Addressing Privacy and Regulatory Issues During M&A Process Before Integrating Company Systems


In recent years, the adoption of the General Data Protection Regulation (GDPR) in the European Union (EU), the passing of the California Consumer Privacy Act (CCPA), and several other state-level regulations in the legislatures across the United States have brought privacy regulation into the spotlight. These regulations have come with additional reputational and regulatory risk (e.g., fines), increased consumer rights, and an enhanced focus on how companies use data as a commodity.

Due in large part to public and damaging privacy scandals, such as Cambridge Analytica's misuse of Facebook profile data and the breach of consumer information at the credit reporting agency Equifax, the public is asking more than ever where and how their personal information is being used.

When evaluating potential acquisition or merger of target organizations, it is important to scrutinize the risks and benefits of large data sets that contain personal or sensitive information.

While privacy policies will not stop a breach from happening, looking at applicable controls an organization has in place during the due diligence process will serve to make the integration of systems more efficient, highlight any trouble spots where response to regulatory frameworks and requirements do not align, and identify missing controls before integrating disparate systems.

What is the geographic scope of the target organization? How does this change the regulatory landscape?

Based on the physical location of the organization and the types of data it collects, processes, transmits, and stores, an acquisition target may be simultaneously subject to multiple state, federal, international, and industry-specific privacy and compliance standards and laws. As more states and countries consider passing legislation, the privacy regulatory landscape continues to shift. Even where a privacy program exists, it must react swiftly to newly enacted legislation, which can vary widely in the changes it requires and in its impact on the business.

When assessing a target organization, it is paramount to confirm that the cybersecurity program and controls consider the full geographic scope. Likewise, review your own compliance function to ensure that your organization is ready to handle the added complexity that the acquired company will bring.

What did the target organization’s privacy policy state during the collection of personal data?

The U.S. Federal Trade Commission (FTC) has published clear guidance communicating that regardless of a merger or acquisition, organizations must continue to honor the promises made to consumers in privacy policies. The FTC considers failure to comply with published privacy policies a violation of Section 5 of the FTC Act, which bars unfair or deceptive acts in commerce.

When assessing a target organization, it is essential to confirm that any disclosure or new use of personal data will follow the promises made about the treatment of personal data in the target company's privacy policy. Any new uses of acquired data must be consistent with the purposes of processing described to consumers when the personal data was initially collected. Until you can verify that the intended uses are consistent (for example, providing a similar product or service), keep the newly acquired data segregated from the data your own organization has collected under its own notices, rather than merging the two sets.

Before the integration of data and systems, determine what consumer-facing actions, if any, must be taken to ensure the data can be shared and used. Actions may include providing notification to consumers of their right to opt-out of having their personal data shared, obtaining opt-in consent from consumers to share their personal data, or any other actions that allow you to demonstrate to regulators the privacy policy provided at the time of collection was sufficient notice for the future sharing of personal data, and your uses are consistent with the purposes of processing described at the time of collection.

Does the organization share personal data or other protected information with third parties? Do they have an adequate process to implement security and privacy safeguards over that data transfer?

As with related IT and cybersecurity risks, the greater the number of third parties involved in the use of personal or other sensitive data, the more complex compliance with privacy regulations becomes. Some legislative bodies, such as the European Commission and the State of California, have provided specific instructions and definitions around who qualifies as a third party and what requirements need to be in place to meet the letter of the law. Protecting in-scope data necessitates a comprehensive and mature process, inclusive of legal, compliance, IT/cybersecurity, and privacy teams. During due diligence, ensure that the data protection policies and procedures in place are adequate; otherwise, you may find your organization inheriting significant risk. Moreover, if the acquisition target does not have a robust data protection program in place, ensure that the integration plan includes strengthening this function.

Does the target organization have a process for identifying, classifying, and protecting data based on sensitivity or regulatory requirements?

Many organizations struggle after a breach because they do not have existing analysis and robust data mapping capabilities in place to proactively identify data in use or storage. Additionally, data is collected at such a rapid pace and volume that keeping track of what the organization currently possesses is an ongoing challenge. With potentially dozens of “data owners” and disconnected systems, it is difficult to identify what has been collected, where it is stored, how it is being used or processed, and if proper notice has been provided to customers.

During due diligence, review the data classification process and confirm that the organization has a good understanding of what it uses and stores on behalf of customers. Organizations should maintain robust data governance plans, data architectures, and detailed data flows and maps that demonstrate where sensitive elements exist in the environment and who is responsible for maintaining them.

As distinct data protection regulations become more common and multiply the requirements for protecting sensitive elements, organizations must consider how much sensitive data they store and what is shared with third parties. This is critically important during any merger or acquisition. Privacy and data governance capabilities should be an area of focused attention when conducting due diligence on a potential target organization and throughout the integration process.
