Data risk: Are you acquiring an asset? Or a liability?

Alvarez & Marsal’s Matthew Negus outlines the key data and privacy risks firms face when acquiring target companies, and what they can do to mitigate them.

Global merger and acquisition activity smashed all-time records in 2021, with the global value of deals exceeding $5 trillion. Technology remained a key sector, as global economies kicked on from the pandemic-induced slowdown of 2020. The fact that technology enjoyed the largest share of the M&A market in 2021 didn’t come as a total surprise: organizations that invested further in digital initiatives, data strategies and online activities saw a surge in demand during the pandemic, providing a means for people, governments and businesses to engage and maintain their operations.

Data and technology have become increasingly important factors in M&A deals, as new technologies proliferate and organizations come under pressure to use their data to gain a competitive edge. But acquirers can face serious issues if they fail to do their homework properly by incorporating privacy and data protection risk into their due diligence procedures.

The UK and EU General Data Protection Regulations, or GDPR, provide data protection supervisory authorities with powers to impose fines of up to 4 percent of annual global revenue for serious breaches and compliance failures. Beyond this, the potential commercialization opportunities for data and analytics, and whole business propositions, can be seriously affected if material legacy and compliance risks are uncovered.

There have been well-publicized cases of acquiring organizations being on the receiving end of regulatory enforcement action and consumer litigation because of historic incidents and breaches coming to light long after the closing of the deal.

Below we consider the most common risks and threats from a privacy and data protection perspective, and the mitigating measures firms can take to offset these risks.

Most common risks and threats

  • Pre-transaction due diligence work does not include an adequate assessment of the risks of regulatory enforcement and litigation associated with privacy and data compliance.
  • Applicability of privacy and data compliance laws and regulations is focused on the jurisdiction of the headquarters and does not take account of the international footprint and the extent of cross-border services provided, including the impact of local market regulations.
  • Valuations of data assets and digital strategies insufficiently consider the impact of privacy laws, including on the monetization of user analytics and the commercial ability to use and sell data for marketing and consumer profiling.
  • Post-transaction delays or regulatory restrictions occur where privacy and data compliance are not factored adequately into new corporate structures, resourcing levels, business strategy, technology and business process integration and overall data governance.

Risk management focus areas

Regulatory filings, policies, privacy notices:

Organizations should first focus on the more visible or obvious data compliance and privacy risk management areas including existing policies, procedures, training materials, authorizations or notifications lodged with supervisory authorities. This includes public-facing privacy notices used at key data collection points such as websites and mobile apps. This information should either be disclosed in the data room by the other party to the transaction or, in some cases, may be available through existing online resources.

Management information/Key risk indicators:

Existing metrics and logs maintained by the other party, including historic incidents, breaches, complaints, litigation, regulatory investigations, previous audit findings and individual rights requests, should be scrutinized. The nature and volume of such matters may provide essential details about historic compliance challenges and highlight weaknesses in key resourcing, systems, vendors and processes. This information should be requested as part of the due diligence of data room materials.

Governance structure:

Understand the overall maturity of privacy compliance and risk awareness, including determining whether responsibility for privacy and data compliance matters has been designated to specific individuals within the organization – typically within legal, technology or compliance functions – and if the resourcing levels appear to be commensurate with the size and activities of the target. Inadequate attention in this area is likely to require management investment to address potential resourcing gaps and governance arrangements. Typically, this information may not be available in the data room and would need to be obtained through discussions with target stakeholders.

Cross-border data transfers:

Identify cross-border personal data transfers on an intra-company basis (such as critical operational systems) and amongst third-party vendors and service providers to establish whether appropriate compliance mechanisms, such as contractual safeguards, are in place, and whether high-risk data transfers are occurring, such as those outside of the European Economic Area or involving jurisdictions subject to outsourcing restrictions or professional secrecy obligations. Such information will likely need to be obtained through the legal function of the target organization.

Supply chain and vendor relationships:

The nature of third-party supplier and vendor relationships is a key risk area and particular focus should be placed on the materiality of services provided, whether such services are subject to any form of regulation, the sensitivity of the services and the underlying personal data handled. While it is unlikely to be possible to review all existing contracts held by the target, critical/material service providers should be prioritized, including risk assessments, service performance, reported incidents and record-keeping. Acquiring organizations should stipulate that material outsourcing contracts be made available by the target in the data room.

Data usage, legacy datasets and retention:

A crucial, but time-consuming, aspect of the due diligence process is the extent of personal data usage throughout the target organization, including the nature and volume of personal data, any categories of sensitive personal data, the identification of core and legacy/retired systems containing personal data and retention practices for electronic and physical data. These are challenging areas for many organizations, and it can be difficult to undertake an in-depth review as part of the due diligence phase. But this is an area where historic issues tend to come to light that can expose organizations to regulatory investigations, limit the extent to which datasets can be utilized for marketing and other commercial endeavors and ultimately lead to costly remediation work. Increasingly, products and services will directly or indirectly capture personal data, monitor performance and provide crucial analytics around the customer experience and opportunities for product improvement and targeted marketing and sales. However, privacy failings can often mean that something positioned as a valuable asset is in fact a potential liability. Acquiring organizations should therefore seek to obtain targeted meetings with the chief information/technology officer during the due diligence phase.

The above highlights the growing importance of making privacy and data risk a core component of due diligence activities in M&A deals. Organizations can ill afford to disregard the crucial role that personal data risk assessments play in corporate transactions and the associated regulatory, technology and commercial implications involved.

Matthew Negus is senior director, Privacy & Data Compliance Services, at Alvarez & Marsal in London.