Expert Opinion

Data protection and due diligence: What acquiring companies need to know


As a business owner, you try to keep your personal data protected at all times. But shouldn’t you be equally (or even more) serious about data protection when you are involved in a merger or acquisition transaction?

In today’s user-centric economy, data has become one of the most valuable assets a company can capitalise on. This is why, when stakes are high, it really pays to give a little bit of extra attention to data protection, such as during mergers and acquisitions. If you are an aspiring business owner planning to acquire a company, here are some of the most important data protection and privacy considerations to keep in mind during the due diligence process and beyond.

4 Important Data Protection Considerations For Due Diligence

  1. Is it within the seller’s rights to transfer data to the new owner?
  2. Would the new owner have the right to process the data acquired after the sale?
  3. Are all the potential liabilities for data protection understood by both parties?
  4. Does the transaction process accommodate the important data protection considerations?

Let’s understand the logic behind these considerations, one by one, to reveal the main points of concern.

The seller’s rights to transfer data to the new owner

The GDPR restricts the transfer of ownership of data and limits which parties can process the data lawfully. The following are some of the circumstances in which sellers are not allowed to lawfully transfer the data to the purchaser:

  • The privacy policies don’t allow for a change of ownership, sale of the business, or transfer of consent shared by data subjects
  • The privacy policies are no longer applicable
  • The data-sharing agreements (used for third party data processors) don’t allow for a change of ownership or transfer of control

New owner’s right to process the data acquired after the sale

Buyers should establish whether they have the right to process the data without restrictions, and consider the following before using any of the data that has been acquired:

  • Will the data be used for the same purpose as before? If not, is there an appropriate lawful basis for processing it?
  • What was the basis of consent originally shared by the data subjects?
  • Is the consent transferable or renewable?
  • What will be the new location for data storage and processing? If it’s outside the EU, then it’s necessary to use a lawful transfer mechanism, as deemed appropriate.
  • Has the new owner set up appropriate data-sharing agreements with the data processors, if necessary?

Potential liabilities for data protection

In order to have a clear idea of the seller’s level of data protection compliance up until the transfer of ownership, it’s necessary to perform a thorough audit focusing on:

  • Cataloguing and mapping of data
  • Records of Processing Activities (RoPA)
  • Data Protection Impact Assessments (DPIAs)
  • Legitimate Interest Assessments (LIAs)
  • Privacy and consent notices
  • Consent records
  • Data sharing and handling
  • History of data breaches (if any)
  • Outstanding responses to potential claims/investigations/access requests with respect to data protection

Making Data Protection Provisions a Part of the Transaction Process

It’s important to ensure that sufficient attention is paid to:

  • the level of data security throughout the acquisition process
  • data protection clauses included in the non-disclosure agreements
  • the setup of the data room and access restrictions
  • privacy policies that allow the sharing of data for the due diligence to complete
  • data protection provisions included in the sale and purchase agreements
  • the data-sharing agreements
  • the Records of Processing Activities (RoPA)

What Makes Data Protection a Serious Consideration for Mergers and Acquisitions

Research shows that a surprising 40 percent of acquiring companies end up discovering one or more cybersecurity issues after the acquisition, during the integration phase. If this number wasn’t shocking enough, most companies have a low rate of compliance when it comes to following data protection and privacy guidelines, sometimes as low as 5%, including those that leverage the most value from data and insights, such as FinTech, AdTech, Internet of Things (IoT), eCommerce, Artificial Intelligence (AI) and Life Sciences.

Often, the reason for this low level of compliance is the high level of technical complexity involved in data processing, in addition to huge volumes of data. However, considering the eye-wateringly high valuations that are common these days, in addition to the potential risks and liabilities, it’s worth paying close attention to the data protection and privacy aspect of the transaction to realise the best value out of an M&A transaction. This is what Verizon did after learning about Yahoo’s history of cybersecurity incidents, eventually acquiring them for a discounted price.

Conclusion

By understanding the various nuances of data protection and performing a comprehensive audit during due diligence, you can not only get the best value out of an M&A transaction, but also protect your best interests.
