
Mergers, acquisitions and data protection – what you need to know

The insights industry is no stranger to mergers and acquisitions. Here are key considerations for mergers and acquisitions, and how to effectively navigate data protection.

Mergers and acquisitions are common in the data and insight industry. Last year’s Capital Funding Index from Cambiar Consulting recorded a huge $2.89 billion being pumped into the industry in 2018, and that doesn’t include the staggering $8 billion acquisition of Qualtrics by SAP. 

In times of crisis, we often see an increase in mergers and acquisitions, with smaller but still valuable companies running out of the capital reserves/liquidity they need to remain operational. For larger companies, this presents an opportunity to expand operations, increase capabilities, or perhaps even remove competitors. 

In today’s economy, data is the most valuable asset a company can possess, particularly in the insights sector. Panels, trackers, and forecasting models that have been built over the years, maybe even decades, are unquestionably the main source of a research company’s value. What’s more, in an increasingly global industry with a range of national and international legislations to take into account, protecting data and ensuring its security is vitally important during a merger or acquisition. Due diligence is a must. 

Identifying privacy risks

For an acquirer considering an acquisition, it is important to fully identify potential data privacy risks. You may wish to start by considering the categories of personal data the company processes given the sector in which it operates, and in particular, whether that processing involves a lot of sensitive personal data, or perhaps even sensitive proprietary information. This type of data often requires additional layers of security and attention. 

Before delving more deeply into data privacy due diligence and what this means, do bear in mind that depending on the region the company is based in, you will have to analyse compliance in accordance with the local or regional laws, such as the General Data Protection Regulation (GDPR) in Europe, or the California Consumer Privacy Act (CCPA) in California. 

As an acquirer, you will have to understand the complex web of third-party processors the company may already work with, or on behalf of, and identify the extent of international data transfers. Here you must also pay attention to any cloud providers and how and where the data is stored, as well as which contracts and data processing agreements have been concluded by the company. These are all factors that if not properly understood, can lead to serious problems later on.  

Most importantly, you should find out whether the company has suffered data breaches in the past, how it documented and mitigated the risks arising from each breach, and how it handled the matter overall. Does the company have a data breach response framework that meets the applicable legal requirements, along with the procedures needed to document and explain an incident? If not, you may wish to factor in the additional investment required to put such processes and systems in place.

This is only the start of the type of data privacy due diligence a potential acquirer should carry out in order to avoid complications further down the line. 

Cybersecurity and IT risks are key considerations too

Following on from the due diligence around past data breaches, you must also consider the company's potential exposure to future data breaches. Start by reviewing whether the company has an Information Security Policy and adequate security controls to keep data secure.

Does the company employ specialised security personnel, conduct regular risk assessments, and carry out vulnerability and penetration testing of its systems? In this context, it is also important to consider risks that may seem too obvious or simplistic to address but are key nonetheless: does the company protect the physical security of its personal data assets and facilities?

Whilst it is important to have security personnel on-site to lead the efforts on cybersecurity, part of your due diligence will also be to check whether employees have had adequate data privacy training, particularly those employees who handle personal data as part of their daily roles, which, in our sector, is highly likely. Though you may discover that from a documentation perspective all is in order, it is just as vital to ensure that personnel are aware of these policies and procedures and feel comfortable implementing them in their daily operations. Have they been trained on how to secure the personal data they need for a project when working from home, for example? This last point is particularly pertinent under the current circumstances.

When thinking about potential cybersecurity risks, these matters are merely a starting point for having a transparent conversation about what both parties may expect as they move towards a potential new partnership. 

Data privacy and cybersecurity are now firmly on the map as key considerations during a merger or acquisition. One of the less-discussed parts of this is the potential reputational damage that could be incurred if personal data has been mistreated, or if there has been a past undisclosed data breach that you only become aware of after the transaction, once it is too late. 

A comprehensive due diligence review is no longer only for tech-savvy businesses; it is both achievable by and necessary for companies large and small across the world.


This article was first published here.
