In 2017, the total value of merger and acquisitions (M&As) exceeded three trillion dollars. Some of the more notable M&As in the past year include Amazon’s acquisition of Whole Foods, Intel’s purchase of autonomous vehicle tech firm Mobileye, and Verizon’s acquisition of Yahoo, which became a high-profile example of the cost undisclosed data breaches have on valuations — in this case a $350 million drop in the final price tag.
To better prepare for the growing threat against corporate, customer, and employee data, companies are enforcing new data management and protection practices. One such change is the practice of requiring that each party in an M&A transaction demonstrate compliance with industry privacy and security standards before finalizing a deal. Under the new precondition, buyers and sellers are making more granular requests for visibility into the other side’s entire information repository and lifecycle to safeguard their own business assets and brands.
While the extent of required compliance varies with each buyer, seller, and deal, it is a key component now nonetheless. From pre- to post-M&A, all parties should consider how their privacy and data security posture could have a material effect on the proposed deal. To that end, here are a few key points to consider when you’re entering a deal:
In a world of growing cyber threats and attacks, these privacy and data security considerations actually go far beyond just M&As. They can help businesses understand the ramifications of worst case scenarios and for evaluating the impact of data security and privacy solutions and policies on company value. Regulators are also more acutely monitoring companies’ privacy practices and statements. For instance, the EU General Data Protection Regulation (GDPR), the most sweeping change to data protection in the past 20 years, will impact any U.S. company that handles EU resident data. Failure to comply with GDPR by the mandated May 25 deadline may lead to fines of up to €20 million or 4 percent of global annual turnover, whichever is higher.
In today’s business climate, not adhering to privacy and data protection practices risks leaving money on the table in M&A deals, incurring regulatory fines, and losing brand assets.