Today, growing an organization through Mergers & Acquisitions (M&A) has become a popular business practice. This can lead to great success, but it can also create a potential liability for the acquirer if global data privacy laws and regulations are not considered during the acquisition. Businesses that adopt this strategy need to be aware of how to handle the data involved in the acquisitions.
Between new and evolving data privacy laws, increased focus from regulators, and increased liability on the acquirer, incorporating data privacy practices into the M&A transaction process is a necessity.
Speakers
Darren Abernethy
Shareholder,
Ad Tech, Data Privacy & Cybersecurity,
Greenberg Traurig, LLP
abernethyd@gtlaw.com
https://www.linkedin.com/in/djabernethy/
Paul Iagnocco
Customer Enablement Lead and Senior
Privacy Consultant,
TrustArc
piagnocco@trustarc.com
https://www.linkedin.com/in/paul-iagnocco/
Legal Disclaimer
The information provided during this webinar does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented during this webinar are for general informational purposes only.
Agenda
- Mergers & Acquisitions (M&A) Overview
- Pre-Planning M&A Process
- M&A Due Diligence Considerations
- Privacy & Data Security for Start-Ups
- M&A Post-Signing Considerations
- Foundational Prep – Data Inventory and Mapping
- Questions & Answers
Privacy and data security considerations, far from being relevant solely for international data transfer or data breach reasons, have come to play a central role in today’s mergers and acquisitions (M&A) landscape — for buyers and sellers alike.
In a data economy, data is a valuable asset.
Whether a prospective buyer or target, as a pre-condition to participating in any merger or commercial transaction, a company should assess and fully understand its own privacy program, especially its data flows and the types of data collected, its information security practices, its partners’ data inputs and outputs, and its contractual obligations.
Pre M&A Planning

Strategy & Internal Review
- Assess and understand the internal privacy program and its maturity
- Assess data flows, the types of data collected, and information security practices
- Consider how your privacy and data security posture could impact the proposed deal
- Consider your risk profile and any data processing partners

Considerations & Questions
- Do you have visibility into the entire information life cycle?
- Are you mainly a Data Controller or a Data Processor?
- Does your privacy program have C-Suite buy-in?
- Are there specific regulations or frameworks that are relevant? At what level of compliance?

Geographical Considerations
- Clarity on established locations: what goods/services are offered in each area?
- Are there international data transfers happening today? Are they subject to specific agreements or regulations (e.g., GDPR SCCs)?
- Will the M&A itself create a cross-border transfer situation?
- What about monitoring or OBA (online behavioral advertising) tracking?
- Does data localization apply?
Mergers & Acquisitions Due Diligence:
- Virtual Data Room
- Notice & Terms
- Data Privacy and Security
- Vendors & Service Providers
- Employee Data
- Representation & Warranties Insurance Underwriters
- Other Considerations
The extent to which data privacy and security are the focus of an M&A deal will depend on the underlying specifics:
- volume, sensitivity and origins of the data involved
- industries implicated
- readiness and ability to demonstrate internal privacy and data governance practices
- whether external privacy promises have been honored
- data subjects’ control over their personal data
Evaluation of buyers and sellers is wide-ranging and varies uniquely with each transaction.
M&A Due Diligence

Privacy Notices and Terms of Use
- What obligations attached to any given personal data at the time of collection?
- Were adequate disclosures provided at the time of collection? Were they compliant with local regulations?
- Are there current or legacy privacy promises/conditions that will NOT be honored?
- Do legacy policies or related data subject consents exist that may need to be amended/refreshed?

Data Security Considerations
- Are D/PIAs (data protection / privacy impact assessments) on file to demonstrate the company’s precautions before “high risk” data processing?
- If processing depends on a legitimate-interest basis, the “balancing test” needs to be demonstrable.
- Full analysis of infosec programs, in terms of formal protocols followed, documented policies, employee training, and internal or external audits.
- History of any known or suspected data incidents and cyberattacks, and the responses taken in each case.
- Need to demonstrate breach response plans, disaster recovery and business continuity plans – have they been tested?
- Are there any past, present or prospective (known) legal actions?
- What levels of encryption are used throughout the organization, and how is this determined and monitored?
- What methods of de-identification or pseudonymization of data are used?
M&A Due Diligence (continued)

