In an era of increasing M&A transactions, organizations need to understand the risks and potential liabilities associated with the personal information they obtain about their customers, suppliers and employees. Investors are increasingly turning to data protection advisers in the due diligence process. Organizations looking to form a strategic alliance, refinance their debt, or secure their next round of seed funding will need to be able to answer very specific questions about their data privacy program before the deal closes.
If you are responsible for data privacy in your organization, whether in the legal function or in some other cross-functional role, consider the following requests that we have seen during the due diligence process and how you would respond to a potential investor.
- Provide an overview of the company’s privacy compliance program.
- Provide approved and actual privacy program budgets for the past three years.
- Provide details of the organization’s due diligence on third-party service providers.
- Identify the extent to which the organization hosts customer data, whether on its cloud instance or on on-premises servers.
- Describe the measures taken by the organization to ensure compliance with marketing laws such as CAN-SPAM and TCPA.
- Describe the actions taken by the organization following Brexit.
- Confirm whether the organization’s data processing agreements include the contractual provisions of Article 28 GDPR and the cross-border transfer mechanism.
Is your data inventory in good enough condition to be turned over to an investor for review? Do you have a procedure for responding to consumer complaints? Do you have a privacy budget and plan for your privacy program?
If you are planning mergers and acquisitions in your future, now is the time to make sure that you have a budget to meet privacy requirements. Whether starting from scratch or building on an existing privacy program, your budget should take into account the volume and sensitivity of the data you process, the size of your business and the industry in which you operate, the maturity of your current privacy program, and any planned IT projects and investments in privacy tools.
The larger and more data-intensive a business, the more likely it is to have a managed privacy program in place. In this case, you will need to plan for the costs of running the program as well as future changes, such as handling consumer complaints, operationalizing data retention policies, and pre-checking third-party vendors. If you don’t have a formal privacy program, you will need to plan for one, including hiring staff and investing in technology to support the program.
If your data privacy budget needs to be increased, think about your M&A strategy and what criteria your new investor might consider for your next equities event.