Why Data Protection Is Critical in Mergers and Acquisitions
Mergers and acquisitions are complex transactions. They require time, resource, commercial planning and strategic alignment. But one area that is often underestimated is data protection.
Personal data can be one of the most valuable assets transferred during a merger or acquisition. Customer databases, employee records, supplier information, marketing lists, contracts, complaints, case files and historic archives may all form part of the transaction.
If this data has not been collected, used, stored or shared lawfully, it can quickly become a major risk. Organisations may acquire personal data that they cannot lawfully use. They may inherit compliance gaps, weak security controls, poor retention practices or unresolved data subject rights issues.
In some cases, this can affect the value of the deal itself.
A well-known example is the ICO’s enforcement action against Marriott. The ICO fined Marriott £18.4 million in relation to a major data breach that originated from Starwood Hotels and affected around 339 million guest records. Although the cyberattack began before Marriott acquired Starwood, the ICO focused on Marriott’s failures following the acquisition, including weaknesses in monitoring, logging and encryption.
This case highlights an important point. Data protection should not be treated as a post-completion issue. It should be built into the full M&A lifecycle, from due diligence through to integration.
How Can Organisations Manage Data Protection Risks During M&A?
Organisations can manage these risks by addressing data protection early, clearly and practically. This means reviewing how personal data is collected, used, shared, stored and protected before, during and after the transaction.
The key areas to consider include:
- Transparency obligations
- Data protection due diligence
- Data sharing agreements
- Employee data and special category data
- Marketing activities
- Lawful basis assessments
- Retention and data minimisation
- Security during integration
Transparency Obligations Under Article 14 UK GDPR
Organisations must carefully consider their transparency obligations during mergers and acquisitions.
Where personal data is shared or obtained indirectly during the transaction process, Article 14 UK GDPR may apply. Article 14 requires organisations to provide individuals with privacy information where their personal data has not been collected directly from them.
This may arise where an acquiring organisation receives customer, employee, supplier or marketing data from the target organisation before or after completion.
Individuals may need to be informed about:
- The identity of the acquiring organisation
- The purposes for which their personal data will be used
- The lawful basis relied upon
- Any new recipients of the data
- Changes to retention periods
- Their rights under UK GDPR
The parties should clearly allocate responsibility for issuing privacy information within the transaction documents. Communications should be timely, clear and accessible.
Data Protection Due Diligence
Data protection should be built into the due diligence process for any prospective acquisition target.
This due diligence must be detailed enough to help the acquiring organisation assess the legal, operational and commercial impact of any data protection risks.
For example, where significant compliance gaps are identified, the acquiring organisation may need to involve privacy professionals before completion. This may include reviewing privacy notices, lawful bases, data sharing arrangements, retention schedules, data subject rights processes and security controls.
In some circumstances, personal data may have been collected unlawfully. If so, the acquiring organisation may not be able to use that data in the way originally anticipated during negotiations.
This can affect:
- The value of the target organisation
- The commercial viability of the transaction
- The cost and complexity of post-completion integration
- The risk of regulatory scrutiny
- The risk of complaints or data subject rights requests
Sellers should be ready to demonstrate compliance through appropriate documentation, policies and evidence of robust technical and organisational measures.
Buyers should request evidence that these controls have been implemented, maintained and followed by employees responsible for processing personal data.
Data Sharing Agreements
An appropriate data sharing agreement should be established where personal data is exchanged between the parties.
The agreement should clearly define the roles and responsibilities of each party. It should also specify the purposes for which personal data may be shared and processed.
A strong data sharing agreement should address:
- Confidentiality requirements
- Security measures
- Retention and data minimisation
- Data subject rights requests
- Restrictions on onward transfers
- Responsibility for transparency information
- Procedures for dealing with breaches
The parties should ensure that personal data is not retained for longer than necessary. Unnecessary or redundant data should be securely deleted or anonymised.
The agreement should also set out clear procedures for handling data subject rights requests, such as access, erasure and objection. This is especially important where systems and responsibilities are being integrated after completion.
