With data privacy firmly in the public consciousness and calls for regulation made daily, inquiries into the data practices of an acquisition target, especially regarding personally identifiable information, are becoming an increasingly important aspect of M&A due diligence.
Data breaches and data mishandling can be costly, and proper due diligence can help to avoid unwelcome surprises.
Broadly stated, data practices due diligence assesses, from both an operational and technical perspective, the data practices of the target, including what data the target collects and how, the uses the target makes of that data, and how the target protects that data. The target’s data practices must then be analyzed against its contractual and legal obligations to determine the sufficiency of its practices and to identify any areas of noncompliance.
Identifying data practices risks early in due diligence enables a buyer to consider mitigation strategies – including purchase price adjustments, deal-specific indemnities and escrows, or operational and technical changes to the target post-closing. Data practices due diligence helps to ensure that the value of an acquisition is not diminished by an unforeseen data practices failure or data breach.