In 2017, we published an Insight on GDPR-related issues for acquiring companies to consider as part of their M&A due diligence process. Nearly two years later, not only is GDPR in force, but California has passed its own data privacy legislation, CCPA. More state laws are on the way, and the likelihood of a U.S. federal data privacy law grows with every passing week. All of these regulations make sound information practices mandatory.
In this complex regulatory landscape, an acquirer faces steep challenges in evaluating potential targets’ risk levels regarding data privacy and protection. On one hand, a target’s data can be a valuable asset that increases the company’s potential worth to the acquirer. On the other hand, in an environment where protecting data privacy is the new normal, irresponsible practices and poorly managed data architectures can be a huge liability. In a recent survey by Merrill Corporation among M&A professionals, 55 percent of respondents cited a target company’s compliance and data protection practices as a primary reason a deal failed to complete.
While individual data privacy laws may differ in their details, several common themes have emerged, which makes the task of evaluating potential M&A targets more manageable. When considering a merger or acquisition, make sure that your due diligence process encompasses the following key areas:
1. Applicability of Data Privacy Laws
Make sure you understand which data privacy laws affect the target company and how they apply. For example, the GDPR requirement to designate a data protection officer (DPO) applies to organizations that are public companies, that process personal data on a large scale, and/or that process special categories of personal data. Whether this requirement applies to a potential target depends on the specifics of the company.
Another important consideration is whether the target has the flexibility to align with future data privacy laws. When GDPR was passed, some companies handled compliance by segregating their European data subjects and implementing data privacy measures only for those individuals. When CCPA came along, many of those companies had to start over in protecting a new population of data subjects. Companies that see the big picture follow a “data privacy by design and default” approach that not only satisfies current requirements, but also makes it easy for them to adapt in a rapidly changing data privacy environment.
2. Data Policies and Procedures
Evaluating a target’s policies and procedures may be one of the easier facets of data privacy due diligence, in that these areas usually involve documented information. When reviewing procedures, make sure the target has documented processes for accommodating data subject rights under applicable laws, such as the right to access and the right to erasure of one’s personal data, and that all appropriate personnel have been trained in these procedures.
3. Data Systems, Architecture, and Flow
It’s one thing to write data privacy procedures, but having a data architecture that allows you to execute them is often another matter. Does the target company know what data they have, where it’s located, who has access to it, and what they do with it? And if a data subject requests access to or erasure of her data, can they fulfill her request promptly? Additional considerations include:
- Whether the target has “black box” data stores that may go unreviewed for years at a time
- How they document consent/refusal to allow processing of personal data and how consent tracking is used to ensure the data subject’s request is honored
- Data proliferation lifecycles, both within and outside of the company
4. Data Governance
The business world is always changing, and so is the data privacy environment. Even if the target company may have been considered “compliant” when the applicable laws first took effect, lack of adequate governance can cause even the most diligent efforts to become moot over time. Ask about their data governance practices and how they monitor for “triggers” that can impact their compliance status.
We’ve covered just a few of the areas to consider in evaluating the data privacy risks of a potential target as part of your M&A due diligence. There are many others (e.g., security measures and third-party contracts), and the more you discover about your target, the more accurate your picture of their data privacy risk level will be.
While some may have seen GDPR as a finish line, we now understand that it was a milestone, the first in a wave of data privacy laws that will eventually impact almost every organization. In approaching mergers and acquisitions, taking a target’s data privacy practices into consideration is no longer optional — both for compliance purposes and for the integrity of the post-merger organization and the trust that customers and partners are willing to place in it. By incorporating data privacy considerations — particularly those concerning data management — as part of your M&A due diligence, you can paint a more accurate picture of the target company and improve your chances for a successful deal.