A well-structured data sharing agreement supports compliance and helps reduce legal, operational and reputational risks.
Informing Data Subjects After a Transaction
Organisations must consider when data subjects need to be informed about changes to the processing of their personal data.
In most cases, the organisation that originally collected the personal data should provide the initial notification, particularly where it still has the direct relationship with the individuals concerned.
Following completion, the acquiring organisation may also need to issue updated privacy information where there are changes to:
- The identity of the controller
- The purposes of processing
- The way the information will be used
- The way the information will be shared
- The applicable retention periods
The parties should clearly agree who is responsible for these communications. This should be documented as part of the transaction process.
Employee Data and Special Category Data
Mergers and acquisitions often involve the transfer and integration of large volumes of employee information.
This may include:
- Payroll data
- Sickness records
- Occupational health information
- Disciplinary records
- Equality and diversity monitoring information
- Criminal offence or DBS-related information
- Performance records
- HR case files
Some of this information may include special category data or criminal offence data. This requires careful handling under UK GDPR and the Data Protection Act 2018.
Organisations should assess:
- Whether the processing is necessary and proportionate
- Who requires access to the information during integration
- Whether appropriate lawful bases and conditions for processing apply
- Whether retention periods remain appropriate
- Whether access controls and confidentiality measures are sufficient
Employee monitoring activities should also be reviewed during post-acquisition integration. This may include email monitoring, CCTV, call recording, productivity tracking or system access monitoring.
These activities should be transparent, proportionate and properly documented.
Marketing Data After a Merger or Acquisition
Marketing data can be a valuable asset in a transaction, but it can also create significant compliance risk.
After a merger or acquisition, the acquiring organisation should assess whether the lawful basis previously relied upon for direct marketing remains valid.
This is especially important where consent was obtained by the acquired organisation before the change in ownership.
The acquiring organisation should ask:
- Was consent freely given?
- Was it specific and informed?
- Was it broad enough to cover communications from the acquiring organisation?
- Were individuals told their data may be transferred or used by another organisation?
- Have existing opt-outs been respected?
Individuals should be informed of any changes affecting the processing of their personal data. Privacy notices should be updated to identify the acquiring organisation and explain any new marketing purposes.
The acquiring organisation must also comply with electronic marketing rules, including those under PECR. This includes respecting existing opt-outs and marketing preferences.
Inherited marketing databases should be reviewed carefully to ensure the data is accurate, relevant and lawfully usable.
Reviewing the Lawful Basis for Processing
Organisations should not assume that the lawful basis relied upon by the acquired organisation will automatically continue to apply after the transaction.
This is particularly important where the acquiring organisation intends to use the data for new or expanded purposes.
For example, if customer data was originally collected to provide a specific service, it may not automatically be appropriate to use that data for a new marketing campaign, profiling exercise or analytics project.
Organisations should review whether the existing lawful basis remains valid in the post-acquisition environment.
This may involve reassessing:
- Consent
- Legitimate interests
- Contractual necessity
- Legal obligations
- Special category data conditions
- Criminal offence data conditions
Where legitimate interests are relied upon, organisations should consider whether a new Legitimate Interests Assessment is needed.
International Data Transfers
Mergers and acquisitions frequently involve organisations that operate across multiple jurisdictions. As a result, personal data may be transferred internationally during the due diligence process, system integration or ongoing business operations.
Before transferring personal data outside the UK, organisations should establish whether an international transfer is taking place and ensure that appropriate safeguards are in place.
This may include transfers to:
- Parent companies or group organisations located overseas
- Cloud service providers hosting systems outside the UK
- International HR or payroll platforms
- Third-party suppliers supporting the integration process
- Overseas legal advisers, consultants or auditors
Where personal data is transferred internationally, organisations should assess whether the destination benefits from UK adequacy regulations or whether an appropriate transfer mechanism, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, is required.
Organisations should also consider whether a Transfer Risk Assessment is necessary and ensure that any international transfers are reflected within their privacy information and Records of Processing Activities.
