By: Paige Goss
How Data Governance Regulations Impact Investments
In recent years, both private equity and venture capital investment firms have been getting more creative in their portfolios. Investors traditionally focused on other areas have started mining for gold in the tech industry. Investment firms with private sector portfolios are sticking their necks into the federal and defense supplier markets. The result? There are slimmer pickings when it comes to good investment options. And regardless of whether it’s an explicitly technology-based company up for grabs, everyone needs to up their game when it comes to assessing how data governance regulations will impact the bottom line.
Data privacy laws are on the rise, and no matter what a company is selling – products or services – if it’s got a website, these regulations affect the business. Information can’t be tossed into an unretrievable abyss of databases anymore. And meeting the standards set by new regulations means investing in the right kinds of data and security infrastructure.
Benefits of Investing In Data Governance Technology Architecture
Fortunately, since data governance is an issue across the business spectrum, investing in the appropriate technology architecture will lead to increased market potential in both the long and short term. Technology debt is an issue that savvy investors are looking out for. Investing in an asset’s policies, procedures and network configurations undeniably makes the business more profitable if your goal is to sell. It also increases profitability for assets you’re looking to grow. Investing in information architecture allows you to better manage risk, consolidate systems, and potentially grow into enterprise-level markets that were previously unattainable.
Data management and systems integration are becoming increasingly complex and expensive as a result of data governance laws. The rollout of GDPR cost companies a reported average of $1.8 million in compliance efforts in 2018 alone.
Failing to adhere to consumer privacy regulations will ultimately cost you – whether that comes in the form of fines, lawsuits, or even having your site banned in certain areas. Data governance is not an issue to ignore, and it’s not an issue that’s going to go away.
Data Governance Laws That Impact All Businesses
As of 2020, the United States doesn’t have an all-encompassing federal law regulating data privacy. That might change, that might not. Right now, the Federal Trade Commission Act (FTCA) casts a pretty wide net around enforcing privacy laws and preventing “deceptive trade practices.” The FTCA doesn’t actually dictate what companies have to include in their privacy policies, but it does allow the Federal Trade Commission to lay the smack down on companies who stray outside the bounds of appropriate behavior.
Here are just a few of the things that can get businesses in trouble with the FTC:
- Failing to maintain adequate security infrastructure for consumers’ personal data.
- Failing to abide by industry-standard self-regulatory principles.
There are also a host of laws dealing with industry or consumer-specific information collection, such as the Children’s Online Privacy Protection Rule (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), and, of course, the Fair Credit Reporting Act – all of which have to be taken into account when performing due diligence on a potential investment. Data privacy is a vital aspect of governance, risk management, and compliance for any organization. And it’s only going to get more complicated as time goes on.
More and more, states are taking the reins and passing their own laws. So, if the company you’re considering investing in does any kind of interstate commerce (i.e., it’s a company operating in the 21st Century and not the ice age), then data regulations will impact the bottom line.
The California Consumer Privacy Act has had far-reaching implications for businesses of every size. In case you missed it, the law in California means that any business (anywhere) that collects information about California residents is now subject to California’s data privacy law. Selling software as a service to any residents in California? It applies. Providing remote coaching sessions to Silicon Valley executives in need of fashion advice? It applies. Shipping antique baby buggies to a handful of boutiques in Orange County? It applies. And for each of these instances, any California resident whose data is stored in a company’s system can request to have that data deleted.
Avoid Tech Debt by Assessing the Network Architecture of Potential Investments
If that doesn’t sound like such a big deal, then you probably don’t have a lot of experience with sensitive data migration and consolidation. The network architecture of your system probably wasn’t designed to easily facilitate quick retrieval and deletion of data. Not only does customer data have to be containerized and protected in new ways, you also have to maintain a support structure that allows your IT team to omit and delete information.
So, it’s increasingly important to take a long hard look at a potential investment’s network architecture before pulling the trigger. When investors move quickly to get a baseline up and running without taking a broad view of a company’s network architecture and sensitive data, it’s a recipe for trouble down the road. Too often, that strategy sets investors on a perpetual path of fixing issues for as long as they own the asset. It can also knock a hefty amount off a company’s sale price. Tech debt is a real thing. So, if your goal is to sell, understand that savvy buyers are getting better at sniffing that out.
Your best bet for assessing your areas of risk is having a security infrastructure expert on hand to help with pre-diligence. Investing in a technology risk assessment will ensure you have a clear sense of the value of the asset you’re purchasing. It will also guard against misleading assurances that existing systems are up to snuff. When it comes to consumer privacy regulations, how a company stores and maintains its data is an increasingly relevant question to bring to the due diligence conversation.