By Bibitayo Emmanuel Ojo
Nigeria’s M&A environment is sizzling. A record of $3.8 billion deals were concluded in 2024. These transactions include high-profile businesses like Renaissance’s $2.4 billion acquisition of SPDC, Chappal Energies’ $860 million acquisition of TotalEnergies onshore assets, Seplat’s $800 million acquisition of MPNU, Oando’s $783 million acquisition of NAOC. Financial institutions are also not left out, such as the transaction of Access Pensions and ARM Pension that birthed Access ARM Pensions Limited, the acquisition of Rand Stockbrokers Ltd by Zedcrest and the low-key transaction between Providus Bank and Unity Bank, among others.
Amid the frenzy, a fundamental risk gets overlooked: data protection.
In carrying out a M&A, a key transaction component is the due diligence exercise on the target entity.
Due diligence stands as the crucial pillar, underpinning successful transactions and mitigating potential pitfalls. It serves as an investigative lens for scrutinising every facet of an impending deal, backed by meticulous research and analysis.
Checking through most due diligence reviews, keen attention is given to the legal, financial, and tax status of the target business. Interestingly, in an economy driven by data, low or no attention is given to operational and regulatory risks associated with data processing activities of the targeted business.
The Hidden Time Bomb: Data Liabilities
When you acquire a company, you inherit its liabilities, including hidden data breaches. Think of Marriott. In 2016, Marriott International acquired Starwood Hotels, inheriting a massive database that included sensitive personal information. Unfortunately, this database had been compromised by hackers since 2014, resulting in one of the largest data breaches in history. The breach exposed the personal information of up to 500 million guests, including names, email addresses, phone numbers, passport numbers, and credit card details. The breach highlighted the importance of conducting thorough due diligence on data protection practices during M&As. Marriott was fined £18.4 million by the UK’s Information Commissioner’s Office (ICO) for failing to implement adequate safeguards to protect personal data.
A subtle reminder, whether you are acquiring the asset or liability of a targeted business, the issue of data protection and privacy remains unique. There is a need for critical evaluation of the organisational and technical measures your targeted business has put in place to ensure compliance with the data protection laws and regulations.
Why Data Protection Matters to Your Bottom Line:
Nigerian Data Protection Commission can hit you with fines of up to 2% of your annual revenue for non-compliance. That’s a serious financial blow. Plus, a data breach destroys customer trust and damages your reputation. This is a risk you can’t afford to take.
As an acquiring organisation, it is crucial to conduct thorough due diligence on the data protection practices of target companies. The Marriott International data breach serves as a stark reminder of the risks associated with data protection in M&As.
Key Steps for Smart Businesses
To navigate the complexities of data protection in M&As effectively, Nigerian businesses should adopt the following strategies:
- Conduct Thorough Due Diligence: Aside from assessing the legal, financial and tax status of a targeted business, pay attention to the compliance status of your targeted business with the NDPA. A thorough review of the data protection policies and procedures, data security measures, and compliance history of a targeted business would help identify potential risks and liabilities.
- Review Contracts and Agreements: Ensure that contracts with third-party data processors and vendors include data protection, confidentiality, and indemnity clauses to protect your interest. This is crucial for protecting against breaches and ensuring that liabilities are clearly defined. This also applies to a cloud storage provider.
- Assess Security Infrastructure and Vendor Management: Evaluate technical measures in place to protect personal data from unauthorized access, such as encryption, access controls, and incident response plans, especially for vendors that handle data storage. Also ensure that data stored in the cloud is accessible at any given time. Hence, a backup recovery exercise must be conducted periodically to ascertain that data stored in the cloud is always available and accessible.
- Cross-Border Data Transfers: If the target company engages in cross-border data transfers, ensure compliance with the NDPA’s provisions. This includes verifying that the recipient country has an adequate level of data protection or obtaining necessary approvals from regulatory bodies.
- Employee and Vendor Training: Conduct training sessions for all employees and vendors on data protection best practices to maintain a culture of compliance within the organization. The contract staff, agents, and the low cadre officer, such as the security, are not to be left out.
Conclusion
Non-compliance with the Nigeria Data protection laws and regulations can cost your organisation 2% of your previous annual revenue, reputational damage, and vicarious liability of senior management. Yes, Compliance is not cheap, but non-compliance is costlier. To mitigate risks and ensure compliance with the NDPA, organizations should not conduct due diligence without involving privacy professionals. A privacy professional will provide critical insights into potential data protection risks and help develop strategies to address them. Integrating privacy professionals into your M&A transactions would help safeguard personal data, build trust with stakeholders, and avoid the financial and reputational consequences of non-compliance.
As Nigeria’s data protection landscape continues to evolve, embrace a proactive approach to compliance with data protection laws and regulations. Big brother is watching you. Selah 1000!
🔗 ======================================
I am Bibitayo Emmanuel Ojo
A Regulatory Compliance Analyst.
bibitayo@digitallord.com.ng