Vendors and Service Providers
- Who are the vendors and service providers of the parties involved? What are their roles?
- What are the relationships concerning personal data transfer/usage—contractually and in day-to-day practice?
- Is a comprehensive vendor management program in place that vets prospective vendors’ data privacy and security practices before working with them?
- What are their data retention policies?
- Is a written contract in place between the vendor (data processor) and the data owner (data controller)? Does it include the necessary support from data processors, especially for DSAR actions?
- Are vendor audits conducted for contract compliance? What about SLAs?
- Is there an obligation to notify the data controller of security incidents, facilitate subject access requests, or maintain “reasonable” technical and physical safeguards?
- Are there subcontractors? Is approval required for a vendor to engage subcontractors?

Employee Data
- Do the parties have proper documentation for their employee privacy policies?
- How do the parties intend to handle the transfer of employee data in the event of a merger?
- Have employees been informed of their individual privacy rights and the means to exercise those rights?
- Does any party have potential issues from lax HR policies?
- Might a new entity need to seek a legal transfer mechanism?
M&A Due Diligence (continued)

Other Considerations
- Do the parties have clarity (after data inventorying and mapping) on the applicable federal, state/provincial and/or international laws that may be triggered moving forward?
- What will be the scope of the various representations and warranties?
- Do any parties have cyber insurance, data breach insurance, and/or director & officer insurance policies in place? Will they need adjustment?
- Consider the breadth of any NDAs and the due diligence review logistics (e.g., secure data rooms, watermarking, what is to be shared, etc.).
- What privacy- or data security-related closing conditions will be required of the parties?
- Have individuals on all sides of the transaction been designated to oversee the legal and technical measures that must be in place to avoid unauthorized disclosures?
- What exactly will be included within the definition of “personal data”?

Bankruptcy
- Get your financial house in order.
- Providing the value of data is important no matter what.
- Be prepared for creditors.
Privacy & Data Security Considerations for Start-Ups
Build a privacy-centric business culture
• Establish enterprise-wide principles
• Transparency to build customer trust
• Align with Marketing
Build business from day 1 based on “Privacy by Design” principles
• Proactive NOT Reactive
• Privacy as the Default Setting
• Privacy Embedded into Design
• Full Functionality – Positive-Sum, not Zero-Sum
• End-to-End Security – Full Lifecycle Protection
• Visibility and Transparency – Keep it Open
• Respect for User Privacy – Keep it User-Centric
Build a Privacy Program that matures with the Business
• Always screen for the collection of PII
• Complete and maintain data inventories – understand risk
• Align with purchasing or procurement – Is processing of PII being done?
• Always be prepared to demonstrate what has been done
Depending on factors ranging from the deal’s size to the volume of data and the industries involved, a transaction’s post-signing phase can take different paths:
- regulatory reviews
- requests to update or exit voluntary frameworks
- considerations of integration planning among the parties
M&A Post-Signing

Post-Signing Considerations
- Will a special regulatory review—which often sees voluminous requests for internal records—be necessary?
- Is there any data, personal or otherwise, that is determined as not germane to the merged entity or overly sensitive/unwanted, such that it will be intentionally excluded from the data transfers among the parties (e.g., deleted, returned or aggregated)?
- How will the deal’s transactional documents account for privacy- and data security-related issues that arise after the deal is consummated? How is accountability shared?

Integration Planning:
• How will the companies’ policies be revised and/or combined?
• How will employee/HR records be integrated?
• Whose infrastructure will be used and whose data will be ported in?
• What new consents must be requested of data subjects for secondary or materially new purposes?
• How will new vendors be assessed and monitored going forward?
• How will the companies’ information security frameworks be aligned?
• How will an APEC CBPR- or Privacy Shield-affiliated company integrate an as-yet non-compliant new affiliate into the corporate family?
• Must any other regulators be notified?
Data Inventory and Mapping
1. Whether you want to buy or sell your company, it is essential that you perform the proper due diligence when it comes to privacy.
2. Data Inventory Hub and Mapping can help:
• Identify data flowing into and out of the business
• Identify potential areas of risk in the business process
• Identify what instruments of compliance need to be addressed – regulatory reports
• Identify where to access data for customer DSARs
A proper data inventory should tell a “data” story – data types, processing, sharing, risks, etc. about the overall data life cycle in a business.
Thank You!
See http://www.trustarc.com/insightseries for the 2022 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.