February 15, 2022

contracts data breach data privacy contracts consulting mergers and acquisitions data protection contract remediation

Companies have started diligently reviewing their contracts with customers and suppliers to determine non-compliance with regulations and operational practices in their companies. Elevate is often engaged to review buy- and sell-side agreements to determine if remediation is necessary for specific contract provisions. We extract these provisions, compare them to language in a playbook we construct with our customers, then re-paper the agreements. Sometimes it’s an amendment to an existing agreement, and sometimes it necessitates a new agreement.

Elevate applies these same services in an M&A due diligence context. To make a recommendation on whether the transaction should go through (let’s assume our customer is on the buy-side), we consider:

• What obligations would our customer assume?
• Where do the risks (and opportunities) exist?
• Where would they have the latitude to use customer data to improve their own AI algorithms or conduct analysis that can be more broadly applied?
• Where are the limitations (of course, this varies by geography due to different data protection and privacy regulations)?
• Which agreements would need attention once the transaction is complete to ensure that company operational practices reflect the provisions and current regulations?
• Are there any lessons to be learned through these contract provisions (of the target company) that can inform our customers’ own data privacy/protection practices?

These are all preventative approaches. They lie on a continuum from readiness to response. In the event of a suspected data breach, our team can identify the privacy implications within 72 hours with a global team that is available 24×7. We quickly create notification lists and identify sensitive information.

Much of the response work can also be made more efficient by invoking the methods mentioned above. Data privacy and data protection as a continuum rather than a point-in-time exercise may not reduce the risk of an incident. However, if/when one occurs, it will give an organisation the confidence it is acting in good faith to protect the information in its care.