Data protection & privacy considerations for mergers & acquisitions

Planning to acquire another company? Make sure you follow the rules for data protection

As a smart business owner, you know how important it is to keep your personal data protected. Therefore, shouldn’t data protection and privacy be of equal (or even bigger) concern when you are acquiring another business?


Given the user-centric economic landscape of today, user data has undoubtedly become the most valuable asset for growing businesses. This is why it’s crucial to pay a little more attention to data protection and privacy when stakes are high, such as during a merger or acquisition transaction.

Keeping this in mind, we share in this article some of the most important data protection considerations for aspiring business owners who are planning to acquire another company. But first, let’s understand why data protection and privacy is a growing concern for new mergers and acquisitions.

Why data protection is a growing concern for new mergers and acquisitions

According to the latest research, a staggering 40% of newly acquired businesses end up revealing one or more cyber security issues during the integration phase after their acquisition. This figure is less surprising once you know that most acquiring companies have a low rate of data protection compliance, sometimes as low as 5%.

Now, let’s have a look at a few noteworthy data protection considerations for the M&A due diligence process, and the reasoning behind them.

4 data protection considerations for the due diligence process

  1. Is every potential liability for data protection and privacy taken into account by both parties?
  2. Are all the important data protection provisions being duly included in the transaction process?
  3. Does the seller have full rights to transfer all business data, as it is, to the new owner?
  4. Will the new owner acquire the right to process the data, as per their requirements, after the purchase?

1. Potential liabilities for data protection compliance

To be able to correctly determine the level of data protection compliance that the seller is willing to adhere to, up until the transfer of ownership, a comprehensive audit is necessary. The audit should take into account:

  • History of data breaches (if any)
  • Data sharing and handling procedures
  • Data Protection Impact Assessments (DPIAs)
  • Records of Processing Activities (RoPA)
  • Legitimate Interest Assessments (LIAs)
  • Cataloguing and mapping of data
  • Any outstanding responses to investigations/access requests/potential claims related to data protection and privacy
  • Consent records
  • Privacy and consent notices

2. Including data protection provisions in the transaction process

Both the seller and buyer need to ensure that:

  • All the necessary data protection clauses have been rightfully included in the NDAs (non-disclosure agreements) and the sale and purchase agreements
  • The setup of the data room is skillfully handled and access restrictions have been put in place
  • Privacy policies have been updated to allow the sharing of data until the due diligence is completed
  • The data-sharing agreements and the Records of Processing Activities (RoPA) have also been updated accordingly
  • There’s a high level of data security maintained throughout the acquisition process

3. Seller’s right to transfer business data to the buyer

The GDPR places restrictions on the transfer of data ownership, which is why it’s good to keep in mind that the seller is not allowed to transfer data ownership to the buyer when:

  • There’s no clause for change of ownership or transfer of control in the data-sharing agreements (to be used by third-party data processors)
  • The sale of the business, change of ownership, or transfer of consent originally shared by the data subjects isn’t allowed as per the privacy policies
  • The privacy policies are not applicable anymore

4. New owner’s right to process the business data after the purchase

The GDPR places limits on which parties are allowed to process the data. This is why buyers need to ensure that there’s no restriction that will stop them from processing the data, and should consider the following points before using the data that has been acquired from the purchase:

  • Has the purpose of data processing remained unchanged? If not, is there a valid lawful basis for data processing?
  • On what basis was the consent originally requested of the data subjects?
  • Is the consent renewable or transferable?
  • Where will the data be stored and processed? In case the location is outside the EU, has an appropriate lawful transfer mechanism been devised?
  • Have data-sharing agreements (involving the data processors) been set up, if necessary?

How to get the best value as a buyer

Most businesses today rely on data and insights for their operations, especially those in the Artificial Intelligence (AI), eCommerce, FinTech, AdTech, Internet of Things (IoT), and Life Sciences verticals. Since such businesses deal with huge volumes of data and the monitoring of data processing becomes a lot more complex in such cases, they often have a low level of compliance when it comes to data protection guidelines.

This is why buyers should pay close attention to the data protection and privacy aspect, if they want to get the best value out of the transaction. That’s exactly how Verizon acquired Yahoo for a discounted price.

By performing a thorough audit during the due diligence process and understanding the various nuances associated with data protection and privacy, you won’t just be in a better position to negotiate the best price, but also be able to protect your best interests as a buyer.