Privacy compliance is no longer a back-office concern during M&A transactions. It's a front-page diligence item that directly affects deal terms, valuation multiples, and sometimes whether the deal closes at all.
The shift happened gradually, then suddenly. GDPR enforcement scaled up. Data breach notifications became mandatory and public. Regulatory fines reached the billions. And acquirers — who inherit the target's compliance posture, including its liabilities — started paying attention.
Why Privacy Matters in M&A
Inherited Liability
When you acquire a company, you acquire its compliance history. Open supervisory-authority investigations, pending complaints about DSAR handling, and undisclosed data breaches become your problem. Post-acquisition, the surviving entity is responsible for the target's historical processing activities.
The Marriott-Starwood acquisition is the canonical example. Marriott acquired Starwood in 2016 and inherited a compromise of the Starwood guest reservation database that had begun in 2014 and was not discovered until 2018. The ICO's resulting fine of GBP 18.4 million (reduced from an initially announced intention to fine roughly GBP 99 million) was levied against Marriott, not Starwood.
Valuation Impact
Privacy risk is quantified and priced into deals. Common adjustments:
- Open regulatory investigations: Discounted based on probable fine range
- Missing DPAs: Cost to remediate plus risk exposure during gap period
- Inadequate consent mechanisms: Potential revenue impact if consent must be re-collected
- Excessive data retention: Cost to remediate plus breach exposure risk
- Incomplete DSAR processes: Regulatory risk plus operational cost to build
A target with strong, documented compliance practices commands a premium. A target with gaps accepts a discount — or faces indemnity requirements that shift the financial risk back to the sellers.
Integration Complexity
Post-merger integration of two organizations' data processing activities triggers new compliance requirements:
- Updated privacy notices reflecting the new controller
- New or amended DPAs with shared processors
- Data mapping of the combined entity
- Consent review: does consent given to the original entity cover processing by the new one?
- Employee data handling under the new ownership structure
The better the target's compliance documentation, the faster and cheaper integration is.
What Due Diligence Teams Investigate
1. Data Inventory and Mapping
The first request is always some version of: "Show us your Record of Processing Activities."
Diligence teams want to see:
- Complete inventory of systems processing personal data
- Data types collected per system
- Legal basis for each processing activity
- Data flows between systems and to third parties
- International transfer mechanisms
What they're really assessing: does this organization know what data it has and why it has it?
Red flags: No formal data inventory. Spreadsheet last updated 18 months ago. Systems processing data that aren't documented.
2. DSAR Handling Track Record
Diligence teams request:
- Volume of DSARs received in the past 12-24 months
- Average response time
- Number of late responses
- Number of regulatory complaints
- Process documentation
- Sample anonymized case files showing the process was followed
What they're assessing: is this organization operationally capable of handling data subject rights?
Red flags: No tracking system. Average response time exceeding the statutory deadline. Open complaints lodged with supervisory authorities.
3. Data Processing Agreements
The DPA audit is straightforward, yet it surprisingly often reveals gaps:
- List of all processors and sub-processors
- DPA status for each (signed, pending, missing)
- DPA content review against the mandatory terms of Article 28 GDPR
- Sub-processor notification and objection mechanisms
Red flags: Missing DPAs for major processors. DPAs that predate GDPR and haven't been updated. No sub-processor management process.
4. Consent Mechanisms
If the target relies on consent as a legal basis for any processing:
- How is consent collected? (UI screenshots, consent records)
- Is consent specific and granular?
- Can consent be withdrawn easily?
- Are consent records maintained with timestamps?
- Has consent been collected for all current processing activities?
Red flags: Pre-ticked boxes. Bundled consent. No mechanism to withdraw. Consent records that can't be produced.
5. Breach History and Response
- List of all data breaches in the past 3-5 years
- Whether they were notified to authorities
- Whether affected individuals were notified
- Remediation actions taken
- Current security posture
Red flags: Unreported breaches. Repeated similar incidents. No documented incident response plan.
6. Retention and Deletion Practices
- Documented retention schedule
- Evidence that retention rules are enforced
- Verification records showing deletion occurs on schedule
- Backup retention policies
Red flags: No retention schedule. No evidence of deletion. Indefinite data retention.
Preparing for Privacy Due Diligence
If you expect your organization to undergo due diligence — whether for acquisition, investment, or partnership — preparation starts well before the process begins.
Build a Deal Pack
A Deal Pack is a pre-assembled evidence package that demonstrates compliance across all key areas:
- Data Inventory Export: Complete, current, with legal bases and retention periods
- DSAR Process Documentation: Policies, procedures, and sample case evidence
- Retention Verification Records: Evidence that deletion policies are followed
- Evidence Vault Contents: Hash-locked screenshots and documentation
- Hash Manifest: Cryptographic proof of evidence integrity
The hash manifest is particularly useful in a diligence context. When every piece of evidence is SHA-256 hashed at the point of capture and the hashes are recorded in a manifest, the acquirer can recompute the hashes and confirm that no file has been altered since the manifest was written. One caveat a diligence team will raise: a hash only proves that a file matches its manifest entry, not when either was created. To show that the evidence predates the transaction, the manifest (or a single digest over it) needs an anchor the seller cannot back-date, such as an RFC 3161 trusted timestamp, a signature made with a key under third-party custody, or a copy lodged with counsel or an auditor at capture time.
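The mechanics of such a manifest, as an added example written for this article rather than code from any product or vendor: every evidence file is streamed through SHA-256 at capture time, the entry table is canonicalised and fingerprinted into one digest (the value to timestamp or sign), and a later verification pass classifies each file as intact, modified, missing, or unlisted. The manifest layout, the file names and the sample evidence files in `demo()` are assumptions constructed for the demonstration.

```python
"""Evidence-vault hash manifest: capture-time SHA-256 hashes and later re-verification.

Added illustration for this article; not code from any product or vendor.
The manifest layout, file names and the sample evidence files are assumptions
constructed for the demo.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name; the manifest is not itself evidence


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large screenshots and exports need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def evidence_files(vault: Path) -> dict:
    """Relative POSIX path -> absolute path for every file except the manifest."""
    return {
        p.relative_to(vault).as_posix(): p
        for p in sorted(vault.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def manifest_digest(entries: dict) -> str:
    """One fingerprint over the canonicalised entry table. This is the value to
    get externally timestamped or signed; without such an anchor the whole
    manifest could simply be regenerated after the evidence was edited."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(vault: Path) -> dict:
    """Hash every evidence file at capture time and record size and timestamp.
    captured_at is self-reported by the capturing system and proves nothing on
    its own; the external anchor belongs on manifest_sha256."""
    now = datetime.now(timezone.utc).isoformat()
    entries = {
        rel: {"sha256": sha256_file(p), "size": p.stat().st_size, "captured_at": now}
        for rel, p in evidence_files(vault).items()
    }
    return {"algorithm": "sha256", "entries": entries, "manifest_sha256": manifest_digest(entries)}


def write_manifest(vault: Path, manifest: dict) -> None:
    (vault / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(vault: Path) -> dict:
    return json.loads((vault / MANIFEST_NAME).read_text())


def verify_vault(vault: Path, manifest: dict) -> dict:
    """Recompute every hash and classify each file. Also checks that the entry
    table still matches the manifest's own digest, so an edited manifest whose
    fingerprint was not regenerated is caught too."""
    report = {
        "manifest_intact": manifest_digest(manifest["entries"]) == manifest["manifest_sha256"],
        "ok": [], "modified": [], "missing": [], "unlisted": [],
    }
    present = evidence_files(vault)
    for rel, entry in sorted(manifest["entries"].items()):
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != entry["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unlisted"] = sorted(set(present) - set(manifest["entries"]))
    report["clean"] = report["manifest_intact"] and not (
        report["modified"] or report["missing"] or report["unlisted"])
    return report


def demo() -> tuple:
    """Constructed sample vault: build and verify a manifest, then tamper with
    the evidence in the ways a diligence team would hope to catch."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp)
        (vault / "dsar").mkdir()
        (vault / "dsar" / "case-0042.txt").write_bytes(
            b"DSAR received 2024-03-01; identity verified 2024-03-04; fulfilled 2024-03-20\n")
        (vault / "retention-check-q1.txt").write_bytes(b"abc")  # well-known SHA-256 test input
        manifest = build_manifest(vault)
        write_manifest(vault, manifest)
        before = verify_vault(vault, load_manifest(vault))

        # Post-hoc "tidying" of the record: edit one file, delete one, add one.
        (vault / "retention-check-q1.txt").write_bytes(b"abcd")
        (vault / "dsar" / "case-0042.txt").unlink()
        (vault / "late-addition.txt").write_bytes(b"written after the manifest\n")
        after = verify_vault(vault, load_manifest(vault))
    return manifest, before, after


if __name__ == "__main__":
    _, before, after = demo()
    print("before tampering:", "clean" if before["clean"] else before)
    print("after tampering: ", after)
```

The acquirer's check is `verify_vault` run against the manifest the seller fixed in time; the seller's obligation is to get `manifest_sha256` anchored (timestamped, signed, or lodged with a third party) when the vault is captured, because a manifest that can be regenerated at will proves only that the files match it today.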
Maintain Continuous Compliance
Due diligence isn't a one-time event you prepare for. It's a snapshot of your ongoing compliance practice. If you maintain:
- A living data inventory updated as systems change
- Systematic DSAR handling with evidence capture
- Regular retention verification cycles
- Hash-locked evidence for all compliance activities
...then due diligence preparation is simply exporting what you already have. The organizations that struggle are those trying to reconstruct years of compliance evidence in the weeks between signing a letter of intent and the diligence team's first request.
Address Known Gaps Proactively
Every organization has compliance gaps. Acknowledging and documenting them — with a remediation plan and timeline — is far better than having them discovered during diligence.
Common remediable gaps:
- Missing DPAs: Contact vendors, sign their standard DPAs
- Outdated privacy policy: Review and update to reflect current practices
- No DSAR tracking: Implement a system and start building the track record
- Missing retention schedule: Define and document, then start verification cycles
- Incomplete data inventory: Conduct a systematic review and document
The Deal Readiness Score
Organizations increasingly use readiness metrics to quantify their compliance posture:
- Data Inventory completeness: What percentage of systems are documented?
- DSAR process maturity: Are all steps documented and evidenced?
- DPA coverage: What percentage of processors have signed DPAs?
- Retention compliance: What percentage of rules are verified on schedule?
- Evidence freshness: Is the evidence current or stale?
A weighted score across these dimensions gives both the organization and potential acquirers a quantitative measure of compliance readiness. Tracking this score over time demonstrates a trajectory of improvement.
Key Takeaways
- Privacy compliance directly impacts M&A valuations and deal terms
- Acquirers inherit the target's compliance liabilities, including historical violations
- Due diligence teams investigate data inventory, DSAR handling, DPAs, consent, breach history, and retention
- Preparation starts with maintaining continuous compliance, not scrambling before a transaction
- Hash-locked evidence lets an acquirer verify that compliance documentation has not been altered since it was captured, provided the manifest itself is anchored in time
- Known gaps with remediation plans are preferable to undisclosed issues discovered during diligence