Privacy and data security considerations, far from being relevant solely for international data transfer or data breach reasons, have come to play a central role in today’s mergers and acquisitions (M&A) landscape — for buyers and sellers alike.
There are several practical privacy and data security considerations that companies should keep in mind during the mergers and acquisitions process. Each phase of the merger and acquisition process has its own specific considerations. The following are examples from each of those phases discussed in the Privacy Advisory: Privacy and Data Security in Mergers & Acquisitions.
I. Pre-M&A Planning and Internal Strategy/Objectives
EU General Data Protection Regulation (GDPR) Compliant — Has any M&A-interested party been assessed against the EU GDPR law that takes effect on May 25, 2018, which may impact any company that handles EU resident data? Have the same companies also assessed or requested that their own partners/vendors be GDPR-compliant?
II. The Due Diligence and Pre-Signing Stages
At a minimum, all parties involved will need to evaluate their privacy notices — for all products, services, and regions, whether covering mobile devices, an ad tech platform, or a marketing website, to name a few — to identify any potential areas where they may implicate different countries’ domestic legislation such as in the U.S., with the FTC Act § 5 covering unfair or deceptive practices.
III. Post-Signing and Post-Closing
Regulatory Reviews—Will a special regulatory review—which often sees voluminous requests for internal records—be necessary based on the publicly-traded nature of the parties, the proposed deal’s financial valuation, or because the transaction implicates a highly-regulated industry?
To read the entire advisory, which includes best practices and examples, download it here.