I am interested to gauge people's opinions and experiences of this aspect of privacy programme management with regard to the Merger and Acquisition (M&A) processes when it comes to Data Protection due diligence.
My thoughts and experiences are that this is an immature area; it is not given enough thought or involvement at the moment by either side of the transactional equation in terms of pre-preparedness, executional stage and post-sale, and as such leads to painful downstream consequences.
Alexander Sturing
Hi!
Considering the average maturity of privacy management, I can only imagine that if it becomes a part of the due diligence, the process will take much longer than anticipated.
However, I do believe it should be on the agenda since it can impose a large financial/reputational risk. Perhaps there are “templates” to support an assessment during the M&A process?
Chris Roberts
Hi Alexander, the M&A process may not necessarily take longer. If an organisation has embedded good data protection and cyber-security practice in their business and appropriately documented it, then the review may not have to be long and drawn out; in fact, it can be relatively swift.
There are services, tools and systems out there that help the “data” and “cyber-security” due diligence part of an M&A activity proceed smoothly.
Hope my thoughts help?