Privacy Compliance During Acquisition
Every company has its own data privacy policies and compliance strategy. But what happens when two companies merge, or one buys out the other? And what if one of those companies regularly deals with more jurisdictions or stricter privacy laws, or has a more restrictive approach to privacy policies than the other?
Today, we’ll take a quick look at how business owners can approach privacy compliance during an acquisition.
Explore the Other Company’s Current Approach
Both company leadership teams should discuss each other’s privacy approach and policies as part of the acquisition process. For the buyer, that means:
- Considering the new laws that might apply after the merge
- Getting reassurance and proof that the company being purchased isn’t hiding anything (like security weaknesses that can lead to breaches post-acquisition)
- Outlining their own privacy standards and seeing if the new company is up to the test
For the seller, awareness means:
- Understanding what the purchasing company’s privacy standards are
- Double-checking their existing systems for any potential problems that could grow after the purchase
- Considering privacy laws that may or may not apply anymore
Data Privacy Technology Evaluation & Legal Review
The leadership of both companies (as well as their legal teams) should also examine their existing technology and processes for privacy compliance, as well as any planned or proposed changes. One company may very well have a more robust approach than the other. For instance, a California-based business must consider the state’s comprehensive privacy laws every time it collects or processes data. A business based in Texas, a state with no privacy laws currently, has fewer regulations. (This doesn’t necessarily mean that the Texas-based company has a bad privacy approach – it simply means they haven’t had to contend with strict legislation before.) When the two merge, the company with a more robust privacy system may be the best choice to move forward.
Adopting the more comprehensive privacy approach allows the new combined company to begin “future-proofing” itself immediately. A national privacy law may pass in the US soon, and individual states have been adopting their own laws. Not to mention the very comprehensive and very strictly enforced privacy laws elsewhere in the world! It’s better to start with a system that can adapt to new laws than to build one from the ground up at the last minute.
Handling Existing Data in Both Systems
Both companies gathered data long before the merge. Now, they face the task of not only combining their separate data collections, but also handling that data legally through the whole process. The purchasing company will be responsible for all of this data and any compliance mistakes that they may inherit from the selling business.
Several key considerations here include:
- DSARs: customers still have the right to request their data! The purchasing business should be ready and able to respond to data access requests from its current customers as well as the customers of the seller company.
- Data formatting and storage: one business may keep physical copies of data in filing cabinets while the other uses an entirely electronic system. All of this information must be stored in the same format after the merge.
- Expiring consent: expiration dates for customer consent don’t change during a company merge.
- “Dirty data”: inheriting a poorly maintained data system could mean the buyer company has to identify and remove outdated or incorrect information.
Maintain Privacy Compliance During Acquisition
During a company merge, there’s plenty going on already. Don’t let privacy fade into the background! Get in touch with our team of experts today for help giving your new privacy strategy the attention it needs.