Data Privacy and Protection Series – How Data Privacy and Protection Are Reshaping the Nature of Mergers and Acquisitions

Part 2 of a 6-Part Series

Before, during, and after mergers and acquisitions (M&A), IT teams have an immense responsibility to create a stable, underlying infrastructure that brings together the data and processes of buyer and seller companies into a new business structure.

Unify the data and processes of buyer and seller

Sellers share a multitude of data, ranging from their customers and suppliers to their contracts, intellectual property, and product designs. Buyers understand the value of integrating this information into their knowledge base, applications, and processes. Yet together, they have little transparency in the long-term harm their legacy IT infrastructures present when they cannot accommodate the requirements of the newly merged business.

Ultimately, such limited visibility can drastically impact the long-term value of the M&A investment.  Policy concerns and regulations are growing more numerous and stringent year after year. Every new development in the realm of data privacy and protection raises the bar on the level of care companies must take to safeguard the access and use of personal and financial information.

Deepening data’s power with accountability and insight

The collection and use of data typically increase once an M&A initiative begins, which can complicate even the best relationships between buyers and sellers. Against a backdrop of recent data privacy and protection mandates such as the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA), both parties must demonstrate unwavering accountability. Together, they should handle everything from securing data to ensuring individuals’ “right to be forgotten.”

Safeguarding the consolidated enterprise requires all operations to comply with regulations and maintain acceptable risk levels for data governance, privacy, and compliance. Organizations need to understand what personal data is processed, justify its use, and faithfully comply with consent requirements and a growing number of regulations and standards.

Tracking new data, finding data with unknown purposes, addressing data that is lost or accessed inappropriately, and flagging breaches should also be continuously executed in ways that all stakeholders can trust. As part of the due diligence process, the buyer can ensure compliance accountability and data governance by demanding the seller discloses where and how personal data is collected, processed, and managed. Additionally, records of processing activities (RoPA) must be maintained and delivered, which is a crucial mandate of GDPR and widely viewed as an implicit requirement for CCPA.

Protecting data intelligently to safeguard the enterprise

Such responsibilities may seem like a tall order when facing increasing volumes of data, but it is possible to deliver on them by obtaining five critical capabilities enabled by intelligent technology:

1. Automate data management and governance

Automatically triggering workflows based on flexible and configurable policy requirements helps initiate tasks that ensure data records are stored in the right system.

Suppose information is detected in the wrong database. In that case, an application using machine learning can flag that data and move it to the proper location based on predefined rules or by exception-based handling.

2. Scale privacy to existing needs and preferences

When rationalizing data use and collection, businesses need to know where consumer information is found, what data categories are gathered, and which lawful and valid purposes are being served. This exercise requires the capability to match relationships between various data, such as social security numbers, IP addresses, healthcare records.

Unfortunately, businesses cannot wait for their workforce to develop this skill, especially when facing the prospect of penalizing fines and sanctions when data from the acquired company is not managed adequately. But with data privacy and protection software that leverages machine learning, they can attain unmatched data intelligence to discover and manage personal and sensitive data across the entire IT ecosystem and take action to ensure compliance and security.

3. Ensure the legitimate use of all data

By creating data flows and maintaining live data, companies can assess the use of personal data across all business processes and functions. More importantly, this task must be accomplished according to assigned and predefined legal or business purposes.

Intelligent automation empowers users to search, monitor, analyze, and map personal data based on parameters including person, state, access, and data type. This step enables businesses to fulfill data access rights at scale, support consent governance, and monitor and report third-party data sharing.

4. Get ahead of data risk

Sophisticated tools can be leveraged to measure the criticality of personal data by factors such as data sensitivity, location, access, and associated consent. This approach allows businesses to customize multiple risk models and tailor them to the requirements of targeted customers and employees.

Machine learning embedded in the technology landscape can generate actionable recommendations for investigating and remediating gaps in data privacy and protection. The capability can also identify and tag files that require additional attention and action to prevent data loss proactively, monitor database activity continuously, and manage data access rights confidently.

5. Integrate data privacy and protection through the business

During acquisition integration, fulfilling data access rights at scale is critical when integrating databases, applications, and devices. Businesses should enable data-driven RoPA and consent governance and monitor and report on third-party data sharing. They must also apply policies and ongoing data discovery to continuously validate deletion requests against data processing activities and support proactive compliance.

Empowering a new era of data trust

Think about the original reason for acquiring or merging with another business. Most likely, it’s the desire to unite forces or build a larger and more profitable presence in a changing marketplace. Considering what’s at stake, mistakes at any point in the M&A process are too expensive – and at times, bordering on unrecoverable.

Every business involved in an M&A effort must pay attention to every aspect of data privacy and protection – from inventorying structured and unstructured information to data mapping, integration, and compliance. When executed well, the combined enterprise stands to benefit from a level of strength that can position it well financially, strategically, and legally. And most importantly, it becomes a brand that every customer can trust.

Want to know how SAP can help? Learn about SAP Solution Extensions from BigID.

Did you miss blog #1 in the Data Privacy and Protection series? Read about building trustworthy experiences with your customers’ personal data.