© 2022 TrustArc Inc. Proprietary and Confidential Information.
Data Privacy:
The Hidden Beast within Mergers & Acquisitions
Speakers

Darren Abernethy
Shareholder, Ad Tech, Data Privacy & Cybersecurity, Greenberg Traurig, LLP
abernethyd@gtlaw.com
https://www.linkedin.com/in/djabernethy/

Paul Iagnocco
Customer Enablement Lead and Senior Privacy Consultant, TrustArc
piagnocco@trustarc.com
https://www.linkedin.com/in/paul-iagnocco/
Legal Disclaimer
The information provided during this webinar does not,
and is not intended to, constitute legal advice.
Instead, all information, content, and materials presented
during this webinar are for general informational purposes only.
Agenda
- Mergers & Acquisitions (M&A) Overview
- Pre-Planning M&A Process
- M&A Due Diligence Considerations
- Privacy & Data Security for Start-Ups
- M&A Post-Signing Considerations
- Foundational Prep – Data Inventory and Mapping
- Questions & Answers
Privacy and data security considerations, far from being relevant solely for international data transfer or data breach reasons, have come to play a central role in today’s mergers and acquisitions (M&A) landscape — for buyers and sellers alike.
In a Data Economy > Data is a valuable asset.
M&A Buyers & Sellers
[Figure: Buyers and Sellers]
Typical M&A Process (START to END)
1. Develop a Strategy
2. Identify Targets
3. Information Exchange
4. Valuation, Opportunities & Synergies
5. Offer and Negotiation
6. Due Diligence
7. Purchase Agreement
8. Deal Closure & Integration
Mergers & Acquisitions:
Pre-Planning
Whether a prospective buyer or target, as a pre-condition to participating in any merger or commercial transaction, a company should assess and fully understand its own privacy program, especially data flows and the types of data collected, information security practices, partners’ data inputs and outputs and contractual obligations.
Pre M&A Planning

Strategy & Internal Review
• Assess and understand internal privacy program - maturity
• Assess data flows, type of data collected, information security practices
• Consider how your privacy and data security could impact the proposed deal
• Consider your risk profile and any data processing partners

Considerations & Questions
• Do you have visibility into the entire information life cycle?
• Are you mainly a Data Controller or a Data Processor?
• Does your privacy program have C-Suite Buy-In?
• Are there specific regs or frameworks that are relevant? At what level of compliance?

Geographical Considerations
• Clarity on established locations; What are goods/services offered in each area?
• Are there int’l data transfers happening today? Are they subject to specific agreements or regulations? (e.g., GDPR SCCs)
• Will the M&A itself create a cross-border transfer situation?
• What about monitoring or OBA tracking?
• Data localization applicability?
Mergers & Acquisitions Due Diligence:
- Virtual Data Room
- Notice & Terms
- Data Privacy and Security
- Vendors & Service Providers
- Employee Data
- Representation & Warranties Insurance Underwriters
- Other Considerations
The extent to which data privacy and security are the focus of an M&A deal will depend on the underlying specifics:
- volume, sensitivity and origins of the data involved; industries implicated
- ready and able to demonstrate internal privacy and data governance practices
- honored external privacy promises
- data subject control of their personal data
Evaluation of buyers and sellers is wide-ranging and uniquely varies with each transaction.
M&A Due Diligence

Privacy Notices and Terms of Use
• Obligations attached to any given personal data at the time of collection?
• Adequate disclosures provided at time of collection? Compliant with local regulations?
• Current or legacy privacy promises/conditions that will NOT be honored?
• Legacy policies or related data subject consents exist that may need to be amended/refreshed?

Data Security Considerations
• Are D/PIAs on file to demonstrate the company’s precautions before “high risk” data processing?
• If dependent on legitimate basis – need to demonstrate “balance test”
• Full analysis of infosec programs, in terms of formal protocols followed, documented policies, employee training, internal or external audits.
• History of any known or suspected data incidents, cyberattacks and the responses taken on all accounts.
• Need to demonstrate breach response plans, disaster recovery and business continuity plans – have they been tested?
• Are there any past, present or prospective (known) legal actions?
• Levels of encryption used throughout the organization and how is this determined and monitored?
• Methods of de-identification or pseudonymization of data?
M&A Due Diligence (continued)

