In the latter half of 2017, pharmaceutical industry leaders increased their mergers & acquisitions (M&A) activity to gain synergies by joining and rationalizing assets. Similarly, industry analysts suggest that 2018 will see a return in the pharmaceuticals M&A deal landscape to higher levels than recent years.1
These M&A deals promise to continue to offer value, with Accenture Strategy research finding that 50 percent of pharma executives anticipate their M&A activity will drive between a quarter and half of projected growth in the next two years.2 With such high expectations, digital considerations are more pressing than ever—not the least of which is the European Union’s Global Data Protection Regulation (GDPR) that went live on May 25, 2018.
While cyber-related due diligence is not new to the M&A process, GDPR compounds the risk during pre- and post-merger periods vis-à-vis the threat of substantial monetary penalties. If missed or not addressed, GDPR violations can result in penalties of up to 4 percent of an acquiring company’s global revenue and can nullify any gains realized in the process.
This makes assessing a target’s GDPR readiness during due diligence a crucial step in the M&A life cycle. Accenture Strategy recommends that acquisitive companies take a series of actions that focus on the nuances of GDPR and its impact to data handling and subject privacy.
How to get ahead of the risks:
Step 1. Assess the target company’s GDPR compliance using a maturity assessment framework. An overwhelming majority of Pharma companies surveyed (89 percent) had either acquired or were considering the acquisition of another company to gain talent or technology in 2017.3 As technology acquisitions continue to drive Pharma M&A, it is imperative to assess the target’s GDPR readiness. There are some key actions to pursue when evaluating a target’s GDPR compliance:
- Determine if the target company stands on firm legal ground to control or process subject data.4
- Evaluate policies and procedures around consent, subject access requests and handling of data breaches.
- Conduct Data Privacy Impact Assessments, when possible, to gauge processing operations that are likely to result in a high risk to the rights and freedoms of individuals.
Step 2. Evaluate any third-party contracts. Pharma acquisition targets—even if they have robust GDPR programs to handle clinical trial subject or similar data—may still have third-party contracts that could impact data protection and privacy exposure subject to GDPR. This is critically important to the assessment of the target company as GDPR investigations and penalty actions in third-party companies may trigger cascading actions that could involve the target and therefore the acquiring company.
Step 3. Catalog risk scenarios and proceed accordingly. Where GDPR-related matters are a risk, as with any other risk, assign a severity and potential cost—whether that means IT integration costs, potential legal fees in the event of non-compliance, or post-breach remediation. As pharma-related subject data is considered extremely sensitive in the context of GDPR, the cost of each risk scenario may be significantly higher than in other industries and impact the decision calculus to proceed or not.
Learning a target company’s GDPR readiness, understanding potential downstream impacts from its data-sharing relationships and formulating an acceptable level of measured risk based on well-informed scenarios are key preventive steps to shield companies from monetary penalties related to GDPR.
1 Pharmaceutical M&A deals in 2017
2 Accenture Strategy, “Revenue Growth: Perception or Reality?”, 2017
3 Accenture Strategy, M&A research, 2017
4 Article 4, General Data Protection Regulation