With recent news surrounding major Mergers & Acquisitions within the digital industry, questions will be raised around what due diligence is being applied to ensure that legal obligations around the collection and processing of personal (sometimes sensitive) data are met under the acquirer.
There may be many legal and compliance aspects which need to be factored in as well as new controls which the acquirer has to put in place as a result of their new acquisition.
Industry Codes of Conduct such as PCI DSS become a subject matter for consideration where the business transacts online via credit card payments. If the new acquisition means that the acquirer enters into a new industry such as Health (and the acquirer has historically been within, say, consumer electronics), then regulations relating to health and other sensitive information, and possibly data relating to children, have to form part of the privacy strategy moving forward.
Geographically, there may be a number of challenges that present themselves. For example, if a US company acquires a business in Europe, then it has to implement appropriate measures and governance that are relevant to each of the local markets, the cultural norms, as well as local regulations. If that seems challenging, then it gets even more interesting when one discovers that the General Data Protection Regulation is adapted differently depending on each EU market.
For example, in the UK, the UK Data Protection Act 2018 states that there are further exemptions (that are not included within the official GDPR text) when responding to a Data Subject Access Request. In Germany, there are amendments to the official text with regards to processing Special Categories of Data, amongst other variations. In Spain, Article 37 (designation of a Data Protection Officer – DPO) carries further obligations than what is in the official text, and there is an additional function for the DPO, in that the DPO may intervene in case of a complaint against a controller or processor with a supervisory authority and communicate to the complainant the organisation's resolution within 2 months of the receipt of such complaint (before the complaint is submitted to the supervisory authority; source: iapp.org).
What if your company is divesting a business?
Again, a relevant question given that there are real-world examples of this actually taking place. When divesting a business, there may well be risks associated with the data that is being released, and therefore a thorough assessment of the infrastructure of all, or any part, of the entity being divested must be undertaken prior to the event to ensure that unauthorised access to any personal information/data is prevented as part of the divestiture process (unless there are specific exceptions, in which case they need to be documented).
It is worth remembering that an organisation can be exposed to unnecessary corporate risk by acquiring companies with differing regulatory obligations. A privacy checklist is a useful tool to help ensure this process is carried out effectively.
For further information on how mergers, acquisitions or divestitures could affect your organisation, feel free to contact us at firstname.lastname@example.org.