Mergers and Acquistions

If you are looking to attract a buyer or an investor for your business, privacy is now a key factor in any due diligence that is carried out on your business – and a robust, sustainable privacy programme is essential to kick-start corporate transactions.  Simply claiming you are GDPR-compliant is not good enough – ultimately, it is likely to be untrue and will immediately raise suspicions with most third parties.

In our experience,, an increasing number of would-be buyers or investors have outsourced this privacy due diligence to expert data protection consultants who are able to uncover and identify potential gaps in data protection frameworks (gaps the untrained eye wouldn’t spot) – some of which may reveal potential privacy risks, or in extreme cases, actual data breaches which are deemed reportable to the ICO and, by default, trigger a full privacy investigation.

These risks could force the interested party to withdraw entirely, therefore setting you back to square one. Not only are you searching for new financial interest but also addressing serious key privacy issues – which could take months to address.

With this in mind, ahead of speaking to potential third parties, Privacy Helper will work closely with your business and conduct an independent GAP analysis. If a GAP analysis has already been conducted, then we will review this documentation, however, it may be necessary to conduct a fresh review of certain areas based on any remediation you have done since.

Our GAP analysis process and follow-up report will immediately identify any areas that could be cause for concern with the third parties – and our team will create a project plan to address any areas for remediation.

In many cases, remediation work will need to be underway with specific tasks completed, thus making your commitment to privacy demonstrable to third parties ahead of engaging formally in talks.

Our data protection specialists will also provide regular updates to any parties (internal or external) confirming what progress is being made and giving them the confidence that the business is committed to protecting the privacy of the individuals whose personal data you collect and process.

Speak to us today to be sure your business has a privacy programme you be proud of and one that potential third-party investors will be impressed by – with our help, your commitment to data protection becomes a huge selling point and makes your business highly desirable over other companies that have failed to address these crucial issues.

In the pre-GDPR days, buyers and investors would conduct the necessary due diligence on an organisation. Evidence of data governance and data protection frameworks weren’t a priority.

Compliance with data protection legislation is now a key consideration ahead of investing in an outside organisation – and the ICO has already demonstrated this, much to the frustration of Marriot Hotels…

In 2016, Marriot International bought Starwood Hotels, creating the largest hotel chain in the world. Unfortunately, their due diligence during the buying process was poor and they failed to spot a major data breach within Starwood which affected around 339 million guests. The breach, which dates back to 2014, was only discovered in 2018.

Following an investigation, the ICO issued an “intention to fine” notice of £99m – only the second proposed enforcement under the GDPR – and significantly larger than the £500,000 maximum fine under the previous Data Protection Act 1998.  When they announced the intention to fine, the ICO observed that Marriot had failed to properly review Starwood’s data protection practices and should have done more to secure its systems.

As a third party buying into an existing company, you will be responsible for the personal data the business holds – this includes carrying out proper and detailed due diligence when making a corporate acquisition.

Clients who engage with our team of privacy specialists can be confident that our due diligence work is meticulously detailed – we leave no stone unturned in our search for any processes or systems that may suggest a compromise of the GDPR and where there is an undue risk to personal data held by the company.

We will:

Conduct a full and detailed review of all 3rd party supplier contracts – In the event of a data breach, the data controller vs data processor relationships must be protected by contract. Many companies simply engage with their usual business lawyers for this, however, they don’t have the required understanding of data protection legislation, so this creates a risk.

Conduct a full and detailed review of all IT systems and processes – To prevent a repeat of the Marriot breach, our IT privacy specialists will ensure all databases are afforded the appropriate levels of protection and there are no suspicious activities around these.

Penetration Testing (Pen-testing) – Our online specialist will conduct pen tests to demonstrate there are no online weaknesses within the business that could put you at risk of hackers.

Records Management/Article 30 – Our records management experts will check there are appropriate filing systems in place for personal data within the business – and all policies reflect the legal basis of all records… they are not just meaningless documents, written once and then forgotten about.

Marketing – If the business conducts outbound marketing, does this satisfy the marketing legislation (Privacy & Electronic Communication Regulation, 2003)? If the business is found to be in breach of this, then the ICO has the power to fine the specific business owner £500,000.

Off the back of this due diligence, we will submit a detailed report on our findings and our recommendations as to remediation in line with the GDPR.