Data privacy and M&A: What sellers need to know
The GDPR, CCPA, and other data privacy laws have changed the way businesses approach personal data — and high-profile scandals have raised awareness among consumers and shareholders — and this fundamental shift has also reached mergers and acquisitions.
In an effort to avoid regulatory penalties and reputation damage in the post-merger organization (and/or high costs required for remediation), acquiring companies are incorporating data privacy reviews as part of their due diligence processes, and the outcomes of those reviews can make or break a deal. In a recent study by Merrill Corporation among M&A professionals, 55 percent of the respondents cited the target company’s data privacy practices as the primary reason for a transaction to fail.
If your organization is looking to be acquired, assume that acquiring companies — regardless of which data privacy laws apply to them — will consider your data privacy practices in determining your business’ intrinsic value (or in deciding whether to make an offer at all). By taking steps to document how and why your company captures and processes personal data, and by understanding who has access to that data inside and outside of your company, you can anticipate acquirers’ concerns and make your business a more attractive target.
The first step in understanding your organization’s personal data ecosystem is knowing what personal data you have — and whose data you have.
Most organizations understand the importance of protecting customer data; however, the definition of data subject under current data privacy laws, including GDPR and CCPA, includes not only customers, but also prospects and other marketing contacts, employees, partners, board members, vendors, and (under CCPA) households. And the definition of personal data goes far beyond traditional notions of “personally identifiable information (PII)” to include online behaviors, dynamic IP addresses, genetic and biometric data, and other details not covered under previous regulations. Under CCPA, personal data also includes inferences used to create profiles, which brings your algorithms into the equation.
It’s equally important to know where that personal data comes from — whether you collect it directly from data subjects (such as via website forms), observe it through tracking, purchase it from a third party, or obtain it from some other source. Review each source to ensure that the data you gather is being collected in an ethical manner, with the appropriate consents and/or documented business purposes in place.
Your data architecture and processes
Once you know what data you have, you need to understand who has access to it and what those users do with it. And if data subjects request access to or erasure of their data, you need an architecture that will enable you to accommodate their requests in a timely manner.
When we work with clients on GDPR or CCPA readiness, we build system diagrams, data flow diagrams, and data maps as part of our process for creating a record of processing activities (ROPA). Once we have a high-level view of where personal data is located and where it goes, we can work with our client to address important data privacy issues such as identity access management and whether duplicate data might confuse the question of which records are current and accurate — thereby reducing the business value of the data.
Your policies and procedures
In many respects, this is one of the easier areas to address, as it involves documented information. Acquiring companies will want to review not only your privacy and security policies, but also your processes for accommodating data subject rights (such as the right to erasure), for training the appropriate personnel in data privacy procedures, for following a governance program, and for reinforcing learning via gamification or other methods.
Data privacy is the new normal, and not just from a strictly regulatory standpoint — it’s a vital factor in building trust among customers, shareholders, business partners, and, for companies looking to sell, potential acquirers. Acquiring companies, regardless of which regulations apply to them, want to ensure that their potential targets handle personal data in an ethical manner consistent with privacy regulations, and that they implement best practices in sound data management. By understanding how your organization uses personal data and abides by the principles of data privacy and data ethics, you can speak to acquirers’ concerns and increase your chances of a favorable deal.
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.