Mergers and Acquistions

Close the deal fast and get concise, clear guidance with step-by-step fixes

Why GDPR could put a spanner in the works… There are two sides to this…

Firstly, if your company is looking to attract a buyer, or investors in the near future, then it is likely your preparations for GDPR – and your ability to demonstrate these preparations – will be key to the success of this. In a post-GDPR world, many would-be investors or buyers deem non-GDPR-compliant businesses too much of a risk.

Secondly, if you are looking to buy, or invest in a business, then you have a responsibility to conduct the appropriate due diligence and ensure the business you hope to become involved with is able to prove they have an active, ongoing privacy programme.  Can they demonstrate the final key principle of the GDPR – accountability of their obligations as a data controller?

Significant “intention to fine” notices totalling £282 million have already been issued by the UK ICO for this – if you can’t demonstrate due diligence, you could also be under investigation.

Whichever side you fall into, our specialist privacy team can help by either addressing key areas in your business that COULD delay your investment or buy-out plans, OR, give you the reassurance to proceed with your plans, safe in the knowledge that the privacy programme has been independently evaluated and approved as being robust and on-track.

Call the team today and we can immediately schedule your engagement – in most cases, such is the size and flexibility of our specialist privacy consultant network, we can begin work the same week.

Attracting a buyer/investor

If you are looking to attract a buyer or an investor for your business, privacy is now a key factor in any due diligence that is carried out on your business – and a robust, sustainable privacy programme is essential to kick-start corporate transactions.  Simply claiming you are GDPR-compliant is not good enough – ultimately, it is likely to be untrue and will immediately raise suspicions with most third parties.

In our experience,, an increasing number of would-be buyers or investors have outsourced this privacy due diligence to expert data protection consultants who are able to uncover and identify potential gaps in data protection frameworks (gaps the untrained eye wouldn’t spot) – some of which may reveal potential privacy risks, or in extreme cases, actual data breaches which are deemed reportable to the ICO and, by default, trigger a full privacy investigation.

These risks could force the interested party to withdraw entirely, therefore setting you back to square one. Not only are you searching for new financial interest but also addressing serious key privacy issues – which could take months to address.

With this in mind, ahead of speaking to potential third parties, Privacy Helper will work closely with your business and conduct an independent GAP analysis. If a GAP analysis has already been conducted, then we will review this documentation, however, it may be necessary to conduct a fresh review of certain areas based on any remediation you have done since.

Our GAP analysis process and follow-up report will immediately identify any areas that could be cause for concern with the third parties – and our team will create a project plan to address any areas for remediation.

In many cases, remediation work will need to be underway with specific tasks completed, thus making your commitment to privacy demonstrable to third parties ahead of engaging formally in talks.

Our data protection specialists will also provide regular updates to any parties (internal or external) confirming what progress is being made and giving them the confidence that the business is committed to protecting the privacy of the individuals whose personal data you collect and process.

Speak to us today to be sure your business has a privacy programme you be proud of and one that potential third-party investors will be impressed by – with our help, your commitment to data protection becomes a huge selling point and makes your business highly desirable over other companies that have failed to address these crucial issues.

Considering investing, or buying a business?

In the pre-GDPR days, buyers and investors would conduct the necessary due diligence on an organisation. Evidence of data governance and data protection frameworks weren’t a priority.

Compliance with data protection legislation is now a key consideration ahead of investing in an outside organisation – and the ICO has already demonstrated this, much to the frustration of Marriot Hotels…

In 2016, Marriot International bought Starwood Hotels, creating the largest hotel chain in the world. Unfortunately, their due diligence during the buying process was poor and they failed to spot a major data breach within Starwood which affected around 339 million guests. The breach, which dates back to 2014, was only discovered in 2018.

Following an investigation, the ICO issued an “intention to fine” notice of £99m – only the second proposed enforcement under the GDPR – and significantly larger than the £500,000 maximum fine under the previous Data Protection Act 1998.  When they announced the intention to fine, the ICO observed that Marriot had failed to properly review Starwood’s data protection practices and should have done more to secure its systems.

