The B2B Podcast Index
Privacy in Practice

Privacy in M&A: Getting Acquisition-Ready

Privacy in Practice · 2026-05-12 · 47 min

Substance score

52 / 100

Five dimensions, 20 points each

Insight Density: 11 / 20
Originality: 9 / 20
Guest Caliber: 13 / 20
Specificity & Evidence: 9 / 20
Conversational Craft: 10 / 20

What our scoring noted

Our reviewer’s read on each dimension, with quotes from the episode.

Insight Density

11 / 20

The episode contains a handful of genuinely useful practitioner observations - notably that incident response quality matters more than breach severity, and that privacy diligence is contextual rather than document-heavy - but these are interspersed with long stretches of obvious advice ('start early,' 'invest in people,' 'keep good records') and conversational filler that significantly dilutes the signal-to-noise ratio.

"more important than what was the breach itself and what was the scale of it...is understanding how the company responded and addressed it"
"privacy diligence happens a bit differently than other areas of diligence in a corporate transaction...whereas privacy is very contextual. It's very goal oriented"

Originality

9 / 20

There is one genuinely counterintuitive observation - that over-disclosure can itself become a red flag that spooks buyers - and the framing of investment rounds as 'forcing functions for maturity' is reasonably fresh, but the bulk of the episode recycles well-worn M&A and privacy compliance talking points without offering a contrarian or first-principles perspective.

"as you get inundated with this information, it just raises more questions...if the seller is disclosing things that aren't actually material or aren't responsive to the reps, then you start to wonder, well, what's really going on here?"
"investment rounds and acquisitions are forcing factors for that maturity because these are the moments when companies are leveling up"

Guest Caliber

13 / 20

Gabe is a genuine M&A privacy practitioner at a reputable law firm (Goodwin) who advises clients across the full deal lifecycle from both buy- and sell-side; he has real deal experience and started at the IAPP, making him a credible practitioner rather than a thought-leader or career podcast guest, though he is not an operator who has personally built or scaled a company.

"I came to a firm that has a really robust startup practice. We advise a lot of fast growth companies that are looking for their exit, looking for an investment, and we advise them on the whole life cycle"
"Our client was looking to acquire a company that did sort of...bought data about consumers and sold sensitive inferences about them to its customers...ultimately scuttled the deal"

Specificity & Evidence

9 / 20

The episode offers a few concrete anchors - the anonymised data broker deal that was killed, the California AG Disney settlement, Illinois biometric consent, and South Africa's POPIA covering corporate data - but the majority of responses retreat to vague generalisations ('it depends on the industry,' 'the range is quite vast'), and no dollar figures, deal sizes, or named company targets appear in the practitioner examples.

"they happen to use biometric verification software for employees who come in in Illinois and didn't get consent. And now all of a sudden this minor employment practice is the star of the show"
"South Africa's Protection of Personal Information Act covers corporate data as if it's people's data"

Conversational Craft

10 / 20

The hosts ask some targeted follow-up questions (PE vs. tech buyer distinctions, the AI rep 'wild west,' security incident disclosure thresholds) and the 'what haven't we asked you' close is a good craft move, but the conversation is repeatedly interrupted by unchallenged affirmations, the hosts frequently answer their own questions, and there is no meaningful pushback on any of the guest's claims.

"I love that answer. That's good."
"Do you see a difference in kind of what those different types of buyers are looking for in terms of sort of privacy, status, compliance"

Conversation analysis

Computed from the transcript - who did the talking, and the verbal tics along the way.

Share of words spoken

  • Speaker A: 49%
  • Speaker B: 27%
  • Speaker C: 24%

Filler words

  • so: 84
  • sort of: 39
  • like: 35
  • right: 19
  • you know: 18
  • kind of: 14
  • actually: 13
  • I mean: 4
  • obviously: 4
  • anyway: 2

Episode notes

In this episode of Privacy in Practice, Kellie du Preez and Danie Strachan speak with Gabe Maldoff, a partner in Goodwin’s Data, Privacy, and Cybersecurity practice, about privacy in mergers and acquisitions. The conversation explores why investment rounds and acquisitions often become forcing factors for privacy maturity, especially for startups and fast-growth companies preparing for their next stage of growth. The discussion covers what sellers should prepare before due diligence, how privacy representations work in transaction documents, when disclosure is legally required versus strategically useful, and why the way a company explains its privacy posture can matter as much as any underlying issues.

