Suppose that you are running a company that stores PII, in order to... generate credit reports that banks and car loan places can use to evaluate your credit-worthiness.
Suppose (Shockingly!) that you operate in a country with strict regulation about how you can store sensitive PII. Suppose that in order to operate your business, you need to be in compliance.
Your business processes have to pass regulator audits - you need to limit access to your data, you need to keep it encrypted while at rest, you need to take steps to prevent exfiltration...
Suppose that you're in compliance, you are licensed to operate with PII and life's great.
Now, suppose that another company, called FaxEqui, buys you. They come in, institute all their own business processes, open up all customer data to interns, change all passwords to admin/admin, unencrypt your database, and have a direct link between your PII and the internet. None of this is in compliance with the regulatory environment.
The regulator takes one look at this, and pulls their license. FaxEqui then proceeds to write to anyone who will listen, to complain about how unfair it is that 'their' license was revoked.
The point of this licensing process is to audit and control a company's internal processes. Buying a company that has such a license does not magically bring your own internal processes into compliance.