Vendors and Service Providers
• Who are the vendors and service providers of the parties involved? What are their roles?
• What are the relationships concerning personal data transfer/usage—contractually and in day-to-day practice?
• Comprehensive vendor management program in place vetting possible vendors’ data privacy and security practices before working with them?
• What are their data retention policies?
• Written contract in place - vendor (data processor) and data owner (data controller)? Include necessary support from data processors, especially related DSAR actions?
• Are vendor audits conducted for contract compliance? What about SLAs?
• Obligation to notify data controller of security incidents, facilitate subject access requests, or maintain “reasonable” technical and physical safeguards?
• Are there subcontractors? Is approval required for a vendor to engage subcontractors?

Employee Data
• Do the parties have proper documentation for their employee privacy policies?
• How do the parties intend to handle the transfer of employee data in the event of a merger?
• Employees been informed of their individual privacy rights and the means to exercise those rights?
• Does any party have potential issues from lax HR policies?
• Might a new entity need to seek a legal transfer mechanism?
M&A Due Diligence (continued)

Other Considerations
• Do the parties have clarity (post data inventorying and mapping) on the applicable federal, state/provincial and/or international laws that may be triggered moving forward?
• What will be the scope of various representations and warranties?
• Do any parties have cyber insurance, data breach insurance, and/or director & officer insurance policies in place? Will they need adjustment?
• Consider the breadth of any NDAs and due diligence review logistics (e.g., secure data rooms, watermarking, what to be shared, etc.)
• What privacy- or data security-related closing conditions will be required of the parties?
• Have individuals on all sides of transaction been designated to oversee the legal and technical measures that must be in place to avoid unauthorized disclosures?
• What exactly will be included within the definition of “personal data”?

Bankruptcy
• Get your financial house in order.
• Providing value of data is important no matter what.
• Be prepared for creditors
Privacy & Data Security Considerations for Start-Ups
Build a privacy-centric business culture
• Establish enterprise-wide principles
• Transparency to build customer trust
• Align with Marketing
Build business from day 1 based on “Privacy by Design” principles
• Proactive NOT Reactive
• Privacy as the Default Setting
• Privacy Embedded into Design
• Full Functionality – Positive-Sum, not Zero-Sum
• End-to-End Security – Full Lifecycle Protection
• Visibility and Transparency – Keep it Open
• Respect for User Privacy – Keep it User-Centric
Build a Privacy Program that matures with the Business
• Always screen for the collection of PII
• Complete and maintain data inventories – understand risk
• Align with purchasing or procurement – Is processing of PII being done?
• Always be prepared to demonstrate what has been done
Post-Signing Considerations
Depending on factors ranging from the deal’s size,
to the volume of data and the industries involved,
a transaction’s post-signing can take different paths:
- regulatory reviews
- requests to update or exit voluntary frameworks
- considerations of integration planning among the parties
M&A Post-Signing

Post-Signing Considerations
• Will a special regulatory review—which often sees voluminous requests for internal records—be necessary?
• Is there any data, personal or otherwise, that is determined as not germane to the merged entity or overly sensitive/unwanted such that it will be intentionally excluded from the data transfers among the parties (e.g., deleted, returned or aggregated)?
• How will the deal’s transactional documents account for privacy- and data security-related issues that arise after the deal is consummated? How is accountability shared?

Integration Planning:
• How will the companies’ policies be revised and/or combined?
• How will employee/HR records be integrated?
• Whose infrastructure will be used and whose data will be ported in?
• What new consents must be requested of data subjects for secondary or materially new purposes?
• How will new vendors be assessed and monitored going forward?
• How will the companies’ information security frameworks be aligned?
• How will an APEC CBPR- or Privacy Shield affiliated company integrate an as-yet non-compliant new affiliate into the corporate family?
• Must any other regulators be notified?
Foundational Prep –
Data Inventory and Mapping
Data Inventory and Mapping
1. Whether you want to buy or sell your company, it is essential that you perform the proper due diligence when it comes to privacy.
2. Data Inventory Hub and Mapping can help:
• Identify data flowing into and out of business
• Where are potential areas of risk in the business process
• What instruments of compliance need to be addressed – regulatory reports
• Identify where to access data for customer DSARs
A proper data inventory should tell a “data” story –
data types, processing, sharing, risks, etc. about the overall data life cycle in a business.
Attendee Q&A
Interested in TrustArc Solutions for M&A?
Thank You!
See http://www.trustarc.com/insightseries for the 2022
Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with
compliance, please reach out to sales@trustarc.com for a free demo.

