So, you’ve been waiting for years for this.  You have built your company up, done all the right things and finally an offer comes in the door from a prospective purchaser.  They are just the right fit – a multi-national organisation saying all the right things with an offer that might just see you sitting on that island in Bermuda after years of hard slog.


The data room is set up and the purchaser starts the due diligence phase.  It’s ok – you’ve got all this covered. But wait...there’s a full page of due diligence questions on data protection!


When it comes to the GDPR, many companies are operating a “surface-level” compliance strategy.   They might have updated their privacy statement (Marie explains just how important this is here), provided some basic training for employees and maybe put a Data Protection Policy in place.  That’s it – JOB DONE, what was all the fuss about?

Many of Fort Privacy’s clients are preparing for M&A activity or are currently in the hot seat in the due diligence phase.  And the due diligence process asks in-depth questions: not simply whether you have documentary evidence of compliance, but whether you can demonstrate compliance.

Here is a summary of the 12 most common M&A due diligence questions when it comes to data protection. How well can you answer these questions?

  • Provide a copy of your Data Catalogue
  • Describe – and defend – your Lawful Basis for all your processing activities
  • Provide a copy of all privacy statements and notices to data subjects including employees and customers
  • Provide a copy of all Data Protection Impact Assessments (DPIAs) and Legitimate Interest Assessments undertaken
  • Provide a copy of all your data protection policies including data protection policy, breach policy, data subject access request policy, data retention policy and CCTV policy
  • Produce documentation demonstrating adherence to the policies listed above
  • Provide a copy of your documented technical and organisational measures
  • Demonstrate your Breach Management activities going back for at least 6 years
  • Show evidence that you have undertaken supplier due diligence
  • Produce copies of all relevant customer and supplier data processing agreements and the agreed technical and organisational measures
  • Describe the documented transfer mechanisms for all international transfers of personal data
  • Demonstrate that staff have been trained and are legally bound to treat personal data confidentially
  • Provide a copy of data protection audits undertaken in the past 6 years
  • Provide any relevant certifications


It would be more than a little bit difficult to get past these questions with just a privacy statement and some training. Any prospective purchaser is going to want to know that you have your house in order. 

At best, it’s going to affect the purchase price and/or the warranties being asked of the seller because (i) the purchaser has a big job to do after the acquisition and (ii) the acquisition will be viewed as a much riskier proposition. 

At worst – the purchaser walks away. There’s always a possibility that a nervous purchaser with doubts over the acquisition might walk away if the due diligence responses are not up to scratch.   


There are lots of reasons why it’s a good idea to be more than compliant at a surface level with the GDPR. In the M&A playing field, where there’s always another company competing for that golden opportunity, it’s vital to put some real work into your GDPR compliance programme – it will save you a lot of heartache in the long run.  Contact Us if you need help with getting M&A ready.  We can assess your current compliance levels and get you well-positioned to answer the hard questions.

Data Protection Due Diligence on Seller

When a prospective buyer in a merger and acquisition is doing their due diligence on the seller, part of this process will invariably be a full page of questions on data protection. Avoid the common pitfalls by downloading our guide on due diligence.