International data transfers should form part of the wider due diligence exercise, particularly where the target organisation relies heavily on overseas suppliers or cloud-based infrastructure.
Third-Party Suppliers and Processor Contracts
Many organisations rely on external suppliers to process personal data on their behalf. During a merger or acquisition, these supplier relationships should be reviewed carefully to ensure they continue to meet UK GDPR requirements.
The acquiring organisation should identify all processors and sub-processors involved in handling personal data and review the contractual arrangements already in place.
Organisations should consider:
- Whether Article 28 compliant processor agreements exist
- Whether suppliers continue to provide appropriate security measures
- Whether suppliers process personal data only on documented instructions
- Whether subcontracting arrangements have been authorised appropriately
- Whether supplier due diligence remains current
- Whether supplier contracts require updating following the transaction
Where new suppliers are appointed during integration, organisations should ensure that appropriate contractual safeguards are implemented before personal data is shared.
Supplier risk management should remain an ongoing process after completion, particularly where critical systems or large volumes of personal data are involved.
Records of Processing Activities
Following a merger or acquisition, organisations should review their Records of Processing Activities (ROPAs) to ensure they accurately reflect how personal data is processed across the newly combined organisation.
Business processes often change significantly during integration. Departments may merge, new systems may be introduced and personal data may begin flowing between teams that previously operated independently.
Records of Processing Activities should therefore be updated to reflect:
- New processing activities
- Changes to the purposes of processing
- Updated categories of personal data
- New recipients of personal information
- International transfers
- Revised retention periods
- New security measures
Maintaining accurate Records of Processing Activities helps organisations demonstrate accountability and provides an important foundation for wider compliance activities.
Data Protection Impact Assessments
The integration of systems, technologies and business processes may introduce new risks to the rights and freedoms of individuals. Where this is the case, organisations should consider whether a Data Protection Impact Assessment (DPIA) is required.
A DPIA helps organisations identify privacy risks before new processing begins and allows appropriate controls to be implemented at an early stage.
A DPIA may be appropriate where the merger or acquisition involves:
- Large-scale processing of personal data
- The introduction of new technologies
- Extensive profiling or automated decision making
- Large-scale processing of special category data
- Employee monitoring technologies
- The consolidation of multiple customer databases
Completing a DPIA during integration supports privacy by design and helps organisations demonstrate compliance with UK GDPR.
Cyber Security Due Diligence
Cyber security should be considered alongside legal and financial due diligence during every merger or acquisition. Weak cyber security controls within the target organisation can quickly become the acquiring organisation’s responsibility following completion.
Organisations should therefore assess the maturity of the target’s security framework before the transaction completes.
This review may include:
- Previous personal data breaches or cyber incidents
- Vulnerability management processes
- Patch management procedures
- Penetration testing results
- Access management controls
- Business continuity and disaster recovery arrangements
- Incident response procedures
- Cyber Essentials or ISO 27001 certification
Any weaknesses identified during due diligence should be documented, risk assessed and, where appropriate, addressed as part of the post-completion integration programme.
Artificial Intelligence and Automated Processing
Many organisations now use artificial intelligence tools to support customer service, recruitment, marketing, analytics and internal business operations. During a merger or acquisition, these technologies should be reviewed alongside more traditional data protection considerations.
The acquiring organisation should understand:
- How AI systems process personal data
- Whether automated decision making is taking place
- Whether meaningful human oversight exists
- Whether individuals have been informed appropriately
- Whether appropriate lawful bases have been identified
- Whether suppliers provide sufficient contractual safeguards
Organisations should also review whether personal data inherited through the transaction can lawfully be used to train, improve or develop AI systems. Using personal data for purposes that individuals would not reasonably expect could create compliance risks under UK GDPR.
As organisations increasingly adopt AI technologies, reviewing these systems during mergers and acquisitions is becoming an essential part of effective data protection due diligence.