More Related Content

Similar to Data Privacy: The Hidden Beast within Mergers & Acquisitions

Cost benefit analysis vs confidentiality
Cost benefit analysis vs confidentialityCost benefit analysis vs confidentiality
Cost benefit analysis vs confidentiality
Prithvi Ghag
 

Similar to Data Privacy: The Hidden Beast within Mergers & Acquisitions (20)

California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)
 
10 Key Data Privacy Checklists for B2B 1.pdf
10 Key Data Privacy Checklists for B2B 1.pdf10 Key Data Privacy Checklists for B2B 1.pdf
10 Key Data Privacy Checklists for B2B 1.pdf
 
Data Privacy and Security in UAE.pptx
Data Privacy and Security in UAE.pptxData Privacy and Security in UAE.pptx
Data Privacy and Security in UAE.pptx
 
Nymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 StatesNymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 States
 
Internet security and privacy issues
Internet security and privacy issuesInternet security and privacy issues
Internet security and privacy issues
 
A P/C Insurance Data Modernization Journey Featuring Pekin Insurance, ValueMo...
A P/C Insurance Data Modernization Journey Featuring Pekin Insurance, ValueMo...A P/C Insurance Data Modernization Journey Featuring Pekin Insurance, ValueMo...
A P/C Insurance Data Modernization Journey Featuring Pekin Insurance, ValueMo...
 
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc SolutionsCCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
 
Privacy Operations (PrivacyOps) Framework - Feroot Privacy
Privacy Operations (PrivacyOps) Framework - Feroot PrivacyPrivacy Operations (PrivacyOps) Framework - Feroot Privacy
Privacy Operations (PrivacyOps) Framework - Feroot Privacy
 
PrivacyOps Framework
PrivacyOps FrameworkPrivacyOps Framework
PrivacyOps Framework
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
 
What is CT- DPO.pdf
What is CT- DPO.pdfWhat is CT- DPO.pdf
What is CT- DPO.pdf
 
2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?
 
Asset Security
Asset Security Asset Security
Asset Security
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
 
3GRC approach to GDPR V 0.1 www.3grc.co.uk
3GRC  approach to GDPR V 0.1 www.3grc.co.uk3GRC  approach to GDPR V 0.1 www.3grc.co.uk
3GRC approach to GDPR V 0.1 www.3grc.co.uk
 
Looking Beyond GDPR Compliance Deadline
Looking Beyond GDPR Compliance DeadlineLooking Beyond GDPR Compliance Deadline
Looking Beyond GDPR Compliance Deadline
 
Cost benefit analysis vs confidentiality
Cost benefit analysis vs confidentialityCost benefit analysis vs confidentiality
Cost benefit analysis vs confidentiality
 
2019 08-21 Automating Privacy Management
2019 08-21 Automating Privacy Management2019 08-21 Automating Privacy Management
2019 08-21 Automating Privacy Management
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program Management
 
Sharp Cookie Advisors legal_botar_ai_dataskydd_gdpr
Sharp Cookie Advisors legal_botar_ai_dataskydd_gdprSharp Cookie Advisors legal_botar_ai_dataskydd_gdpr
Sharp Cookie Advisors legal_botar_ai_dataskydd_gdpr
 

More from TrustArc

TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc
 
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
TrustArc
 

More from TrustArc (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI Innovations
 
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
 
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
 
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
 
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
 
CBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceCBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy Compliance
 
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfEverything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
 
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
 
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsPrivacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
 
Building Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy CertificationsBuilding Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy Certifications
 
The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...
 