Full transcript

47 min

Transcribed and scored by The B2B Podcast Index.

If you can't provide solid answers on those questions, even if the answers might not be always favorable, if you can't provide certainty, then the buyer doesn't know how to price what they're getting. So that's really the biggest thing. A lack of transparency or insufficient knowledge to be able to provide transparency and trust. Welcome to Privacy in Practice, the podcast where we bring you the latest insights, practical solutions and real world stories from the world of data protection and privacy. I'm Kellie du Preez. And I'm Danie Strachan. Privacy in Practice is brought to you by VeriSafe, your trusted partner in privacy and data protection. In this podcast we dig into the challenges and opportunities in privacy compliance, from navigating complex regulations to building a sustainable privacy program that works for your business, not against it. So let's jump in and get practical with privacy. Today we are excited to dive into privacy considerations in M and A, especially from the perspective of startups preparing for acquisition and what acquirers really look for when evaluating privacy programs. Welcome, Gabe, thank you so much for joining us on the podcast. Thanks for having me. Great to be here. So today we're talking about privacy and M and A. So M and A, mergers and acquisitions. For some of our listeners that might think that they've now ended up with the wrong podcast. Why? Why are we talking about privacy and M and A? And maybe to explain that if you can tell us your story. How did you end up previously advising generally on corporate transactions and the like, and now you're in data privacy within the context of M and A. How did that happen? Well, so I started the reverse actually. I started my career at the IAPP doing a privacy fellowship and have been practicing in this space for a long time. When I moved over to Goodwin about four and a half years ago, I came to a firm that has a really robust startup practice. 
We advise a lot of fast growth companies that are looking for their exit, looking for an investment, and we advise them on the whole life cycle and that means helping them approach the market. So we help them do the compliance work and then we also help them if fortunately they sell or receive another investment round, we help them navigate that. We also have clients that are on the larger side and are trying to grow through acquisitions. So we advise on the other side of the market too. So I came to it from privacy, but it's part of providing a whole sort of lifecycle service to our clients. Gabe, you and I first met on one such situation with sort of a mutual client going through this process. And we were just talking a little bit earlier, you and I, about how sometimes this kind of activity is a primary driver in a company's decision to focus on privacy and can be a very important lens through which to see their understandably significant cost and effort spend on a compliance activity like privacy. And I guess that's the first point we want to make is, you know, if you are a startup or you are any of the types of formation or situations you just named Gabe, if you're a company in that situation, privacy might not be the first thing you're thinking about. You might think about, you know, growth or, you know, more subscribers or whatever it is, but privacy should be a part of it for the reasons that we're going to talk about. And that's a theme I hope we'll. We'll pull out over the course of today. So let's start there. Gabe, why should founders be kind of thinking about privacy? Yeah, well, I think what you said is exactly right. If you're just starting a company, the most important thing is, will this company survive and thrive? And that comes before sort of regulatory risks, risks of investigations and claims. Those are things you manage and hopefully address as you mature. 
And the way I see it, investment rounds and acquisitions are forcing factors for that maturity because these are the moments when companies are leveling up. And in order to proceed to the next level, you need to show that you deserve to be there. And that means not only that you have a great product, but that you're starting to do the right things that a mature company is expected to do, and as you grow, eventually will be held to a higher standard. So we have so many of our clients expand and they acquire other companies, and we often get involved because then the question is, so what is the target company's privacy posture looking like? And then often we, I'm afraid, also see situations where the deal can't go ahead because something is not right when it comes to privacy at the target. In your experience, though, what are the biggest privacy deal breakers in transactions? Yeah, well, it sounds like you've had similar experience in this space, and if you're involved, then hopefully this isn't the primary deal breaker. But what we see is often a big issue is where the target company doesn't have a handle on what's happening and therefore can't provide enough certainty on the questions that are being asked in critical areas for the company. It is important to sort of understand what industry you're in. What really are the critical vulnerabilities that an acquirer will focus on. And if you can't provide solid answers on those questions, even if the answers might not be always favorable, if you can't provide certainty, then the buyer doesn't know how to price what they're getting. So that's really the biggest thing. A lack of transparency or insufficient knowledge to be able to provide transparency and trust. You said this when we were talking earlier, Gabe. 
I really liked this, that part of your job is to help the team speak clearly and correctly about their product, but also I suppose, inherent in that data governance or consent collection or AI training modules, et cetera. Can you speak a little bit more about that? Because I loved what you said about that, that this is almost as much teaching people how to talk about a thing as it is the compliance. Yeah, Well, I think all of us here are privacy nerds and exist in an ecosystem where we have a jargon and are familiar with it. And what I've noticed is that these transactions are one of those moments where that weird little world we're in intersects with the rest of the world. And if you can't sort of bridge that language divide, it can be really hard to generate that trust that allows the transaction to go forward. And I see it in both directions. If you don't have sufficient understanding of what are the critical issues, then on the acquirer side, you can spend all sorts of time chasing down every rabbit hole. Data flows in a lot of places. You're never going to have a perfect picture of where everything goes and what it does. But can you sort of isolate what are the really important questions and target those that can help speed the transaction along? And then on the sell side, you're thinking about how you present yourself to the buyer and you're talking to two audiences. One is the company CEO and board of directors, who are sort of looking at this as a whole. And privacy is a small piece, so you need to help them understand where you fit there. But often they've engaged specialist advisors who are in our world and do speak our language and will drill down on those questions in the areas that matter. So you do need to be able to talk to them and have enough familiarity with the concepts that you can make them feel comfortable that essentially you know what your gaps are, you know what you've addressed, and you can provide confident answers about where you stand. 
