Mergers and Acquisitions (M&A), are undoubtedly complex transactions that involve extensive and meticulous evaluation of financials, strategic alignment, and operational and legal synergies. However, more recently another critical aspect has been added to the equation that can significantly affect the value and success of a deal: data protection and privacy compliance.
In today's data driven economy, where privacy regulations are rising along with the risk of heavy financial penalties for non-compliance, overlooking data protection during an M&A transaction can expose the parties to unforeseen risks and liabilities. Data protection can therefore be the dark horse that can affect significantly the overall valuation, the due diligence process and integration strategy of the transaction and merging entities.
Data Protection and privacy compliance entails risk management through the control environment and the procedures an organisation has in place to not only meet its legal and regulatory responsibilities but also to minimise its exposure to any security threat that can affect its reputation. From a data privacy perspective, the stronger and more secure an organisation's control environment stands against the complex and ever-changing regulatory environment the higher the value it can attract at the time of an acquisition. On the other hand, the higher the risk associated with data protection, the lower an organisation's value can be during an acquisition. Potential buyers are expected to conduct thorough due diligence on data privacy and the seller's security practices so that any gaps in their control environment or risk of non-compliance with the applicable laws and regulations can lead to reduced offers or even collapse of a deal. Therefore, a strong privacy and data protection program not only mitigates risks but also demonstrates an organisation's commitment to safeguarding personal data, thus enhancing trust and making it a more attractive acquisition target. Effective data protection measures ensure that personal data can be used legally and efficiently preserving its value as an asset in the acquisition.
From a buyer's perspective, a number of different factors need to be evaluated at the time of a potential acquisition to assess the risks and the value of the seller organization:
- One of the primary considerations is to demonstrate understanding of the types of personal data the seller organisation is processing (this will also depend upon the sector in which the target organisation is operating) and the legality of the collection practices;
- The target organisation's data flows and sources from where personal data come, (e.g. EU or third-country territories that can affect the compliance requirements with the processing of such data);
- The systems and IT infrastructure of the target organisation and the extent to which such systems are backed with updated data privacy impact assessments that indicate known and mitigated risks;
- The buyer also needs to assess and understand the third-party relationships of the target company (third party vendors) that process personal data and the associated liabilities of those relationships;
- Data retention and disposal practices are also very important to consider, as a buyer might end up acquiring a portfolio of legacy personal data with a high risk of security;
- The existence of data breach incidents and the effectiveness of the controls in place to handle data breach incidents is another crucial factor.
On the other side of the transaction, the seller/target organisation needs to be in a position to demonstrate that there are appropriate controls and procedures in place to facilitate compliance with the applicable legislation (across all the regions where it operates). Strong data governance and risk mitigation are important components so that a seller can showcase a risk-averse culture that can strengthen its position during the negotiations. It is therefore essential to foster trust and transparency. This can be achieved through comprehensive privacy audits and assessments prior to entering into negotiations that can clearly indicate where gaps and risks exist, providing the buyer with a clear picture of the privacy and data protection compliance stance of the seller. Additionally, the seller should work with the buyer to align data usage plans and prepare for a seamless post transaction integration.
Especially over the last decade, where privacy awareness is rising and data protection laws are being enacted in many countries around the world, the data protection implications can be crucial during a corporate transaction. The purchase price of the acquisition of Yahoo by Verizon in 2016 was reduced by the sellers as a result of data breaches that were identified prior to the completion of the acquisition by $350 million USD (Wall Street Journal, Why Verizon Decided to Stick With Yahoo Deal After Big Data Breaches (July 2017)). Another characteristic example is the imposition of a monetary fine of £18,4 million to Marriott Inc. after the acquisition of Starwood Hotels by the UK ICO in relation to a data breach that predated the acquisition. Marriott, as a result, was found in breach of processing personal data in a manner that did not ensure appropriate security of the personal data, which was a result of the limited due diligence conducted on Starwood's data processing systems and databases as part of the acquisition process (UK ICO, Case ref: COM0804337 (October 2020))
As the digital economy continues to evolve, data protection regulations and the ability to navigate these compliance requirements can significantly influence the success and valuation of M&A transactions. Effective data protection due diligence throughout the M&A transaction becomes a necessity to assess data protection risks and ensure that compliance measures are not just in place but are also actively enforced. Failure to do so can result in severe financial penalties, reputational damage, and potential deal failures. Therefore, integrating comprehensive data protection strategies into the M&A process is not merely a regulatory requirement but a strategic imperative that can drive value creation and secure the long-term success of the transaction.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.