Introduction
With data playing a pivotal role in business operations, ensuring data privacy compliance has become a key focus in mergers and acquisitions (M&A). Understanding a target company’s data privacy practices is essential for legal compliance and assessing potential risks and costs. This blog post aims to guide you through the essential data privacy questions to ask when conducting due diligence for M&A transactions. Our focus is on what to look for and how to quantify the financial implications of data privacy issues. By the end of this post, you will understand why data privacy due diligence is a vital component of the M&A process and how it can safeguard investments and enhance value.
What is due diligence?
From a potential buyer’s perspective, due diligence is a thorough review to understand the value of a purchase. In an M&A context, this involves assessing various aspects of the target, including financial health, legal compliance, human resources, customer and vendor contracts, technology, and intellectual property—anything that might impact value. Risk impacts value significantly, so it is critical to identify compliance gaps.
This process usually involves considering the positive and negative impacts on value. As part of evaluating the negative impacts, it is important to identify what the target company has failed to do or what might have been done to them (such as in the case of a data breach). Conversely, positive impacts come from work already done, reducing the buyer’s need to invest further time, effort, and resources. For instance, a comprehensive privacy policy and a robust record of processing activities (RoPA) indicate a strong data privacy posture, adding value.
A seller’s compliance with applicable data privacy and security regulations can be pivotal and sometimes a deal breaker for certain M&A transactions, especially when the personal information collected by the seller is one of the main assets being acquired by a potential buyer.
The buyer and seller should be aware of data privacy and security considerations they may encounter during an M&A transaction.
The potential buyer should ask due diligence questions and seek information from the seller that is designed to:
- Identify what personal information is collected by the seller. The buyer should understand the extent to which the seller collects, stores, uses, discloses or otherwise processes personal information, including from whom the personal information is collected (including website and mobile app visitors, customers, employees and business representatives); the nature of the personal information being collected; and the countries where the collection, storage, disclosure or other processing of personal information occurs.
- Evaluate the seller’s privacy policies and other disclosures across all media platforms. The buyer should evaluate whether the seller’s privacy policies and related disclosures comply with applicable laws and best industry practices and adequately disclose how the seller collects, uses, stores and discloses personal information. Note that, depending on the seller’s industry and the states/countries in which its business operates, industry-specific and/or location-specific privacy and data security laws and regulations may apply to the seller’s business.
- Evaluate the existence of information security policies and procedures. In addition to reviewing privacy policies and disclosures, the buyer should review the seller’s information security policies and procedures to determine whether the seller has appropriate procedures to address its handling and use of the personal information collected. This may include a review of policies and procedures that address (i) data encryption, (ii) employee remote-working arrangements, (iii) access to and control of personal information, (iv) business recovery and continuity, (v) data breach and security incident response, and (vi) data retention. The buyer may also want to review the results of audits of the seller’s information security safeguards and procedures.
- Assess the seller’s steps to comply with applicable privacy laws. The buyer should review and ask the seller to provide information that allows the buyer to evaluate the steps the seller has taken to comply with the privacy laws applicable to its business. This includes requesting and reviewing the seller’s data maps, records of processing activities and any other data assessments prepared by or for the seller. Understanding the steps that the seller has taken to comply with the privacy laws applicable to its business, including the steps the seller has taken to operationalize applicable privacy requirements, will help the buyer assess any material data privacy and security risks posed by the seller’s business operations. In addition, the buyer can better identify any steps that it will need to take post-closing to either (i) close any gaps in the seller’s compliance with the privacy laws applicable to its business or (ii) help determine how to integrate the seller’s business operations into the buyer’s business processes.
- Understand the history of data breaches and security incidents. The buyer should be informed of any data breaches or security incidents, even if they did not rise to the level of a notifiable breach. To the extent the seller has had any data breaches or security incidents, the buyer should ask for information on how each such breach or incident was handled, including all remedial actions taken after it was resolved. In addition, it is important for the buyer to ask the seller to identify any past, threatened or pending litigation, complaints, regulatory inquiries, administrative fines or penalties relating to any data breaches, security incidents or the seller’s privacy practices, and to explain how these matters were addressed or resolved.