I'm glad you've raised that, because communication is key when it comes to privacy, because it is unfortunately a bit of a niche field and there's a lot of jargon and There are lots of misconceptions as well. And I think, as you've mentioned, that's why it's so important to get the right experts involved from the beginning. I've seen it too many times where the transactions already put together and you're already a very long way down the road. And then people start asking about privacy. And sometimes you then even have to go back to the drawing board, depending on what kind of business or company you're talking about. So it's so important to involve us as privacy lawyers from the beginning if there's a transaction to say, okay, well, you better look at this. So if we are acting for the seller to look at the house and see is it an order? What are we going to explain to the purchaser? Where are the gaps that we need to plug now? Because when there are privacy people get involved, they're going to immediately ask about this or point at that, and then we might be in a difficult spot. So it's better to get that sorted out sooner than later. And I think one of the key areas to focus on here is the due diligence phase, because as a seller, you have to get things ready for the purchaser to look into. And obviously the purchaser is interested in a lot of stuff. So when it comes to due diligence and then ultimately when you're looking at the contracts, what do you disclose? What do you make available? How far do you go? Obviously, depending on if you're acting for the seller or not, you don't want to over disclose and sort of create ghosts where there aren't issues. But how would you approach that? How would you advise an organization when it comes to disclosure in the due diligence phase, but also what you put in the contract? Yeah, I'll come back to the question about disclosure, but I just want to amplify the point about getting started early. I think that's really right. 
I liked your house analogy. If you're selling a house, yes, you can slap on a bit of paint right before you put it on the market, and that probably will sort of grease the deal at the margins. And we as advisors obviously have to meet our clients where they are and help them get through no matter what stage they're at. But if you really want to increase the value of the house, you probably need to start on those renovations earlier so that you're taking steps that really show that it should be in a different market than the one it's currently valued in. So I think that's exactly right. You do want to start too early. Now, of course, founders have all sorts of priorities and you need to right size where privacy fits. And that's going to be different depending on the industry the company's in, what type of data it's collecting, and its maturity, the maturity of its customers. So there are lots of contextual factors that affect that. And I think you'd probably also recognize this too, that starting early doesn't mean it has to be a huge project. There are a lot of sort of lighter things you can do that, if you do them early, really help, like updating a privacy policy in a way that clearly describes the business and doesn't have a timestamp the day before the company went on the market. That can sort of really quickly show a lot more maturity. Can you actually just quickly, Gabe, talk through the steps? Let's assume people listening might not have gone through this process yet. Can you just quickly talk through the steps of kind of how this unfolds from the moment the founder wakes up and says, yes, I'm going to sell this company to, you know, when they're celebrating on the beach? Yeah, sure. So there can be different processes for how it goes on the market, whether you accept competitive bids or whether a potential acquirer comes to you directly with an offer. 
But then the first sort of transaction document that's negotiated as the letter of intent, which will set out the basic terms of the deal and often will include parameters around what level of privacy maturity, among other compliance matters that will be expected if there's an agreement to move forward at that stage, and there might be some limited diligence that happens at that stage too, to inform that letter of intent if it proceeds beyond that stage. The next step is the negotiation of the actual transaction document, which will have privacy, security and increasingly AI reps in it. And those reps are simultaneously informing the due diligence process. So the acquirer will ask the seller to provide information about the company, to provide documents, and to make disclosures against the reps if there are any issues where the company feels it can't comply. And an example of a rep might be something like, you've never gotten in trouble for privacy before would be better worded than that. But that might be a takeaway. Can you give us an example or two of what kind of reps you might see? Yeah, absolutely. That's exactly right. So almost every transaction that has sort of data as an element will have at least a rep that you've complied with privacy laws, at least a rep about security incidents, at least A rep about claims or investigations. And then beyond that, the reps may vary depending on the nature of the deal. So if you're buying a company that has a lot of kids data, you might want reps around that. If you're buying a company like the one we worked on together, that's in the B2B space, there may be reps around customer contracts and how you've handled sort of enterprise data. And also like that deal, if AI is a significant component, we're seeing growing lists of AI reps that are really all over the place at the moment. 
