M&A Privacy Due Diligence
Privacy compliance is one of the most underestimated risks in M&A transactions. An acquisition target's GDPR posture can affect deal valuation, drive purchase price adjustments, create indemnification disputes, or in extreme cases kill the deal. This page covers what privacy due diligence actually looks at, what to do when problems are found, and how to scope remediation.
What buyers actually look for
A serious privacy due diligence examines six areas:
Lawful basis and processing legitimacy. Has the target documented a lawful basis for each processing activity? Is consent properly obtained where required? Are legitimate interest assessments documented?
Data subject rights operations. Can the target demonstrate it responds to DSARs within statutory timelines? Are deletion requests honored fully? Has the target tracked and responded to recent rights requests?
Breach history and notification. Has the target had personal data breaches? Were they properly notified to supervisory authorities and data subjects? Are there pending or unresolved breach matters?
International transfers. What mechanisms govern transfers of personal data outside the EU? Are Standard Contractual Clauses current? Have Transfer Impact Assessments been conducted? Is the target relying on the EU-US Data Privacy Framework, and is the certification current?
Vendor and processor management. Are Data Processing Agreements in place with all processors? Is the sub-processor list current and disclosed? Are sub-processor changes managed properly?
Regulatory exposure. Are there pending supervisory authority inquiries, complaints, or investigations? Has the target been fined? Are there pending data subject lawsuits?
What gets uncovered
In our experience supporting M&A diligence for tech acquisitions, common findings include:
Inadequate or missing Records of Processing Activities. Often the target has fragments of documentation but nothing meeting GDPR Article 30.
Stale privacy notices. Privacy notices that have not been updated for recent product or processing changes.
Untracked data flows. Personal data is flowing to vendors or sub-processors that the target's privacy team is unaware of.
Inadequate consent records. The target collects consent but cannot demonstrate consent retention or evidence of how consent was obtained.
Unhandled DSARs. Old DSARs that were never properly responded to.
International transfer gaps. Reliance on outdated SCCs or no transfer mechanism at all for transfers to non-EU vendors.
DPO appointment issues. The target may have been required to appoint a DPO under Article 37 and either has no DPO or has a DPO who is not properly qualified or independent.
Impact on the deal
Privacy findings can affect a deal in several ways:
Purchase price adjustment. Material findings may justify a downward purchase price adjustment. Quantifying privacy risk is imperfect, but rule-of-thumb estimates put 1 to 5 percent of annual revenue at risk for serious compliance gaps, and more for active regulatory matters.
Escrow or holdback. A portion of purchase price held in escrow pending resolution of specific privacy issues, with release tied to completion of remediation work.
Indemnification. Specific representations and warranties regarding privacy compliance, with indemnification of the buyer for breach of those reps. Privacy reps are increasingly common in tech M&A.
Conditions to closing. Specific privacy remediation work required before closing. Examples: completing required DSAR responses, executing missing DPAs, appointing a DPO.
Material adverse change. In serious cases, privacy findings can constitute a material adverse change permitting the buyer to walk.
Post-close remediation
Most acquisitions close with known privacy issues that the buyer commits to remediate post-close. Typical remediation includes:
Privacy program harmonization. Aligning the target's privacy program with the buyer's standards. Often easier said than done if the target has a substantially different operating model.
Documentation rebuild. Building or rebuilding RoPA, privacy notices, internal policies, vendor lists.
Vendor contract update. Executing or updating Data Processing Agreements with all processors.
Transfer mechanism update. Implementing current SCCs and Transfer Impact Assessments.
DPO transition. If the target had no DPO or had an inadequate DPO appointment, transitioning to a proper DPO arrangement.
Regulator engagement if needed. For pending matters, coordinating with the relevant supervisory authority.
The typical post-close remediation timeline is 6 to 12 months for a mid-stage tech company.
How Engage Compliance helps
We support both sides of M&A privacy work:
For buyers conducting diligence on a target. We review the target's privacy program, identify gaps, quantify exposure, and recommend deal terms reflecting the findings.
For targets preparing for sale. We help the target build privacy posture before going to market, addressing common diligence findings preemptively.
For acquirers post-close. We deliver remediation work, often as a fractional DPO transitioning to the buyer's privacy team or remaining as ongoing fractional support.
We typically engage on a focused project basis for diligence work, with fees scaling to deal size and complexity.
Get started
If you have an M&A transaction in flight and need privacy diligence support, book a consultation. We can scope and start within a few days.