Key takeaways

  • Buyers examine six privacy areas during M&A diligence, from lawful basis through regulatory exposure.
  • What gets uncovered can affect deal value, timing, or terms.
  • Post-close remediation is common but largely avoidable with pre-sale preparation.
  • Engage prepares companies on both sides of a deal.

What buyers actually look for

A serious privacy due diligence examines six areas:

  • Lawful basis and processing legitimacy. Has the target documented lawful basis for each processing activity? Is consent properly obtained where required? Are legitimate interest assessments documented?

  • Data subject rights operations. Can the target demonstrate it responds to DSARs within statutory timelines? Are deletion requests honored fully? Has the target tracked and responded to recent rights requests?

  • Breach history and notification. Has the target had personal data breaches? Were they properly notified to supervisory authorities and data subjects? Are there pending or unresolved breach matters?

  • International transfers. What mechanisms govern transfers of personal data outside the EU? Are Standard Contractual Clauses current? Have Transfer Impact Assessments been conducted? Is the target relying on the EU-US Data Privacy Framework, and is the certification current?

  • Vendor and processor management. Are Data Processing Agreements in place with all processors? Is the sub-processor list current and disclosed? Are sub-processor changes managed properly?

  • Regulatory exposure. Are there pending supervisory authority inquiries, complaints, or investigations? Has the target been fined? Are there pending data subject lawsuits?

For targets that build or deploy AI, we also review AI governance and EU AI Act exposure alongside the GDPR position, since the two regimes increasingly overlap.

What gets uncovered

In our experience supporting M&A diligence for tech acquisitions, common findings include:

  • Inadequate or missing Records of Processing Activities. Often the target has fragments of documentation but nothing meeting GDPR Article 30.

  • Stale privacy notices. Privacy notices that have not been updated for recent product or processing changes.

  • Untracked data flows. Personal data is flowing to vendors or sub-processors that the target’s privacy team is unaware of.

  • Inadequate consent records. The target collects consent but cannot produce records showing who consented, when, to what, and how, which Article 7(1) requires the controller to be able to demonstrate.

  • Unhandled DSARs. Old DSARs that were never properly responded to.

  • International transfer gaps. Reliance on the pre-2021 SCCs, which had to be replaced in existing contracts by 27 December 2022, or no transfer mechanism at all for transfers to non-EU vendors.

  • DPO appointment issues. The target may have been required to appoint a DPO under Article 37 and either has no DPO or has a DPO who is not properly qualified or independent.

Impact on the deal

Privacy findings can affect a deal in several ways:

  • Purchase price adjustment. Material findings may justify a downward purchase price adjustment. Quantifying privacy risk is imprecise, but a common rule of thumb puts 1 to 5 percent of annual revenue at risk for serious compliance gaps, and more where regulatory matters are already active.

  • Escrow or holdback. A portion of purchase price held in escrow pending resolution of specific privacy issues, with release tied to completion of remediation work.

  • Indemnification. Specific representations and warranties regarding privacy compliance, with the seller indemnifying the buyer for breach of those reps. Privacy reps are increasingly common in tech M&A.

  • Conditions to closing. Specific privacy remediation work required before closing. Examples: completing required DSAR responses, executing missing DPAs, appointing a DPO.

  • Material adverse change. In serious cases, privacy findings can constitute a material adverse change permitting the buyer to walk.

Post-close remediation

Most acquisitions close with known privacy issues that the buyer commits to remediate post-close. Typical remediation includes:

  • Privacy program harmonization. Aligning the target’s privacy program with the buyer’s standards. Often easier said than done if the target has a substantially different operating model.

  • Documentation rebuild. Building or rebuilding RoPA, privacy notices, internal policies, vendor lists.

  • Vendor contract update. Executing or updating Data Processing Agreements with all processors.

  • Transfer mechanism update. Implementing current SCCs and Transfer Impact Assessments.

  • DPO transition. If the target had no DPO or had an inadequate DPO appointment, transitioning to a proper DPO arrangement.

  • Staff privacy training. Bringing the merged organization onto a common privacy training baseline so both sides operate to the same standard.

  • Regulator engagement if needed. For pending matters, and for any DPO or controller changes that require notification, coordinating with the relevant supervisory authority.

The typical post-close remediation timeline is 6 to 12 months for a mid-stage tech company.

How Engage Compliance helps

We support both sides of M&A privacy work:

  • For buyers conducting diligence on a target. We review the target’s privacy program, identify gaps, quantify exposure, and recommend deal terms reflecting the findings.

  • For targets preparing for sale. We help the target build privacy posture before going to market, addressing common diligence findings preemptively.

  • For acquirers post-close. We deliver remediation work, often as an outsourced DPO transitioning to the buyer’s privacy team or remaining as ongoing outsourced support.

We typically engage on a focused project basis for diligence work. Buy-side assessments are scoped as a project from €5,000, depending on the target’s size, complexity, and jurisdictions. Ongoing DPO support for the combined entity follows our standard retainer pricing, set out in the outsourced DPO cost guide.

Get started

If you have an M&A transaction in flight and need privacy diligence support, book a consultation. We can scope and start within a few days.

  • Same-business-day response
  • Professional indemnity and cyber insurance
  • Named DPO notified to the supervisory authority

Frequently asked questions

What does privacy due diligence actually examine?

A serious review examines six areas: lawful basis and processing legitimacy, data subject rights operations, breach history and notification, international transfers, vendor and processor management, and regulatory exposure such as pending supervisory authority inquiries, complaints, fines, or lawsuits.

What problems most often surface in a target?

Common findings include inadequate or missing Records of Processing Activities, stale privacy notices, untracked data flows to vendors and sub-processors, weak consent records, unhandled DSARs, international transfer gaps such as outdated Standard Contractual Clauses, and DPO appointment issues under Article 37.

How do privacy findings affect a deal?

They can drive a purchase price adjustment, an escrow or holdback pending remediation, specific indemnification through privacy representations and warranties, conditions to closing such as executing missing DPAs or appointing a DPO, and in serious cases a material adverse change letting the buyer walk. Rule-of-thumb exposure estimates run 1 to 5 percent of annual revenue for serious compliance gaps.

We are buying with known issues. How long does cleanup take?

Most acquisitions close with known issues remediated afterward. Typical post-close remediation runs 6 to 12 months for a mid-stage tech company and covers privacy program harmonization, documentation rebuild, vendor contract updates, transfer mechanism updates, DPO transition, and regulator engagement for any pending matters.

Can you support both the buyer and the seller?

Yes. We review a target and quantify exposure for buyers, help targets build privacy posture before going to market, and deliver post-close remediation for acquirers. We typically engage on a focused project basis with fees scaling to deal size and complexity, and can scope and start within a few days.