Yeah, it's interesting to see and it's interesting you gave me really good advice in that process because it's very easy to get wrapped up in the little bits of the language in that. And I remember you saying the hat that you wear, you have to think about the hat that you're wearing as a lawyer in those. I mean, I promise, Danie, I'm building to your really good question. You have to think about the hat that you're wearing and the perspective that you're bringing to all these conversations. And you know, what's your job as a, as a privacy lawyer, you know, in this situation and you know, your job as the outside counsel, Gabe, versus our job as the in house DPO might be very different in this process. And I think that can maybe. Okay, now let's talk about what you say, when, how and what. But that. That can also inform that answer. Yes, exactly. So at root, there are really two drivers here. There's a legal obligation and then there's also the sort of business lens to this. You are joining two companies or engaging in a process where you'll have an investment and some ongoing relationship. So there's an equally important component around how you manage that relationship so that it's productive going forward. On the legal side, there's not a whole lot of nuance to what you're trying to do. One side wants the reps to be as protective as possible, keeping in mind what's sort of industry standard and reasonable to ask in that context. And the other side wants those reps to be on the lighter end so that we're not forcing disclosures and we're not extending a due diligence process that might reveal things that over time could compromise the transaction. And then what you have to disclose really depends on where you end up on those reps. 
So there's the legal point, first of, do you have to disclose under the contract, are you making a rep that you can't stand behind and if you are, then you absolutely need an exception and a disclosure so that you're not, you know, at worst committing fraud or breaching the reps. So the legal drives the mandatory minimum for disclosure. But then companies often think about disclosing beyond what the reps require because it might just be prudent in terms of your long term relationship or in terms of avoiding surprises to share everything. And that is sort of a separate strategic question which is informed by the legal analysis but sits within the broader relationship between the companies. It also depends on the type of company you're involved in and the relevant industry. If it's a multinational business or a regional business, you have to be very careful and circumspect because your purchaser might want to ask all sorts of complicated questions and you might not have answers for those unless you're prepared. So you have to have your house in order and be ready to answer awkward and difficult questions. Because I'm just thinking, for example, in some African countries you have to be registered in order to process personal data. And in some African countries, again, you need prior authorization to do processing. So the purchaser will probably appoint someone who has knowledge about those laws and they'll start asking those questions. And then it will look rather bad if you don't even know that you were supposed to be registered or that you didn't get prior authorization. So it just shows how important it is to make sure that you have a mature privacy compliance program, because one day your angel investor might arrive or you might want to sell. And then if at that stage your privacy program isn't looking good, you might not be able to rake in all those dollars that you otherwise might have been entitled to. Yeah, totally. 
And it also reflects how you disclose matters as much as whether you disclose. So putting the appropriate context around it so that the other side can understand and quickly evaluate where it fits on their risk continuum is important. We've seen examples where companies are trying to be proactive and disclose things that really aren't an issue. And you would think that from the buyer's side, oh, that's great. Now we have more information, more disclosure, that's better. But as you get inundated with this information, it just raises more questions. And especially if the seller is disclosing things that aren't actually material or aren't responsive to the reps, then you start to wonder, well, what's really going on here? Why are they doing this? Is there something behind this that we need to be looking deeper at? And often the answer is no. It might Just be the way they communicated it. I think that's really a nice and. And also complicated point. And maybe we could dig into it a little bit with security incidents, because that's a rep that I think probably comes up in every deal. And then there's this question of what do you disclose? And I think every company has had something whether it's a true data breach that's reportable and has financial implications, or whether it's a, oh, we shouldn't have done that, but no one saw it, or it just was a bad email to the wrong customer, whatever. And I think maybe could you speak to that one a little bit, Gabe? Like what? How do you decide what wobbles in the security space you should be disclosing in the context of a representation about security incidents? Yeah, this is really tricky. In fact, specific, you want to sort of understand exactly what happened. And often more important than what was the breach itself and what was the scale of it. That, of course, is important. If this is a really big breach, if it's really sensitive data, that's a bigger deal than if it's an unsuccessful phishing attempt. 
But more important than that is understanding how the company responded and addressed it. Because at the end of the day, what we're trying to do through this process is make sure we're appropriately allocating and assessing the value and risks associated with the company. And so if you have confidence that the company did a proper investigation, uncovered the facts, hired specialized advisors to really get to the bottom of it, and took ownership of the incident, did the notifications that were required, a really big incident can be a much less big deal. Yes, there are still risks. Yes, there may be complications on the back end, but at least at that point we know that the facts are solid and you can work from there as a starting point. I love that answer. That's good. Comforting also, in a way. Well, I mean, everybody gets hit with a security incident, so in a sense, you can't control it. And the law doesn't require perfection. What it requires is that you're, you know, trying to doing what's reasonable to avoid it and taking appropriate responsibility to try to avoid harms to individuals. I'm glad you guys have raised security incidents because I was actually chatting to a client about a potential acquisition the other day, and in that case there are a number of potential acquirers and they all want to now dig in and, and go and have a look at the company and its records and its data. And you have to be very careful there to make sure. That you are actually disclosing the right stuff, but not unnecessarily disclosing people's personal data without your privacy, not discovering it or having some other kind of form of authorization because you don't want to end up creating an authorized disclosure or even a breach because you're so keen on being acquired. Yes, that's a good point too. One last question on the reps point. You alluded to this earlier, Gabe, but the AI reps seem to be a bit of a wild west. 