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
 
Artificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceArtificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI Governance
 
How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023
 
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act:  Using Consumer Data and Maintaining TrustThe Ultimate Balancing Act:  Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
 
The Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To KnowThe Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To Know
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Data Privacy: The Hidden Beast within Mergers & Acquisitions

  • 1. 1 © 2022 TrustArc Inc. Proprietary and Confidential Information. Data Privacy: The Hidden Beast within Mergers & Acquisitions
  • 2. 2 Speakers Darren Abernethy Shareholder, Ad Tech, Data Privacy & Cybersecurity, Greenberg Traurig, LLP abernethyd@gtlaw.com https://www.linkedin.com/in/djabernethy/ Paul Iagnocco Customer Enablement Lead and Senior Privacy Consultant, TrustArc piagnocco@trustarc.com https://www.linkedin.com/in/paul-iagnocco/
  • 3. 3 Legal Disclaimer The information provided during this webinar does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented during this webinar are for general informational purposes only.
  • 4. 4 Mergers & Acquisitions (M&A) Overview Pre-Planning M&A Process M&A Due Diligence Considerations Agenda Privacy & Data Security for Start-Ups M&A Post-Signing Considerations Foundational Prep – Data Inventory and Mapping Questions & Answers
  • 5. 5 Privacy and data security considerations, far from being relevant solely for international data transfer or data breach reasons, have come to play a central role in today’s mergers and acquisitions (M&A) landscape — for buyers and sellers alike. In a Data Economy > Data is a valuable asset.
  • 6. 6 M&A Buyers & Sellers Buyers Buyers Sellers
  • 7. 7 1 Develop a Strategy 2 Identify Targets 3 Information Exchange 4 Valuation, Opportunities & Synergies 5 Offer and Negotiation 6 Due Diligence 7 Purchase Agreement 8 Deal Closure & Integration START END Typical M&A Process
  • 9. 9 Whether a prospective buyer or target, as a pre-condition to participating in any merger or commercial transaction, a company should assess and fully understand its own privacy program, especially data flows and the types of data collected, information security practices, partners’ data inputs and outputs and contractual obligations.
  • 10. 10 Pre M&A Planning Strategy & Internal Review Assess and understand internal privacy program - maturity Assess data flows, type of data collected, information security practices Consider how your privacy and data security could impact the proposed deal Consider your risk profile and any data processing partners Considerations & Questions Do you have visibility into the entire information life cycle? Are you a mainly a Data Controller or a Data Processor? Does your privacy program have C-Suite Buy-In? Are there specific regs or frameworks that are relevant? At what level of compliance? Geographical Considerations Clarity on established locations; What are goods/services offered in each area? Are there int’l data transfers happening today? Are they subject to specific agreements or regulations? (e.g., GDPR SCCs) Will the M&A itself create a cross-border transfer situation? What about monitoring or OBA tracking? Data localization applicability?
  • 11. 11 Mergers & Acquisitions Due Diligence: - Virtual Data Room - Notice & Terms - Data Privacy and Security - Vendors & Service Providers - Employee Data - Representation & Warranties Insurance Underwriters - Other Considerations
  • 12. 12 The extent to which data privacy and security are the focus of a M&A deal will depend on the underlying specifics: - volume, sensitivity and origins of the data involved industries implicated - ready and able to demonstrate internal privacy and data governance practices - honored external privacy promises - data subject control of their personal data Evaluation of buyers and sellers is wide-ranging and uniquely varies with each transaction.
  • 13. 13 M&A Due Diligence Privacy Notices and Terms of Use Obligations attached to any given personal data at the time of collection? Adequate disclosures provided at time of collection? Compliant with local regulations? Current or legacy privacy promises/conditions that will NOT be honored? Legacy policies or related data subject consents exist that may need to be amended/refreshed? Data Security Considerations Are D/PIAs on file to demonstrate the company’s precautions before “high risk” data processing? If dependent on legitimate basis – need to demonstrate “balance test” Full analysis of infosec programs, in terms of formal protocols followed, documented policies, employee training, internal or external audits. History of any known or suspected data incidents, cyberattacks and the responses taken on all accounts. Need to demonstrate breach response plans, disaster recovery and business continuity plans – have they been tested? Are there any past, present or prospective (known) legal actions? Levels of encryption used throughout the organization and how is this determined and monitored? Methods of de-identification or pseudonymization of data?
