent third parties from doing so. Whilst unregistered rights afford some protection, registered rights are much easier to enforce and are therefore valued by a buyer.

The portfolio should consider whether its IP is appropriately protected where it is capable of registration.

Data protection points to consider

In terms of data protection, the business needs to consider whether it is complying with its obligations under the UK GDPR (and any other applicable legislation). Given the levels of fines that can issued for any failure to comply, this is an area of focus for many buyers, in particular if the processing of personal data is fundamental to the portfolio's activities:

Conduct a data protection audit.

The simplest way to identify any deficiencies in a business' data protection compliance framework is simply to look at what it has in place, compare that against what it is expected to have under the legislation, and identify the gaps. The level of audit will depend on how sophisticated the portfolio's data processing activities are, how fundamental they are to business operations and how "high risk" the data handled by the business is.

If the business handles a lot of personal data and appoints third parties to process this on its behalf, the contracts in place with those third parties should be looked at as part of this process to identify any issues.

A portfolio company can go a long way to rectifying any issues prior to a sale process resulting in a more efficient transaction.

Review the policies and procedures that are in place.

A lot of businesses will have made attempts to comply with the "EU GDPR" when it first came into force in 2018, but will have done nothing since then; in which case what is in place may no longer be suitable or relevant. The business will need to consider its internal policies and procedures such as its data protection policy and employee privacy policy, as well as its an external-facing website privacy policy and cookie policy, and ensure they are fit for purpose.

A lot can change in a business over the course of a number of years and there is an expectation that policies and processes should be updated regularly to reflect the realities of the business' activities from a data privacy perspective. Be careful of falling into the trap of seeing a document exists and assuming that it is adequate.

It's important to review these policies and procedures (ideally with the help of a data protection expert) in order to assess whether or not they need to be updated.

Security of data and cyber resilience

This is becoming an area of increased focus for buyers who are keen to ensure that a portfolio company has assessed relevant cyber risks (including but not limited to the risk to personal data) and has taken steps to mitigate such risks. The portfolio should ensure that it can demonstrate that it takes cyber resilience seriously and has put in place appropriate safeguards to protect against any system breaches.

We anticipate that cyber security will, in the coming 12 months, come under further scrutiny as part of due diligence as a result of the Cyber Security and Resilience Bill which is likely to come into force in the UK. Note, however, that in certain sectors e.g. financial services stringent obligations already exist.

The final step – fill the gaps

Where you spot issues during the process of getting "exit ready", you should promptly address them. In practice some issues may only be nominal, but some can result in significant delays in the due diligence process and even, in serious cases, lead to deals collapsing entirely.

Addressing any issues as part of getting "exit ready" could also result in unexpected windfalls, not least unlocking unrealised value in your business and plugging any gaps in your contractual documentation.