Can you talk about a little bit of what you've been seeing there and range of what people should kind of expect? Yeah, well, the range is quite vast. At one end of the spectrum there might be nothing. A lot of deals still don't have AI reps and often that's appropriate. And then in the middle you see reps around compliance with these emerging AI laws, reps around use of sensitive or confidential information for training third party models. That's a big one that we see a lot. At the really high end of the spectrum, and Kellie, you and I experienced this together, you see reps around policies and procedures designed to address error, bias, discrimination. You see reps around the provenance of all the data used to train and fine tune these models. So there really can be quite a broad range. I think one area that surprised me in our situation and also that I think is timely for many of the clients Danie and I are working with now is the vendor stuff. So the idea that, I mean you could potentially be asked which vendors you are using are using AI with your data. So not just you're not, it's not that you're building an AI system or you're training an AI model, it's hey, how many of your marketing team have downloaded ChatGPT or this or that or whatever on their phones and are using it? You know, like it's the full range potentially, arguably depending on how it's written, of AI use across the whole company and then also exactly what policies are in place, how do you follow it? And I think there's a lot of companies that this is on their wish list to understand this and to build policies around AI use and to actually grasp exactly who's using AI where in the company, but it's on a wish list, it's not necessarily done. And I think that's an interesting one to pull out and note could come up in a process like this. Yeah, definitely. I should not be trying to predict the future, but my hope is that some of this will fall away. We used to see some of that in privacy too. 
Remember when GDPR first came out, all of a sudden there was a lot of focus on the supply chain issue. Where is data going? And so we started seeing very heavy reps, really trying to force disclosure of all companies in the data chain. And I think over time we've gotten a lot more comfortable with the idea that there are processors and sub processors. And that doesn't mean the reps have fallen away completely. We do still see reps around ensuring that you have the right contracts in place down your supply chain. But we've stopped seeing reps that force disclosure of every vendor that touches personal data because it's just impossible. And to what end? And I think AI is kind of moving in the same direction. It's moving into every product and Service. You know, ChatGPT is being used like Google. It's not really reasonable to police every single AI prompt or query, let alone every vendor that has embedded AI. But it probably will be reasonable as market practice evolves to ask that you have adopted appropriate standards in reviewing the way AI is used by these vendors, and that you have an appropriate program and contracts to ensure that there aren't sort of AI related risks as a result of using these vendors. So when it comes to getting your organization to potentially be acquisition ready, how much should an organization spend on privacy compliance to get their house in order? So if you're talking about the renovations, how much should you spend on this house in order to get it sold and to get it sold for a good price? How do you find the right balance between being lean but also being ready for that dream acquisition? Yeah, it's impossible to put a number on it, but to the extent you can, it is about the industry you're in and what the market expectations are of a company of your size and maturity doing what you do. And that's going to vary considerably if you're sort of making machinery. 
I don't think people are going to be that focused on your data practices and you can probably get away with less even though you might have personal data. But if you're in a highly regulated industry where there are a lot of sophisticated actors and you're playing in that space, you're selling to sophisticated customers, there's going to be a lot more expectation that you've done the homework. Because it's not just about sort of avoiding monsters in the closet in terms of potential gaps that existed, but also being able to grow and excel in that market space is going to require a maturity that's commensurate with what your customers will expect. I'm going to get on a soapbox for a quick second and say, as you guys were both saying earlier about the earlier the better. And I think people sometimes forget that privacy is really about data governance. I mean, it's about many other things too. It's about human rights and et cetera, but it's also about data governance. And so for many companies investing early in understanding your data, where you have it, who's processing it, like what vendors you're using, and just, just record keeping around it is actually going to put you in incredibly good stead from a privacy compliance perspective. But it's also going to put you in incredibly good stead in many cases, industries, from like a build perspective, understanding what's possible and where information is and making everything efficient. And I know often in these contexts you're just trying to build the thing as fast as possible and you're just trying, you're sort of optimizing. You have to pick what you optimize for. And often you're optimizing for like a shippable product, you know, and that shippable product. You may not have time to have really good record keeping about sort of what pieces went into it and what underlies it. But later it's going to be important to know what's in it. 
A simple example might be like, what soft, like, did you use open source code or software development kits? Now, like, that's kind of in the weeds. But like those sorts of things have privacy implications. They also have data governance implications. Like, it's just good to know in case there's a patch or something goes wrong or it turns out that it was a bad thing to use or someone didn't check it properly. So I, I want to just make the pitch that privacy by design could be as simple as good record keeping. And I think that's a really good first step is good record keeping. And then to your point, Gabe, about the privacy notice, I said I was going to come back to that. It's hard to write a good privacy notice without understanding good data record keeping. And I think that one thing we're seeing more and more is in some of these lawsuits from the FTC, especially a little while ago, and then now with like the California AG stuff like the Disney settlement, they talk about privacy notices being deceptive or misleading or false even. And I think that that's a risk that you want to be really careful of, careful to avoid or not stumble into by virtue of sort of guessing at what data you have. So anyway, that is my soapbox. I am done. Keep good records.

