Assessing the Target’s Data in the Context of a Transaction
For an increasing number of companies, data is at the heart of a transaction, and for nearly all businesses, regardless of
industry sector, it is essential to pay close attention to the privacy and cybersecurity risks associated with a given target.
Accordingly, an acquiring entity’s primary task is to conduct due diligence concerning the target entity. One element of
such diligence is to ask penetrating questions about the target’s privacy and data security practices. Relevant inquiries
might include the following:
• In which jurisdictions does the target operate?
• Is the company in material compliance with relevant privacy and data security laws in all the jurisdictions
in which it operates?
• What kinds of data processing activities does the target perform?
• Are any such processing activities high risk (e.g., systematic monitoring of the behavior of individuals)?
• Does the target process highly regulated data, such as financial data subject to the Gramm-Leach-Bliley
Act? Does the target process sensitive data, such as health or children’s data?
• For what purposes does the company use the personal information it collects?
• To what categories of third parties does the company disclose the information?
• Where and how does the company store the personal information it obtains?
• What security safeguards are used to protect the information?
Bloomberg Law ©2019 The Bureau of National Affairs, Inc. 5
• Does the company have dedicated employees who are responsible for data privacy and information
• Does the company engage in cross-border data transfers?
• Has the company received any complaints or significant correspondence, or been the subject of an
investigation or audit, regarding privacy or information security from or by relevant regulators, courts,
consumers, employees, or others?
• Has the company been accused of any violations of privacy or data security laws?
• Has the company suffered any cybersecurity events or information security breaches in which personal
information or other business confidential information has been compromised? Were those events
material or systematic?
Clique aqui e leia o artigo.