How Data Privacy and the Right to be Forgotten Impact Mergers & Acquisitions

Introduction

Since the introduction of data privacy laws such as GDPR (in Europe), CCPA (in California) and many similar regulations in other jurisdictions, public awareness about data privacy has soared.

As we live in a digital era, data privacy should be a quintessential human right. While we are not there yet, regulations are starting to stand on the side of the citizen. Let’s first recapitulate on data privacy before covering our main topic.

Data Privacy Primer

As we begin this blog post series with ComplyTrust® Inc., we would like to introduce a few concepts such as Personally Identifiable Information as well as the Right to be Forgotten.

Personally Identifiable Information

Every human generates data and is a data subject, at the very least from a vital records perspective. As we grow, more information such as bank account references, phone numbers, addresses and so on increases our “metadata” – we become more complete “records”.

When we purchase goods / services or perform everyday acts, we often need to give out essential information to complete the transaction or activity. And the more data we are willing (or forced) to give out, the more uniquely identifiable we become.

This data is stored somewhere, sometimes simply as a record track. Even if customer data is stored separately from transaction data, the ability to link a transaction to a person makes the transaction data become Personally Identifiable Information (PII) – it allows the organization to trace back to a unique individual.

Why Data Privacy is Important

There are many cases where PII is essential and required for tracking a record. Signing up for a mortgage or applying for a new car registration are a couple of examples; legal proceedings are another. There is also a broad range of life situations where the law requires data to be retained.

But for other situations, legislators have recognized a right to privacy. Laws such as GDPR and CCPA are the direct consequence of years of abusive customer targeting by unscrupulous or blissfully ignorant organizations, for whom the collection and re-use of PII for commercial purposes was normal practice. Those practices degenerated into aggressive and focused targeting of consumers based on age, interests, personal opinions, race, location and many more criteria, even giving birth to questionable business models with dystopian characteristics.

Getting Back in Control: The Right to be Forgotten

Data privacy laws have empowered consumers to take back their privacy with several tools. The Right to be Forgotten (RtbF) is one of these. At any time, a consumer (or subject) can reach out to an organization to check if it possesses any of their data. If the organization has such data, and provided that it is not obliged by law to keep specific records, the consumer can exercise their right to be forgotten.

An organization receiving an RtbF request will have to identify and erase any personally identifiable information about the subject and inform the subject that the data has been permanently erased. This has several implications because of data’s pervasiveness, but we will not address this here.

RtbF in the Context of Mergers and Acquisitions

Although a subject may have successfully exercised their RtbF against an organization holding their PII, situations may arise in which the subject is contacted again by that organization. In the simplest of cases, it might simply be because the subject re-used the services of that organization, which caused data to be provided and stored again.

Mergers & Acquisitions (M&A) can significantly complicate an organization’s ability to maintain compliance with privacy regulations. One of the outcomes of M&A activities is the co-existence and eventual convergence of IT systems and systems of record such as customer / transaction databases.

M&A activities can last months or years, and the outcome may not always be successful. TECHunplugged has witnessed acquisitions where data migration and infrastructure consolidation activities took years to complete, ending with a re-sale of the purchased company only a few months later, after results did not meet expectations.

From a privacy compliance perspective, the law does not care about your M&A activity. It expects the organization, no matter how transient its structure is, to uphold regulations and the consumers’ Right to be Forgotten. The approach and response to RtbF requests needs to be holistic, taking into consideration the entire organizational structure and systems.

But most importantly, organizations need to maintain compliance with previous requests. Imagine a customer, John Doe, who raised an RtbF request with Contoso Inc., a fictional company, and whose request was fulfilled. Contoso Inc. no longer has any PII about John Doe.

Months later, Contoso Inc. decides to acquire their competitor Tailspin Toys, another fictional company, with whom John Doe did business. John didn’t have an issue with Tailspin Toys and never cared about raising an RtbF request with Tailspin Toys.

Even if the data resides within Tailspin Toys’ systems while both organizations figure out how to consolidate, Contoso is now in charge. The outcome: the company is now in breach of privacy regulations, as it now holds data it was not supposed to be keeping anymore.

Through this example, we can see how M&As can directly impact the Right to be Forgotten. If we scale this single RtbF request up, the impact could be in the thousands to hundreds of thousands of breaches. Should an audit take place during this timeframe, the company could face significant risk: financial (fines), reputational (loss of public trust) and potentially regulatory impact if the organization operates in a regulated vertical, keeping in mind that the more widespread breaches are, the more severe the impact is.

TECHunplugged’s Opinion

With this initial post, we briefly covered Personally Identifiable Information, Data Privacy as well as Right to be Forgotten concepts, to explain why these concepts matter, and what is at stake, to set the context.

For administrators and organizations, RtbF is a tricky topic. Removing records once is eventually achievable, provided we know where customer data is stored, and our systems allow for the data to be eradicated. The challenge is to ensure continuous compliance. Not only continuous compliance within the boundaries of our own systems and infrastructure, but also in the face of business decisions taken.

To comply with regulations, retain the trust of their customers and mitigate regulatory, financial and reputational risk, organizations need to implement continuous compliance monitoring to ensure that RtbF-related requests are not only addressed upon receipt, but that their enforcement remains consistent over time, regardless of structural changes within the organization, such as M&A activities.

ComplyTrust®, an innovative vendor that focuses on continuous data privacy compliance, has built Forget-Me-Yes® to address those challenges, and give organizations assurance that they are adhering to data privacy regulations.

Stay tuned in the coming weeks as TECHunplugged and ComplyTrust® continue to cover data privacy related matters as well as the Forget-Me-Yes® SaaS platform in more detail.

by Max Mortillaro