In an era of increased M&A transactions, organizations must understand the risks and potential liabilities associated with the personal information they obtain on their customers, vendors, and employees. Investors are increasingly engaging sophisticated data privacy counsel in the due diligence process. Organizations looking to form a strategic alliance, refinance their debt or secure their next round of seed funding will need to be able to respond to very specific questions about their data privacy program prior to the deal closing.
If you are responsible for data privacy in your organization, whether as part of the legal function or in some other cross-functional role, consider the following requests we have seen during the due diligence process and how you would respond to a potential investor.
- Provide an overview of the company’s privacy compliance program.
- Provide approved and actual privacy program budgets for the last three years.
- Provide details of the diligence that the organization carries out on third party service providers.
- Identify the extent to which the organization hosts customer data, whether on its cloud instance or on local servers.
- Describe the steps the organization has taken to ensure compliance with marketing laws such as CAN-SPAM and TCPA.
- Describe the steps taken by the organization following Brexit.
- Confirm whether the organization’s data processor agreements include the GDPR Article 28 contractual provisions and cross-border transfer mechanism.
Is your data inventory in a good enough shape to turn over to an investor for review? Do you have a procedure for responding to consumer complaints? Do you have a privacy budget and a plan for your privacy program?
If you anticipate M&A in your future, now is the time to ensure you have a budget to support privacy requirements. Whether starting from scratch or building on an existing privacy program, your budget should consider the volume and sensitivity of the data you process, the size of your company and the industry you are in, the maturity of your current privacy program, and any planned IT and privacy tool investments.
The larger and the more data-intensive a company is, the more likely it has a managed privacy program in place. In that case, you will have to plan for the running costs of the program as well as future changes, such as managing consumer complaints, operationalizing data retention policies, and performing due diligence on third-party vendors. Should you not have a formal privacy program, you will have to plan for one, including potentially hiring staff and investing in technology to support the program.
If your data privacy budget needs a lift, consider your M&A strategy and the criteria that your new investor may consider as part of your next equity event.