This second post in the series is focused on an area that our team, and my work, is heavily involved in: the data and privacy issues associated with M&A, and the regulatory clearance processes that are increasingly associated with getting the deal through.
Data issues have become intrinsically linked to company risk and value. As such, data is now impacting the M&A decision-making process, antitrust compliance and the documents considered in merger clearance investigations.
Exploring the work that we do in the logical order of M&A, the first area is the need for acquiring or merging entities to consider the data implications during the early stages of a potential deal. This includes conducting privacy, security and technical risk assessments during due diligence, and adjusting valuation or other deal variables when red flags are uncovered. This must go beyond the framework of a standard risk assessment to evaluate the business purposes for the transaction, what long-term regulatory issues are likely to emerge from the data involved and how the two organisations will integrate governance policies and practices after closing.
Competition authorities are also paying increasing attention to whether a company’s acquired access to personal data distorts the ability for others to compete in the market. My colleague Sonia Cheng recently wrote that cases have arisen in which competition authorities are scrutinising failures to comply with data protection laws as a way to examine competition abuses, such as industry leaders leveraging customer data in ways not compliant with GDPR to influence market power and competitive advantage.
Merger clearance reviews that are now occurring with increasing frequency across the U.K. and Europe are another key area. Competition authorities are now heavily focused on the review of internal documents as part of that process. They’re very interested in what a company is saying behind closed doors in relation to a pending transaction, as well as the company’s own views on market share and the competitive landscape.
These internal document requests often require organisations to disclose hundreds of thousands, or in some cases millions, of internal documents to authorities. The scope is no longer limited to the traditional sources of the past, such as e-mails, but has expanded to include collaboration platforms, instant messaging and text messages, as they provide rich insight into how employees are talking about a pending deal.
We continue to see regulators struggling to come to grips with the data landscape in large corporations, and the complexity and impact of the data requests they are making. In most cases, they are asking organisations to respond in weeks for discovery exercises that would typically require months, and we’re increasingly being brought into the negotiations to highlight the technical reality of what can actually be achieved.
Without a highly mature IT and data governance structure, a sweeping internal document request can be incredibly challenging within the tight timetables that are expected. In addition to establishing governance measures that mitigate data volumes and increase control over the organisation’s data universe, AI and other advanced analytics techniques can be leveraged to shorten response times. With analytics, teams can prioritise review of the most responsive documents and ensure delivery of relevant information within the timeframe required. My colleague Ashley Brickles recently led an in-depth webinar discussing the procedural aspects of complying with merger clearance investigations, and how they’re evolving with the increasing complexity of the corporate data landscape.
The key to dealing with these rapidly emerging issues is to be prepared. The more work that can be done in advance of the deal being scrutinised, the less burdensome the overall investigative process will become. In the preparatory phases, and in the throes of working through the varied data challenges associated with the deal, corporations need to partner with counsel and experts who have experience with high-stakes merger clearance investigations and compliance obligations arising under various data privacy regimes.
Finally, the remedies that are being required by the competition authorities to enable a deal to go ahead increasingly have data-driven components: be it in the solution to the divestiture of part of the corporation (such as, how is the data and the corporate IP going to be separated between two entities?), or the implementation of a data-driven remedy (e.g., ringfencing of data or governance frameworks to ensure aspects of customer data aren’t combined between two entities).
In the next post, I’ll discuss data privacy and broader IG issues corporations need to watch in the coming year.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.