By now, most companies understand that data privacy issues should be part of routine due diligence when evaluating a proposed transaction. Acquiring parties need to look out for potential privacy-related liabilities arising from the target's compliance (or non-compliance) with applicable data protection laws. Target companies need to be prepared to respond to such inquiries and to address any gaps or issues before they are raised.
As part of the due diligence process, acquiring parties should gather the data-related information that will ultimately underpin the warranties and indemnities they are likely to seek from the target. For example:
- Has the target had data breaches or been engaged in data privacy disputes; if yes, what were the results and resolutions?
- Does the target have adequate IT and cybersecurity mechanisms in place; if not, what is missing?
- Does the target conduct regular data compliance audits; if yes, what were the results of those audits?
- Does the target have cyber insurance policies; if so, what is covered?
- Does the target have appropriate data and privacy protection policies, and is there a compliance officer responsible for monitoring compliance with those policies?
Another important diligence question that parties to a transaction must consider is whether data held by the target can lawfully be shared with, or transferred to, the acquirer, taking into account both the scope of the consents under which the data was collected and any exemptions or prohibitions in the governing data protection laws.
Substantively, most countries have laws restricting the buying and selling of personal data, but when a company is acquired it is possible for those protections to effectively disappear, because the data changes hands along with the business rather than through a sale of the data itself. As a consequence, regulators are likely to scrutinize this issue closely in data-driven transactions. Parties embarking on data-driven mergers that may be subject to regulatory merger review would therefore be well served to include individuals with privacy expertise on the team engaging with regulators.