Well, I completely agree. The one thing I would sort of gently push back on is that these companies are managing lots of different priorities. And we have seen examples where data mapping can go on forever to no end, but it is at the same time a sort of critical component. I think the way you can manage both of those imperatives is to first really focus on what are the critical areas for that business. So maybe start with a more limited scope. If there are certain processing activities, certain types of data you hold that are more sensitive, start there rather than trying to do everything at once. And then the other thing I would say exactly to your point, Kelly, is that use public-facing documents to drive this process.
So you have your privacy policy. Using that as a driver can help motivate the business to get to the bottom of what they're looking for and get you better results there. Similarly, if you're in the B2B context, using it to inform your DPA, your data processing agreement, so that customers understand what your business does, that you're better able to understand your customers' diligence questionnaires and help them get comfortable buying your product, those can be motivating for the business and can help sort of move this from being a quagmire to something that actually gets a business advantage or helps you get through a transaction.

Kelly, I actually want to ask you a question. We obviously help many organizations to build privacy programs and get them to mature spaces. If I have to use the home selling analogy again, if you were the inspector helping the purchaser to look for obvious, or maybe not so obvious issues in this dream home that they're keen on buying, what are sort of the key things that you would look out for? What carpet would you pick up to see what's under it? Or what would you look at the wall?

