Data Privacy: Essential for Successful M&A Transactions

By Gaurav Bhandari, AVP and Head of Data & Analytics Consulting at Infosys

Last year wasn’t bad for M&A deals. Given the pandemic was in full swing, the value of transactions fell by only 5% from 2019, with a whopping $3.6 trillion spent in M&A activity.[1] Most deals were big company acquisitions, leveraging the technology, capability, and market potential of smaller firms.

Throughout the season, regulators sifted through the paperwork to ensure transactions were compliant with E.U. and U.S. data privacy and security legislation. And no wonder. Even a small data breach can have serious consequences for businesses (think Yahoo’s flash crash after its accounts were compromised[2]), markets, and the viability of the regulators themselves.

To succeed where others fail, big firms should intertwine data privacy and security within the deal itself. This complex task can be broken down to the following four steps.

The M&A data privacy roadmap

1. Benchmark existing privacy exposure during screening: This ensures the deal value is adjusted accordingly, with both parties aware of all possible data vulnerabilities. Acquiring firms can use a compliance maturity measure and if maturity is low (and costs are too high), the deal can be screened out early.
2. Use a clean data room for security and privacy due diligence: This requires that both parties conduct vulnerability mapping exercises within a “clean” data room (i.e., a tightly controlled space with policy in place). Acquiring firms seek to understand what data is collected and how it will be used both pre- and post- deal. This irons out future threats and ensures factors like personally identifiable information (PPI) don’t cause regulatory concern.
3. Weave data privacy into the deal structure: Map what data is stored, how it is used, and what regulations processing of this data should meet. M&A deals also need consent of data transfer within the agreement. Lacking this consent, the deal might be null and void. Further, the firm’s customers should be apprised of potential usage of data post-merger, and a warranty agreement between merging entities should be put in place to take care of any investigations and complaints.
4. Integrate IT systems and migrate data post deal closure. A joint data inventory should be mapped out, with data privacy policies and guidelines in place. This step also requires customer consent for data contradictions between firms. A change management plan should be instituted at this stage, and the post-merger operating model should aim to unlock synergies between both firms with well-defined data access protocols and control levers.

The M&A data privacy framework and reference architecture

Ensuring data privacy and security in M&A is always easier said than done. Beyond putting in place an effective roadmap, our work with clients has helped us develop a framework which can ease the M&A journey of large enterprise. This framework brings together program and change management, governance and, importantly, execution across four key pillars:

• Collect and analyze: Understand the data and process status-quo, and establish gaps and risks using workshops.
• Design and synergize: Based on the gap reports design the privacy architecture and operating model.
• Build and transition: Initiate implementation of the operating model while creating checks and balances with specific measures. This needs to be in line with the initial gap report.
• Stabilize and monitor: Use a trusted partner to constantly assess ongoing risks and outputs.

A data privacy M&A framework is only as good as the underlying reference architecture it uses. This architecture details various data privacy issues and solutions for effective regulatory compliance. The architecture entails:

• Data interaction services: Required to interact with all possible sources of data – customers, suppliers, vendors, and employees. Primarily meant to present privacy policy to users and gather consent.
• Data portability services: Ensures secure movement of data between business and stakeholders.
• Enterprise capabilities: Facilitates data management and processing while fulfilling privacy rights.
• Data/application security: Allows secure storage and processing of data while avoiding any breaches.
• Information governance: Defines all policies including privacy, data, and privacy-reporting components.

Left in isolation, data privacy can have serious negative repercussions for a deal, with many once confident firms unable to execute due to a lapse or breach. While deal value depends on a wide range of factors, putting data privacy into the equation can help executives determine if the deal is worth going ahead or not.

[1] M&A rebounds sharply to hit $3.6tn in 2020, Ortenca Aliaj & James Fontanella-Khan & Arash Massoudi, Dec 31, 2020, FT

[2] The Inside Story of When Verizon Learned of the Yahoo Breach, Craig Silliman, Adam Janofsky, Dec. 17, 2017, WSJ