M&A and Privacy: When Privacy invites itself to the negotiation table
DataGrail was at P.S.R. in Las Vegas hosted by The IAPP. Justine Vilain, our Senior Customer Success and Implementation Manager had the opportunity to attend the session “Closing the Deal: Privacy Risks in M&A Transactions” led by Sheila Jambekar, Kalinda Raina and Mark Webber. She shares her top takeaways and observations.
It isn’t news anymore that the ongoing privacy climate has impacts beyond the borders of any company’s legal and privacy department. Across the country, companies are doubling their efforts to prepare to comply with existing and forthcoming privacy regulations. To date only California and Nevada have adopted proper privacy regulations, but ten other states are working on their privacy framework. Sooner or later all businesses will fall in the scope of at least one national or international privacy regulation.
Legal, privacy and security teams have started involving their IT, sales and marketing teams to ensure privacy compliance across the board. However, only recently have privacy concerns become part of due diligence process.Here are the highlights and main takeaways from this new function for privacy officers and legal departments:
1. The value and quality of the target company’s data has the potential to be a major privacy concern.
A thorough review of the target’s company data helps assess the value of the deal and avoid post-deal sanctions and fines. Mergers such as Marriott/Starwood and Yahoo/Verizon are striking examples of the financial impact of data breaches and data privacy on a merger. The team in charge of the privacy compliance program will need to answer some key questions:
- Is the personal data the target company holds central to the buying decision? The target company’s main asset might well be the data they process. Therefore it will be essential to assess the quality of the data and ensure that the target data can be processed by the acquiring company on completion of the merger.
- What is the geographical consequence of the acquisition? Acquiring a company processing data in new territories will mean having to comply with additional and perhaps previously unknown, data privacy laws. The privacy team will want to prepare for that new scope.
- What has the target company done for their privacy compliance program so far? Was the data collected and processed in compliance with applicable data privacy laws? It’ll be important to have access to data mapping exercises and any documentation available on their program.
- Is the acquisition going to change the acquirer’s business model from a privacy standpoint? The company who is currently a controller might become a processor after the acquisition.
Once the deal is closed and the companies effectively merged, the privacy and legal teams’ involvement cannot be discontinued. The stakeholders present at the valuation stage should have a seat at the integration table. Their oversight is needed for the ‘post-due diligence to-do list’:
- The privacy team needs to ensure that the data is integrated as planned during the due diligence phase.
- If both companies’ data are kept separate with two privacy compliance program and policies, the consequences need to be assessed.
3. The necessity of an effective data inventory
Assessing the target’s data and its value can get challenging and is likely to delay the due diligence process. Companies relying on spreadsheets and manual work face the risk of gathering outdated information and spending expensive human resources on this exercise. Given the fluctuation of systems holding personal data in an organization, only a live and constantly up-to-date data map can ensure a precise and complete inventory of any personal data contained in those systems at all times. Target and acquiring companies need to rely on automated solutions to ensure the accuracy of the data valuation prior to finalizing the deal and its fair price.