This is maybe TMI, but we just had a rat issue, so I would definitely look for rats. I'm just kidding.

Well, there are rats in some privacy programs, right? I suppose. So what's the equivalent here?

I actually feel like Gabe might be better equipped to answer this just because you've seen more from the perspective of kind of what goes wrong. But my initial instinct is actually going to steal from something you said earlier, Gabe, which is the level of calm and the level of ability to answer questions, which is not actually an answer. Right. From the perspective of like a privacy investment. But it's. Have you thought about this? Have you considered this? Have you started on this? Has this been a priority? And I would imagine that that tone tells you quite a lot. Yeah, I don't know Gabe, I'm sure you have a much better, more specific answer.
No, I agree with that. I think it's hard to answer in the abstract. If you gave us, you know, some scenarios, I'm sure we could tell you like for that company this would be the priority. For this one it might be something else. But if you wanted to level up and get at that calm that Kelly is suggesting, I would say maybe the place to invest is people. Not every company needs a DPO or Chief Privacy Officer. But it is really useful to have someone who owns this issue and can drive it forward, can be responsible for making sure that the program meets its milestones and can be communicated to executives and customers in the right way. So investing in people who are really invested in this is I think probably the single most lucrative investment you can make in privacy.

I think it's also important to get the, depending on the industry because as you said, it depends on the context but to, to get the basics also right. So if it is a multinational company and there are cross-border data transfers, how do you make them happen? What are you relying on? If you're the seller and your organization is established in the United States, are you certified to the Data Privacy Framework, for example, to make it easier to get data to you? Because I guess for many organizations that is key, making sure that data can keep on flowing. And if you are in a space where you process sensitive or special category data, do you have your data privacy or data protection impact assessments in place? Especially if you're in life sciences for example, and you have health info or children's information or political information or religious information. And that's why Kelly mentioned data mapping. It's so important to. You need to know what data you're dealing with because the purchaser will probably start asking you those questions. So what kind of data are you processing? Why are you using it? With whom are you sharing it?
I guess all those basic questions you need to be able to answer if there's going to be that meeting and they start firing these questions at you, your team needs to be prepared. And I suppose those are also the key things that you have to have in place just generally if you have a, if you want to have a strong and mature privacy program.

I was thinking about your very good point about like Gabe, about record keeping and data mapping and prioritization and spend and effort and time and all those good things. And I was thinking, well, you know, it's okay. It's probably good if you just started with like, okay, these are the systems we're using. This is a list of vendors. Like vendors have this data, you know, like sort of starting simply. But then I was thinking, in answer to your question, Donnie, another thing that I see occasionally is that should be a row in your data map, the legal basis for the data that you have. And I imagine that does trip up deals occasionally. If you needed to get consent and you didn't, or if you needed to disclose a legitimate interest in a privacy notice and you didn't. Have you seen that, Gabe, where data has become less valuable because the, the acquiree, what do we call them, the company getting acquired couldn't sort of show that they had all the right stuff, whether that's consent or I suppose, IP or something around the data itself.

Yeah. So I don't have an example that was focused on GDPR legal basis, but I do have one in the US where exactly the issue you're mentioning ultimately scuttled the deal. Our client was looking to acquire a company that did sort of. It bought data about consumers and sold sensitive inferences about them to its customers. So acting as a data broker for inferences that were sensitive and didn't have a good. This was around the time the FTC was starting to go after data brokers for selling sensitive data without consent.
It was also as we were seeing state laws coming online that required opt-in consent for sensitive data and specifically addressed inferences. And there was a federal proposal that would have done the same. And this company had not really thought hard about this question, it seemed, and ultimately couldn't get the buyer comfortable that they had built a sustainable business model that would work in the emerging regulatory environment.

I know, Gabe, you've seen a whole bunch of different deals with a whole bunch of different buyers. And you know the market right now. You might be bought by a company. You might also be bought by some kind of investment vehicle like private equity or something. Do you see a difference in kind of what those different types of buyers are looking for in terms of sort of privacy, status, compliance, all those sorts of things?

I don't think there's a major difference, but there are nuances. So often when it's a tech company buying another company, they're looking to integrate that business into their own service offering. And so you end up with this extra layer of questions which are not around: has the company complied? Has it done all the right stuff? But has it done it in a way that will unlock the value that we think we're going to get from this transaction? And so I think that is a sort of shift in mindset and requires a lot more sort of coordination around the goals of the transaction, which you see a little bit less in the private equity space.

I think maybe one example that I've seen is to that exact point. They almost don't want the target to have policies because they're going to get on our policies anyway. That matters less. But if they don't have a good data map, maybe that matters more.
Whereas for the private equity firm, maybe, maybe they actually want some of the policies and that's, I'm grossly generalizing, but maybe they want some of the policies and stuff in place because they want to close the gaps and so they can just carry on growing fast now? I don't know if that's fair from your perspective.

