The increasing importance of data privacy in M&A

by Khadija Tahir

Over the past decade, attention to data privacy and cybersecurity due diligence in merger and acquisition (M&A) transactions has increased drastically. Gone are the days of assuming that privacy and cybersecurity regulations affect only companies operating in the technology and innovation sectors. Today, virtually every company collects personal information, even if only minimal data such as name, username, age, password, or device identifiers, about its customers, clients, employees, and business representatives, and that information may be subject to data privacy and security regulations in the U.S. and around the world. A seller's compliance with applicable data privacy and security regulations can be pivotal, and at times a deal breaker, for an M&A transaction, especially when the seller's store of personal information is one of the main assets the buyer is acquiring.

A privacy approach 

What if the M&A deal itself had these privacy concerns built into its structure from the start? In this paradigm, the deal is carried out with full legal oversight that ties privacy and security exposure to the systems that will be in place once the deal goes through. People, processes, and technology then not only comply with privacy regulations but also deliver additional capabilities for the merged corporation. To build this paradigm, any M&A deal must include the following four critical stages.

Companies need to thoroughly understand privacy exposure during the screening process. If the target business is noncompliant, the risk of privacy exposure must be factored into the deal's value. Any discount resulting from that risk will depend on the potential revenue to be earned from customer data post-merger; data analysis can help determine those figures. The acquiring firm will also have to spend an as-yet-undetermined amount to bring the merged entity into compliance with existing regulations. To support this kind of screening, a compliance maturity measure can be used to compare the estimated cost of bringing the target into compliance with the cost of the acquisition. If compliance maturity is low, the acquiring company might want to forgo the deal.

Data privacy due diligence should start with a data room in place. Along with the basic risk audit, companies should carry out a vulnerability mapping exercise (think penetration tests and vulnerability assessments). This puts both companies in the same "data room" to discuss what internal data each firm holds, why it holds it, and how the combined data footprint will look post-merger. It also means working out what to do with personally identifiable information (PII) and drawing up a confidentiality agreement that covers as-yet-unknown reputational risks. A well-run data room helps satisfy regulators once the deal closes and can head off fines. It also ensures that the pre-merger firms do not disclose sensitive customer and competitive information to each other. Care must be taken to set up the data room so that:

It is "clean," i.e., tightly controlled, with consent required before any sharing of customer data.

No data downloads or extractions take place.

Data is anonymized or pseudonymized so that information about real people is not shared.

The deal structure needs to include data privacy. Companies should map out what data is held, how it is processed, and what regulations, if any, the processing of that data must meet. If the consent and data transfer agreements in the deal are not compliant with the regulations that apply, the sale of data between the firms will be null and void post-merger. Further, both firms must ensure that customers are aware of the transaction and of how their data will be used in the merged entity. The deal structure also needs to ensure that disputes can be resolved efficiently and robustly, which requires a warranty agreement that accounts for any ongoing investigations or complaints.

Both firms need to integrate IT systems and migrate data after the deal closes. This stage ensures business continuity and updates employees and partners on data privacy policies. As part of this exercise, the following things should happen:

Detailed discovery identifies the personal data footprint of each merged entity, and a joint data inventory is mapped out. Discovery can be fast-tracked by using artificial intelligence to scan unstructured data, which is otherwise an uphill task.

Records of processing are drawn up to ensure that data is used only in the way it was originally intended.

Customer consent is established, including the thorny question of how contradictory customer files, common to both merged entities, are to be processed.

Data privacy policies and guidelines for the merged entity are designed and implemented. 

A change management training plan is drawn up to ensure employees understand and embrace changes in privacy policies and processes. Current privacy regulations clearly set out the need to train employees, and that training is the responsibility of the acquiring organization.

Access rights from both organizations are reflected in the handling of data subject access requests.

The target operating model of the merged firm is defined, whether it is decentralized, centralized, or hybrid. 

Along with an effective post-merger business and operating model, the success of an M&A deal often rests on how quickly and seamlessly the integration phase is completed and how soon synergies are unlocked. Data exchange, data quality, and data governance technology increase the speed of implementation by automating much of the process, and they reduce the chance that human intervention leads to a data breach.
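As an added example of the discovery, data-room and reconciliation steps described above (illustrative code written for this page, not the article's or Infosys's own tooling): a small Python scanner that finds a few categories of personal data in unstructured text, builds a per-source inventory that holds counts rather than raw values, pseudonymises each value with a keyed HMAC so that a data-room copy shares no information about real people, and uses the same tokens to spot the customer records both firms hold. The detector patterns, the Luhn check, the North American phone normalisation, the key and the two sample documents are all assumptions constructed for the example.

```python
"""Personal-data discovery, joint inventory and keyed pseudonymisation.
Added example, not from the article or Infosys; patterns, tokenisation scheme
and sample documents are constructed for illustration."""
import hashlib
import hmac
import re
from collections import Counter, defaultdict

# Simple detectors for three categories; a real scanner carries a far larger catalogue.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "card": re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _scan(text: str) -> list:
    """Non-overlapping (start, end, category, value) matches in free text."""
    found = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if category == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # e.g. an order reference that fails the checksum
            found.append((m.start(), m.end(), category, value))
    # A card number can contain a phone-shaped run; keep the earliest, longest match.
    found.sort(key=lambda t: (t[0], -(t[1] - t[0])))
    kept, last_end = [], -1
    for span in found:
        if span[0] >= last_end:
            kept.append(span)
            last_end = span[1]
    return kept

def find_pii(text: str) -> list:
    """(category, value) pairs found in free text."""
    return [(category, value) for _, _, category, value in _scan(text)]

def build_inventory(docs: dict) -> dict:
    """Per-source counts by category: a joint inventory that stores no raw values."""
    return {src: Counter(cat for cat, _ in find_pii(text)) for src, text in docs.items()}

def _normalize(category: str, value: str) -> str:
    if category == "email":
        return value.lower()
    digits = re.sub(r"\D", "", value)
    # Assumption: North American numbering; drop a leading country code.
    if category == "phone" and len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits

def _token(category: str, value: str, key: bytes) -> str:
    # HMAC rather than a bare hash: without the key the value space cannot be brute-forced
    # back to a real person, yet the same key on both firms' data yields the same token.
    tag = hmac.new(key, _normalize(category, value).encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{category}:{tag}>"

def pseudonymize(text: str, key: bytes) -> str:
    """Replace every detected value with its keyed token (the data-room copy)."""
    out = text
    for start, end, category, value in sorted(_scan(text), reverse=True):
        out = out[:start] + _token(category, value, key) + out[end:]
    return out

def shared_identities(docs: dict, key: bytes) -> dict:
    """Tokens seen in more than one source: the customer records both firms hold."""
    seen = defaultdict(set)
    for src, text in docs.items():
        for _, _, category, value in _scan(text):
            seen[_token(category, value, key)].add(src)
    return {tok: srcs for tok, srcs in seen.items() if len(srcs) > 1}

# Constructed sample: one document from each (fictional) pre-merger firm.
SAMPLE_DOCS = {
    "acquirerco/crm_export.txt": (
        "Ticket 4402: customer Dana.Reyes@example.com called from (415) 555-0101 "
        "about card 4111 1111 1111 1111 declined. Order ref 9876 5432 1098 7654 shipped."
    ),
    "targetco/support_notes.txt": (
        "Follow-up for dana.reyes@example.com, phone +1 415-555-0101; "
        "also reached ops@example.net (internal)."
    ),
}

if __name__ == "__main__":
    key = b"constructed-data-room-key"  # assumption: agreed out of band by both firms
    print(build_inventory(SAMPLE_DOCS))
    print(shared_identities(SAMPLE_DOCS, key))
```

Run it directly to print the inventory and the shared tokens for the two constructed documents. The key matters: a plain hash of an e-mail address can be reversed by hashing a list of candidate addresses, whereas an HMAC token can only be reversed by someone holding the key, so the key should be generated for the data room and never stored beside the pseudonymised copy.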

The data privacy system 

Managing data security comprehensively is a major undertaking. Companies need to take care of many moving parts, bring together diverse teams with different skill sets, and keep up with the pace of innovation in technology and operating models. At Infosys, we have found that established frameworks and reference architectures for data privacy add another level of insurance to M&A deals. The framework below (Figure 1) includes program and change management, and governance and execution processes, across four stages: collect and analyze; design and synergize; build and transition; and stabilize and monitor.

Collect and analyze — The as-is status is analyzed and existing processes are documented. Workshops help identify gaps and risks with respect to data privacy, ethics, and regulations ahead of a formal gap assessment.

Design and synergize — The overall privacy architecture and operating model are designed. Based on the gap reports and workshops, a road map is laid out for the acquiring organization.

Build and transition — This is where the target operating model is implemented. Various mechanisms and measures are put in place to test capabilities, and policies and procedures are implemented or revamped in response to the gap analysis report.

Stabilize and monitor — A trusted partner can supervise and assess the ongoing risks and outputs.