Mergers and acquisitions (M&A) can involve the transfer of large amounts of sensitive data, which can pose risks to both organizations and lead to regulatory non-compliance.
Data Protection in Mergers & Acquisitions under the DPDPA, 2023
The Digital Personal Data Protection Act, 2023 (DPDPA) introduces critical obligations that shape how personal data is handled during M&A transactions. While Section 17(1)(e) offers some exemptions for court-approved mergers and amalgamations, compliance with the Act remains crucial for other M&A scenarios involving data processing. This requires both buyers and sellers to align their data management practices with DPDPA provisions throughout the transaction lifecycle.
Exemptions and Compliance Scope
Section 17(1)(e) of the DPDPA states that Chapters II and III, covering obligations of Data Fiduciaries and rights of Data Principals, do not apply to mergers, reconstructions, or transfers authorized by courts or competent authorities. However, if personal data is processed outside a court-approved structure, the full provisions of the Act apply. This includes obligations related to consent, transparency, purpose limitation, and data security.
In non-exempt cases, companies must implement comprehensive compliance measures across the entire M&A process. This involves identifying personal data flows, obtaining appropriate consents, managing privacy notices, and ensuring that privacy policies align with DPDPA standards.
Due Diligence and Pre-Acquisition Data Management
During due diligence, personal data related to employees, customers, vendors, and partners is often accessed to evaluate the target company’s operations. Section 6 of the DPDPA emphasizes the requirement for explicit consent from Data Principals (individuals whose data is processed). The seller, as the Data Fiduciary, must secure consent before sharing personal data with the buyer or any third parties. This applies to business transfers, such as slump sales, where customer and vendor data changes hands.
When obtaining consent is challenging, Data Sharing Agreements (DSAs) can be employed to define the terms for lawful data sharing between entities, ensuring compliance with the Act regardless of whether the data transfer occurs within India or internationally. Representations and warranties regarding the target’s compliance with data laws should also be secured during due diligence, along with indemnities for potential non-compliance uncovered during the process.
Data Handling and Compliance Post-Transaction
Upon completing the transaction, buyers expect to acquire all personal data tied to the acquired business. However, the transfer of personal data introduces compliance risks, particularly when it involves cross-border transfers. Section 16(2) of the DPDPA ensures that sector-specific data regulations—such as the Reserve Bank of India’s requirement to store payment data within India—remain enforceable.
Buyers must align post-transaction data management with the DPDPA by:
- Updating privacy notices to reflect the change in data controllers and notifying affected data subjects.
- Ensuring that personal data is processed only for the intended purpose and not shared with third parties without fresh consent.
- Executing Data Protection Agreements (DPAs) to outline data handling responsibilities and compliance measures between the buyer and seller, ensuring alignment with the DPDPA.
Conclusion
Data privacy compliance is essential in M&A transactions, especially under the Digital Personal Data Protection Act (DPDPA), 2023. While Section 17(1)(e) exempts certain court-approved mergers, all other transactions must adhere to the Act’s requirements, including consent management, transparency, and purpose limitation. Thorough due diligence is critical for identifying compliance gaps, evaluating the seller’s data privacy practices, and addressing any risks from data breaches or regulatory non-compliance. Data Sharing Agreements (DSAs) and Data Protection Agreements (DPAs) ensure clear terms for handling personal data throughout the transaction.
Buyers must update privacy notices, manage third-party processors, and adhere to local data storage mandates such as those from the Reserve Bank of India. Whether in asset or share sales, maintaining compliance safeguards investments and builds trust among stakeholders. Ultimately, aligning with the DPDPA ensures a smooth transaction, mitigates regulatory risks, and strengthens the value and integrity of both organizations post-merger.