“In the Digital Age, Every M&A Transaction Has Digital Considerations” – The Conference Board
Mergers & Acquisitions are a driving force across every industry, with 2020 seeing significant deals totalling around $3.6 trillion. In an age where everything is connected and data flows freely between those connections, data involvement during an M&A is now a paramount consideration for security and privacy compliance.
This fact is being echoed by the regulators. The European Data Protection Board (EDPB) recently published a statement covering the impact of data privacy when companies merge. The concern centres on the accumulation and combination of a rich data mix, the privacy of which may be lost during the M&A process. However, RegTech, or Regulatory Technology, which is designed to de-risk the M&A privacy conundrum, can come to the privacy rescue, helping organisations to avoid onboarding data protection risk.
The digital breadcrumbs within an M&A
Due diligence has always been a vital part of the M&A process. To ensure that a merger progresses smoothly, company assets need to be identified and consolidated. Documents that cover financials, corporate records, contracts, NDAs, patents, and so on, are consolidated under the due diligence banner. It is an intensive process from legal, personnel and technical perspectives.
Modern M&As have a further layer of complexity to deal with – digital due diligence and privacy and security regulatory compliance. As organizations digitise operations, digital due diligence becomes a vital part of the M&A process. Acquisitions bring not only innovation and sales to the purchaser, but they also add often vast amounts of digital data and the associated risk of handling it.
The EDPB statement mentioned previously reflects the situation in relation to M&As by outlining the issues with consolidation and sharing of merged data. The EDPB view on digital due diligence during an M&A was a reaction to the acquisition of Fitbit, Inc. by Google LLC. The EDPB was concerned about the privacy impact of a merger of two particularly data-rich entities. The EDPB highlights the need to be cognizant of the:
“obligations under the GDPR and to conduct in a transparent way a full assessment of the data protection requirements and privacy implications of the merger.”
The EDPB also emphasised in the statement that these privacy risks must be mitigated before:
“notifying the merger to the European Commission.”
But where does this leave the rest of the business world when considering M&As? How is this data and compliance risk mitigated and dealt with?
Merging and mitigating privacy risk during an M&A
An M&A brings with it significant compliance risk. This risk was felt keenly by Marriott International Inc. in the now infamous 2018 data breach. The breach affected the customer data of Starwood Hotels and Resorts Worldwide, Inc., which Marriott had acquired in 2016. Notably, the data breach occurred before the acquisition but was not discovered until after the M&A was complete. The UK’s ICO confirmed the problem in a statement:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Marriott was subsequently fined almost £100 million ($139 million).
The fact is that in any acquisition, the parent company will be held to account for any privacy or security failure by the acquired company. Performing deep and effective privacy and security due diligence requires visibility and a digital-first approach to the M&A process: simply put, if you don’t know what information you have, you can’t control it.
A digital-first view of M&As using Regulatory Technology (RegTech)
De-risking data privacy and data security during an M&A is an integral part of the process. Organisations frequently have the desire to avoid the onboarding of risk, but in the data-rich world of the modern enterprise, this is complicated by lack of visibility. According to Gartner Inc., only 37% of firms have an information governance framework that can adapt to the changing regulatory landscape.
It seems that handling data privacy through M&As remains something of an ‘elephant in the room’. Fortunately, it doesn’t need to be this way. RegTech is designed to automate and enable the work required to meet data-focused regulations within a data-rich environment. It also provides the extra help needed to complete M&As on time and within the regulatory requirements.
Functionality that is vital to ensuring compliance maps between the two entities and continues seamlessly throughout the M&A process includes:
- Data visibility through eDiscovery or RegTech: One of the core remits of RegTech solutions is the ability to locate data across the entire data real estate of an organisation. Systems such as the RegTech platform Savannah (Savannah Discovery and Redaction System) are used to discover data and then map these data against privacy regulations such as GDPR and CCPA. This data discovery capability is the missing component of digital due diligence during an M&A.
- Capture of documentation: M&As take time, with the time to completion increasing by 30% in the last decade, according to Gartner Inc. One of the ways to reduce time to completion is to automate document capture using a specialist document scanning capability ahead of the proposed M&A.
Privacy and security are no longer M&A afterthoughts
Privacy and security of data are an integral part of good company governance. Data breaches are costly both in terms of financial losses and in customer trust. M&As add a significant risk of taking on another company’s poor data protection practices and opening up gaps in the overall data governance and compliance of the merged organization. This is backed up by evidence such as that from West Monroe Partners and Mergermarket, in a study, “Testing the defenses: Cybersecurity due diligence in M&A”. In the survey, 80% of participants said cybersecurity was “highly important” during an M&A, with 40% identifying a cybersecurity breach after the merger was complete. But cyber security is of course only part of the picture and not the entire solution.
Consider the objective of both sides of a transaction:
- An organisation that successfully makes Data Privacy a strategic priority will have reduced the risk of potential cyber-attacks by understanding its exposure to data protection risk, ensuring it holds only the data it needs and putting in place appropriate technical and organisational measures to protect it. In turn, it will very likely increase its value in the process.
- On the other side, an acquiring organisation that successfully conducts digital due diligence will mitigate risk during the process and potentially positively influence the purchase price in their favour.
Either way, the need for deep and effective digital due diligence is reinforced by research from Angel Capital Education Foundation showing that greater due diligence results in greater overall exit multiples.
RegTech provides the tools to understand exposure to data protection risk, move to mitigate it and aid more comprehensive and compliant M&A transactions, even across the most data-rich company real estate.