How does this affect you?

As a third party buying into an existing company, you will be responsible for the personal data the business holds – this includes carrying out proper and detailed due diligence when making a corporate acquisition.

Clients who engage with our team of privacy specialists can be confident that our due diligence work is meticulously detailed – we leave no stone unturned in our search for any processes or systems that may suggest a compromise of the GDPR and where there is an undue risk to personal data held by the company.

Our team will:

Conduct a full and detailed review of all 3rd party supplier contracts – In the event of a data breach, the data controller vs data processor relationships must be protected by contract. Many companies simply engage with their usual business lawyers for this, however, they don’t have the required understanding of data protection legislation, so this creates a risk.

Conduct a full and detailed review of all IT systems and processes – To prevent a repeat of the Marriot breach, our IT privacy specialists will ensure all databases are afforded the appropriate levels of protection and there are no suspicious activities around these.

Penetration Testing (Pen-testing) – Our online specialist will conduct pen tests to demonstrate there are no online weaknesses within the business that could put you at risk of hackers.

Records Management/Article 30 – Our records management experts will check there are appropriate filing systems in place for personal data within the business – and all policies reflect the legal basis of all records… they are not just meaningless documents, written once and then forgotten about.

Marketing – If the business conducts outbound marketing, does this satisfy the marketing legislation (Privacy & Electronic Communication Regulation, 2003)? If the business is found to be in breach of this, then the ICO has the power to fine the specific business owner £500,000.

Off the back of this due diligence, we will submit a detailed report on our findings and our recommendations as to remediation in line with the GDPR.

Engaging with PRIVACYHELPER could be your best investment

Our privacy experts are professionals and our report will be our detailed, independent view intended to highlight the risks associated with you if you invest in the specific organisation – this will enable you to make the appropriate decisions based on our findings.

Based on the size of the fine the ICO intend to impose on Marriot Hotels, this independent due diligence could be the most worthwhile exercise you conduct – don’t commit to any investment before you truly understand the risk.

Call our team now – a ten-minute telephone call can usually give you an indication of how robust their privacy programme is – and if your investment will be costly in the long-run, or a sound business decision.

Remember – we understand the sensitive nature of your business investment plans – and for us, discretion is key. We have worked with many household names and respect the confidentiality of every single client.  We never enter into discussions or formal engagements with clients without first signing a Non-Disclosure Agreement with the involved parties.


As with our ethos, our pricing structure is simple, straightforward and highly competitive – we offer fixed-price options.

Audit Only

For companies that will action the output of the Gap Analysis themselves or via a third-party

£175 per hour

(Budget 3 hours per Department/Work Area)

No contract commitment
Single fixed price

  • Basic Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”

Audit plus Action

For companies that need Outsourced DPO and long-term gap-closure support

£150 per hour

(Budget 3 hours per Department/Work Area)

Leads to a GDPR Action & Outsourced DPO plan
Single fixed price

  • Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”


When on-site, our working day is 9am – 5pm. For site visits, reasonable subsistence expenses are charged, however these are all agreed by you in advance. On large-scale projects, where our Global Privacy Consultants are engaged, fees are £250 per hour.

Our hourly rates mean you only pay for EXACTLY the time we need for the task – our hours are recorded on timesheets, so we are fully accountable for time vs tasks!

At PRIVACYHELPER, we pride ourselves on tailoring packages to suit your business – your needs and your budget. That is why we don’t offer pre-packaged services that your business has to try and fit into.

Once we have conducted the data discovery phase, or reviewed your existing GAP analysis documents, we’ll propose a set number of days per month – based on the size of the business, the challenges you face and the amount of guidance you’ll need from us.

This resourcing model is perfect for most companies, as it offers you the flexibility to use our time intensively when the need arises, but to keep time to a minimum at other times. You remain in complete control of your budgets!

Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.

How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.

What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

Other services you may be interested in from PRIVACYHELPER

Security Icon

GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

GDPR Training Courses

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.


Is your marketing activity legal? We can make sure it is.