  • 14. 14 M&A Due Diligence (continued) Vendors and Service Providers Who are the vendors and service providers of the parties involved? What are their roles? What are the relationships concerning personal data transfer/usage—contractually and in day-to-day practice? Comprehensive vendor management program in place vetting possible vendors’ data privacy and security practices before working with them? What are their data retention policies? Written contract in place - vendor (data processor) and data owner (data controller)? Include necessary support from data processors, especially related DSAR actions? Are vendor audits conducted for contract compliance? What about SLAs? Obligation to notify data controller of security incidents, facilitate subject access requests, or maintain “reasonable” technical and physical safeguards? Do the parties have proper documentation for their employee privacy policies? How do the parties intend to handle the transfer of employee data in the event of a merger? Employees been informed of their individual privacy rights and the means to exercise those rights? Are there subcontractors? Is approval required for a vendor to engage subcontractors? Does any party have potential issues from lax HR policies? Might a new entity need to seek a legal transfer mechanism? Employee Data
  • 15. 15 M&A Due Diligence (continued) Other Considerations Do the parties have clarity (post data inventorying and mapping) the applicable federal, state/provincial and/or international laws that may be triggered moving forward? What will be the scope of various representations and warranties? Do any parties have cyber insurance, data breach insurance, and/or director & officer insurance policies in place? Will they need adjustment? Consider the breadth of any NDAs and due diligence review logistics (e.g., secure data rooms, watermarking, what to be shared, etc. What privacy- or data security-related closing conditions will be required of the parties? Have individuals on all sides of transaction been designated to oversee the legal and technical measures that must be in place to avoid unauthorized disclosures? What exactly will be included within the definition of “personal data”? Bankruptcy Get your financial house in order. Providing value of data is important no matter what. Be prepared for creditors
  • 16. Privacy & Data Security Considerations for Start-Ups
    Build a privacy-centric business culture
    • Establish enterprise-wide principles
    • Transparency to build customer trust
    • Align with Marketing
    Build business from day 1 based on “Privacy by Design” principles
    • Proactive NOT Reactive
    • Privacy as the Default Setting
    • Privacy Embedded into Design
    • Full Functionality – Positive-Sum, not Zero-Sum
    • End-to-End Security – Full Lifecycle Protection
    • Visibility and Transparency – Keep it Open
    • Respect for User Privacy – Keep it User-Centric
    Build a Privacy Program that matures with the Business
    • Always screen for the collection of PII
    • Complete and maintain data inventories – understand risk
    • Align with purchasing or procurement – Is processing of PII being done?
    • Always be prepared to demonstrate what has been done
  • 18. Depending on factors ranging from the deal’s size, to the volume of data and the industries involved, a transaction’s post-signing can take different paths:
    - regulatory reviews
    - requests to update or exit voluntary frameworks
    - considerations of integration planning among the parties
  • 19. M&A Post-Signing
    Post-Signing Considerations
    Will a special regulatory review—which often sees voluminous requests for internal records—be necessary?
    Is there any data, personal or otherwise, that is determined as not germane to the merged entity or overly sensitive/unwanted such that it will be intentionally excluded from the data transfers among the parties (e.g., deleted, returned or aggregated)?
    Integration Planning:
    • How will the companies’ policies be revised and/or combined?
    • How will employee/HR records be integrated?
    • Whose infrastructure will be used and whose data will be ported in?
    • What new consents must be requested of data subjects for secondary or materially new purposes?
    • How will new vendors be assessed and monitored going forward?
    • How will the companies’ information security frameworks be aligned?
    • How will an APEC CBPR- or Privacy Shield-affiliated company integrate an as-yet non-compliant new affiliate into the corporate family?
    • Must any other regulators be notified?
    How will the deal’s transactional documents account for privacy- and data security-related issues that arise after the deal is consummated? How is accountability shared?
  • 20. Foundational Prep – Data Inventory and Mapping
  • 21. Data Inventory and Mapping
    1. Whether you want to buy or sell your company, it is essential that you perform the proper due diligence when it comes to privacy.
    2. Data Inventory Hub and Mapping can help:
    • Identify data flowing into and out of the business
    • Identify potential areas of risk in the business process
    • Identify which instruments of compliance need to be addressed – regulatory reports
    • Identify where to access data for customer DSARs
    A proper data inventory should tell a “data” story – data types, processing, sharing, risks, etc. – about the overall data life cycle in a business.
  • 23. Interested in TrustArc Solutions for M&A?
  • 24. Thank You! See http://www.trustarc.com/insightseries for the 2022 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.