With the emergence of new regulatory frameworks like GDPR and the California Consumer Privacy Act, a greater understanding and protection of the oil running the engine has become top priority for companies of all sizes and industries.
Just as financial information and cyber risk realities have long required organizations to employ accountants and cybersecurity professionals to conduct frequent audits and implement proactive monitoring, data privacy now requires a unique level of organizational data diligence, in addition to the appointment of personnel such as data protection officers (DPOs) to serve as advocates for the plethora of consumer and employee data that companies collect, store and manage.
Regulations are hindering M&A and investment momentum
While the positive effects of enhanced privacy regulation include more responsible handling of consumer and employee information and a greater overall understanding of organizational assets, which in turn can be used to enhance business processes, a concerning trend is the impact frameworks like GDPR are having on M&A activity. Recent research shows over half (55 percent) of M&A professionals have had deals fall through due to concerns over GDPR and target firms’ data practices, and 66 percent of those M&A professionals believe GDPR will increase acquirers’ scrutiny of target firms’ data protection policies and processes.
Examples abound for how a lack of data privacy due diligence can lead to disastrous M&As, not to mention steep fines and public fallout. Starwood’s compromised database and ensuing acquisition by Marriott, for instance, demonstrates how even the world’s largest hotel chain isn’t immune to the dire consequences of poor data diligence and less-than-comprehensive understanding of assets being acquired. There was also Verizon and its discovery of a prior data breach at Yahoo! after having agreed to acquire the company, which led to a $350 million reduction in the purchase price, a $35 million penalty to settle securities fraud charges and another $80 million to settle securities lawsuits brought on by disgruntled shareholders.
In addition to M&A activity, investment momentum for startups also appears to be suffering as a result of new data regulations. Since the introduction of GDPR, European tech startups have seen a 17.6 percent reduction in weekly venture deals, and the amount raised in an average deal has dropped by 39.6 percent. Even more concerning, this pattern isn’t likely to right itself anytime soon, considering GDPR-style regulations are being adopted in more and more countries like India and Brazil.
Abide by the 4 "Ps" to ensure data privacy best practices
Before acquirers, investors and startups alike let their data privacy fears completely overcome them, however, it’s important to recognize the benefits a heightened data privacy landscape can provide.
By adhering to relevant data privacy best practices, for instance, companies have an opportunity to elevate their competitive profile and significantly streamline the due diligence process for potential acquirers and/or investors.
More specifically, given today’s ever-evolving data privacy realities, companies should abide by the four “Ps” rule to show suitors that their company is a safe bet:
- Policy: It’s imperative that companies continually design and refine all privacy policies, notifications and website verbiage to ensure they’re communicating data privacy information effectively to their community. Make sure information is always clear, consistent and easily communicable.
- People: In addition to employing data privacy professionals such as DPOs, companies need to prioritize data privacy training for their employees. Just as cybersecurity policies and training programs are enforced, good data privacy hygiene must be instilled throughout organizations and the consequences of failing to adhere to data privacy best practices should be made abundantly clear.
- Process: Just as companies conduct audits for financial purposes or code reviews for engineering efforts, implementing clear processes for the handling of customer and employee data is critical. Practice discipline and rigor here, as companies need to know for certain if anyone in the organization is capturing data without a clear purpose of use and/or if they’re sharing data beyond permitted boundaries.
- Product: Lastly but perhaps most importantly, companies need to leverage products to automate key components of data privacy and demonstrate compliance to regulators. For instance, privacy impact assessments (which determine whether the data being collected complies with relevant regulatory and compliance requirements), data subject reports (which determine the type and amount of data being housed per individual), records of processing activity (which determine how data is being used), and consent reports (which determine what consents have been granted from data subjects) can all be automated to ensure continual data privacy compliance.
Federal control over data privacy will transform due diligence processes
Looking ahead, it seems increasingly likely that Federal data privacy regulations here in the U.S. will fundamentally transform the global M&A and investing industries. State-level legislation with teeth in the form of CCPA has already been passed and numerous Federal bills have been introduced in just the past year, including the Data Care Act, with conversations on Capitol Hill accelerating at a rampant pace in how exactly to form and enforce comprehensive Federal legislation.
On both sides of the fence, few can argue that one national data privacy ruling is less desirable than attempting to adhere to 50 different state-based regulations. In fact, many tech companies have expressed outright support for federal control over data privacy, and with U.S.-based venture capitalists continuing to dominate global deal volume, they’re poised to lead the rest of the investment world toward an entirely new way of practicing due diligence, in which data privacy compliance is prioritized above all else.
To prepare for these future realities, and to use them to attract M&A and investment activity rather than deflect it, companies need to remember the four “Ps” rule, paying particular attention to any unique risk factors specific to their organization. In doing so, companies can remain competitive among acquirers, investors and consumers, and at the same time actively defend against the bite of data privacy regulation, which, as Google will tell you, is no longer simply bark.
Dimitri Sirota, CEO of BigID