How to Plan for Data Privacy in Business Acquisitions

, ,

In business, data can be an asset or a liability—and many times it can be both. For those interested in buying a business, data privacy considerations have changed in the past few years. With the General Data Protection Regulation (GDPR) and state privacy regulations like the California Consumer Protection Act (CCPA) in place, buyers interested in business acquisitions have to know what they could potentially be taking on in terms of opportunities or risk. 

This is especially applicable to companies who operated prior to the GDPR, and may have obtained third-party data prior to EU regulations coming into effect.

No one wants to be caught off guard, especially when you’re set to expand your business holdings. And you definitely don’t want to find yourself breaking consumer trust through privacy missteps before a business acquisition is even complete. The best thing you can do to protect yourself is to be thorough and diligent—and keep your eye on privacy issues. 

Before you sign on the dotted line, weigh the following considerations when it comes to potential acquisition, privacy concerns, and protecting your interests. 

What does due diligence show you about their privacy practices?

If you’re in the market for acquisitions, you already know this: thorough due diligence is critical to potential business acquisitions. Potential buyers need to understand what it is they’re buying. A thorough audit of a business’s current data collection practices is key to spotting any potential liabilities—or opportunities—for your team. 

But does your due diligence cover privacy practices?

Here are some privacy-related issues to include in your audit.

How data is collected

  • How does the business collect information from both consumers and employees?
  • In which jurisdictions does this business operate and collect data? Consider this at both the regional and sectoral levels.
  • Does the business’ data collection procedure align with current policies in places it operates, with the correct privacy notices?

What data is collected

  • Find out exactly what categories of personal information the business collects. Does any of it qualify as sensitive or special categories of personal information as defined by applicable jurisdictions?
  • Does this collection practice align with the business’ policies and disclosures? 
  • Has personal data been correctly cataloged? 
  • At what scale does the business collect personal information? Does it only collect employee or client data, or does it also collect other third-party information?

How data is stored

  • Where does the business store their collected data? 
  • How does the business protect personal data stored on paper (such as any printed files), compared to data collected and stored electronically?
  • What storage system does it employ? 
  • How does it maintain records of consent for shared data?

Visiting a business’ facilities to verify practices can be a valuable act of due diligence in situations. This can include visiting their digital sites to assess privacy practices such as opt-in consent, privacy notices and should also include meetings with engineers and developers as applicable to understand the data lifecycle.. 

Who else has access to the collected data 

  • What vendors or third parties may have access to any information the seller collects? 
  • What are the business’s vendor policies and third party agreement? How are third parties using any collected data? 
  • How does data access vary across employees? Do all employees have access to the same systems? How are employees vetted? 
  • What contracts does the company have with vendors? What level of data access do the contracts grant vendors? Do the contracts include provisions for privacy and security measures? 

Current compliance procedures 

  • How does the seller currently disclose its data privacy procedures? 
  • How does its policies vary across platforms, such as social media platforms or email marketing? 
  • Are the business’ records up to date? 

Security and history of data protection

  • Does the business have a history of data breaches or security incidents? 
  • How has the company reacted to changing privacy laws and regulations? 
  • Does the business have any outstanding claims or investigations related to data privacy? 
  • What security does the company have in place? This can vary from physical security to electronic firewalls, network security, authentication requirements, and personnel authorizations.

Once you have a complete understanding of the state of data privacy and protections in a potential business, you should be able to better determine if their personal data collection practices and privacy activities would be added value or added liability.  

In addition to a complete audit of the company in question, it’s also smart to consider how their data would become your data. Does that data automatically transfer ownership? Does the seller have the right to transfer that information? 

How will privacy regulations apply to the acquisition? 

Data policies vary between locations. For example, the EU has the GDPR—but its policies extend if you collect data from an EU citizen, even if you’re based in the U.S. 

Within the U.S. itself, different states, such as Virginia, California, Colorado, Connecticut, and Utah all have their own data protection acts. 

Review where the business operates, and how its operations may impact what data transfers to new ownership, as well as how it can be used. As your purchase progresses, ask what data the company will transfer in the sale, including any personal data they’ve collected. 

Other key information includes:

  • What personal data does the seller have the right to transfer, based on government regulations and their own privacy policies?
  • What personal data does the buyer have the right to use?
  • Can the subject’s consent transfer to the new owner, or would you have to re-obtain consent for their personal information? (In some cases, consent may not be transferable unless it was reflected in the privacy policy when consent was originally obtained.)
  • If the business is processing data for a third party, how does that affect its data sharing capabilities in the event of a purchase or change in ownership?

How do you plan to use the data?

Just because you’ve purchased a business and obtained their collected data, that doesn’t automatically mean you have the right to use it. If you plan to use the data for substantially different purposes, you may have to re-obtain consent depending on regulations. (And even if you can use said data, that doesn’t necessarily mean that customers will appreciate it being put to use. Before you deploy any new data, consider the reputational risks at stake.) 

Similarly, if you plan to change storage locations for the data, the data storage location has to comply with any applicable regulations, similar to the data collection itself. For example, data collected from the EU may require different privacy shields compared to data collected elsewhere. 

Additionally, you will need to determine how you can share that data, and ensure any transferred data can be pulled over with adequate third-party sharing policies, depending on your needs. 

Data privacy to-do’s during a sale

If you decide to move forward in buying a business, there are steps you can take to further protect your business prospects. 

  • Have all related parties sign NDAs that include robust data protection clauses. 
  • Double check that any data sharing agreements are already in place for all parties involved in the sale.
  • Ensure that data storage, including any data rooms, are properly secured and that only authorized personnel can access the data. 
  • Have a security plan in place in case there is a data breach during the transfer of ownership.
  • Ensure employees, old or new, have been properly trained regarding any change in data privacy or collection. 

Once a sale is finalized, the Federal Trade Commission recommends that businesses also consider disposing of any unused information through the proper channels. This can protect the new owners from any liability that could result from personal information lying around or vulnerable to theft. Only keep the information you need. 

Ensure your business acquisition is an asset, not a liability

The prospect of buying a business is exciting, and can be incredibly rewarding. When it comes to acquisitions, knowledge is power. The more you know about a business, the more effectively you can hit the ground running. 

When it comes to buying a business, the last thing you need is an unexpected data governance liability. While it can be confusing to navigate through data privacy and compliance regulations, data can also be a huge asset when handled correctly. 

Want to make sure you get things right? Schedule a call with the privacy experts at Red Clover today.