In this short video, Privacyrules expert Padraig Walsh, from the Hong Kong-based law firm Tanner De Witt, delves into an investigation report that sheds light on data privacy errors within M&A transactions.
In this case, the investigation centered around EC Healthcare, a Hong Kong-based business that grew through acquisitions, amassing 39 brands in healthcare. 28 of these used a centralized data sharing system for sensitive health data. However, their mistake came when they omitted a clear data transfer notice. This led to complaints and a regulatory investigation by the Office of the Privacy Commissioner for Personal Data in Hong Kong (PCPD). The outcome: an enforcement notice, stopping unauthorized data sharing and requiring lawful practices for future sharing.
Key takeaways from this incident and the PCPD’s recommendations extend beyond Hong Kong’s borders:
– Foresee Data Privacy Implications in M&A Transactions: Anticipate and address data privacy concerns during M&A deals. Addressing these issues upfront ensures smoother integration and compliance with privacy regulations.
– Seek Necessary Consents and Notifications: Obtain consents or give notifications as required by the applicable laws. Transparency in informing data subjects about data usage intentions goes a long way in maintaining compliance.
– Data Usage Transparency: Understand the legal boundaries of using collected data. When data is intended for a new purpose, secure fresh express consent from the individuals involved.
– Conduct Privacy Impact Assessments: Evaluate the impact of M&A transactions on the privacy of customer and personnel data. Demonstrating sensitivity and compliance through these assessments helps establish trust.
– Robust Policies and Processes: Establish protocols to gain consent in case of data sharing. Alternatively, be prepared to isolate data if consent isn’t granted.
– Privacy Training Programs: Embed awareness and understanding of personal data rights and usage within your organization. Education ensures responsible data management from top to bottom.
– Implement Privacy Management Programs: Introduce comprehensive privacy management across the organization, ensuring adherence to a coherent policy even with newly integrated entities.
For a DPO, the EC Healthcare case serves as a reminder of the intricate interplay between data privacy and business operations. Regardless of your location, industry, or context, these insights reflect the need to remain vigilant in safeguarding personal data amid the dynamic landscape of mergers and acquisitions.