Yeah, that's a great point. I think you can still sort of see a desire for those policies with tech companies because the absence of them before might be a looming liability. So there is still some risk associated with that. But I think that is a great point. We do see tech companies or companies interested in acquiring for integration, sort of viewing it as less critical whether there are mature, robust practices in place.

This has been really helpful. Gabe, what haven't we asked you that we should have asked you?

Well, I guess what I would say in the M&A context is to build off what we were just talking about a moment ago. The thing that would be most useful. Privacy diligence happens a bit differently than other areas of diligence in a corporate transaction. In most areas of legal diligence, the legal work is very document heavy, whereas privacy is very contextual. It's very goal oriented and often requires an understanding of what the business does that isn't well documented. It requires almost understanding how the business operates and works in a way that might be more general and business focused than you would get if you're just looking at employment policies or corporate charters and documents. So the most helpful thing for us when we're advising companies in transactions is to get read in early on: what is the goal of this transaction? What does the business do? What is the market opportunity so that we can help look around the corners and see what would be the issues in the space they want to move?
I'd really like to emphasize that it is different to other types of due diligence because I don't want to really say this, but some parts of due diligence are a checkbox exercise. Do you have this certificate? Do you have that registration? Do you have that permit? Those kinds of issues. But when it comes to privacy, there is a checkbox. So do they have a data map? Do they have a privacy notice? Do they have DPAs, do they have DPIAs, et cetera. But it's also so important to check under the hood, to lift up the carpets and see what is really happening in that organization, because you might have the building blocks in place, but then the actual privacy operations are not in a good state. And I've seen that before where cosmetically it looks like they have a privacy program, but it's not been properly implemented. What are the data flows like? Who has access to this data? Is their data being shared without any kind of restriction or limit on this? Which third parties are they using? Sort of. Especially if it's, if it's a tech-driven organization or if it's marketing-tech driven. Which tools do they use? Which online partners do they have? Where is this data going? Do data subjects know where this data is going? What tabs and handles do they have on this data once it's moving to whatever tracking tech partner that the organization uses? Because those are also the things, I guess, that any organization needs to look at because otherwise you might get into trouble with the California AG or whoever because your tracking tech posture is not healthy.

Totally agree. And we're also covering such a wide subject matter, it might seem like a business that isn't high risk, but they happen to use biometric verification software for employees who come in in Illinois and didn't get consent. And now all of a sudden this minor employment practice is the star of the show in the transaction. So we really have to be sort of everywhere at once and know exactly how to focus our resources.
You really need to be on top of things because there are also some jurisdictions that catch people out. So for example, in South Africa, I think this is a very rare case. But South Africa's Protection of Personal Information Act covers corporate data as if it's people's data. I've seen this happen where in a transaction there's suddenly a whirlwind because everyone is now really worried, what does this now mean? So we have to protect companies' information. How do you do that? We were just used to protecting people's information. So are we at risk and what are the risks and how do we do this? Because of. We don't do this in any other jurisdiction. So you need to be aware of the quirks in some jurisdictions, and South Africa is just one example. There are lots of others where there are really unique or novel requirements. And you have to figure out how is that going to affect this company that you want to buy.

Yeah, totally. Another vote for getting people involved early that know what they're doing. I suppose maybe that's the biggest takeaway today. Yeah, maybe. Rapid fire. Gabe, three things the average company could do like today to start making themselves look more attractive as a target.

So number one, I would say, is privacy policy. It's out there. It's visible. Make sure it looks good. Number two is your vendor diligence. If you have vendors that are processing sensitive data, make sure you have contracts with them. Make sure they're appropriate and that you've sort of vetted them correctly. And then number three, I would say is incident response planning. Not every company will get hit with an incident, but a lot of them will. And what matters most is that you've responded appropriately.

It's been a really good discussion, very insightful, really thought provoking. Thanks so much, Gabe.

Thank you so much for having me. It's great to talk to you both.

It's such a pleasure. Kim, thank you so much for making time for us.

Oh, yeah, absolutely.
That's it for today's episode of Privacy in Practice, brought to you by VeraSafe. We hope today's insights help you navigate privacy challenges with confidence and clarity. If you enjoyed today's conversation, be sure to subscribe so you don't miss out on future episodes. And we'd love to hear from you: share your thoughts, questions, or suggestions for future topics. Send us an email to podcast@verasafe.com, and to learn more about VeraSafe's data protection and privacy services, you can visit us at verasafe.com. Until next time, best of luck in approaching your privacy challenges in a practical way. See you then.