Retention and Data Minimisation
After a merger or acquisition, organisations should review the personal data they have inherited.
The aim is to ensure that the data is still needed, still accurate and not being kept for longer than necessary.
In many cases, organisations inherit large volumes of old, duplicate or unnecessary information. This can create legal, operational and security risks.
This may include:
- Obsolete records
- Duplicate databases
- Old backups
- Inactive marketing lists
- Former employee records
- Archived files that are no longer required
- Shared drives containing historic personal data
- Old complaint or case files
- Legacy systems that are no longer actively used
If this information is retained without proper review, organisations may increase the risk of:
- Personal data breaches
- Unauthorised access
- Inaccurate information being used
- Longer and more complex Subject Access Requests
- Higher storage and management costs
- Greater exposure in the event of a cyber incident
As part of the integration process, organisations should assess:
- Whether the personal data is still needed
- Whether retention periods remain appropriate
- Whether the information is accurate and up to date
- Whether duplicate records exist across systems
- Whether there is still a lawful basis to retain the information
- Whether access to historic records is appropriately restricted
Particular attention should be given to inherited marketing databases and employee records.
Marketing data should be reviewed to ensure it was collected lawfully, remains accurate and can still be used in line with UK GDPR and PECR requirements. Existing opt-outs and suppression lists should continue to be respected.
Employee records should not automatically be retained indefinitely simply because they have transferred to a new organisation. Retention periods should continue to reflect legal, regulatory and business requirements.
Appropriate data clean-up exercises should be carried out during integration. This may include:
- Deleting obsolete or redundant records
- Removing duplicate information
- Reviewing and updating retention schedules
- Restricting access to historic data
- Securely archiving information that still needs to be retained
- Anonymising information where appropriate
Decisions about retention and deletion should be properly documented as part of the organisation’s wider accountability obligations.
Security During Integration
The integration phase can create heightened security risk.
Systems may be migrated, consolidated, reconfigured or retired. Access permissions may change. Data may move between platforms, suppliers, teams and locations.
During this period, organisations should ensure appropriate technical and organisational measures are in place.
This may include:
- Access controls
- Encryption
- Secure data transfer methods
- Audit logging
- Monitoring
- Role-based access permissions
- Supplier due diligence
- Clear incident response procedures
Personal data should only be accessible on a need-to-know basis.
Organisations should also ensure that integration activity does not weaken existing security controls or create unnecessary exposure.
Data Protection Due Diligence Checklist for Mergers and Acquisitions
Every merger or acquisition is different, but there are a number of core data protection checks that should be completed before, during and after the transaction. The checklist below provides a practical starting point for organisations looking to reduce compliance risk and support a smooth integration.
| Area |
Key Question |
Complete? |
| Due Diligence |
Has a full data protection due diligence review been completed? |
☐ |
| Privacy Notices |
Have transparency obligations under Article 14 UK GDPR been assessed? |
☐ |
| Lawful Basis |
Has every processing activity been reviewed to confirm the lawful basis remains valid? |
☐ |
| Marketing |
Can inherited marketing databases continue to be used lawfully under UK GDPR and PECR? |
☐ |
| Employee Data |
Has special category and criminal offence data been identified and protected appropriately? |
☐ |
| Supplier Contracts |
Have processor agreements and third-party supplier contracts been reviewed? |
☐ |
| International Transfers |
Have all international data transfers been identified and appropriate safeguards implemented? |
☐ |
| Security |
Have technical and organisational security measures been independently assessed? |
☐ |
| Cyber Security |
Have previous cyber incidents, vulnerabilities and security certifications been reviewed? |
☐ |
| Retention |
Has inherited personal data been reviewed against retention schedules and data minimisation requirements? |
☐ |
| Records of Processing |
Have Records of Processing Activities (ROPAs) been updated following integration? |
☐ |
| DPIAs |
Has a Data Protection Impact Assessment been completed where required? |
☐ |
| Data Subject Rights |
Are processes in place to manage Subject Access Requests and other individual rights after the transaction? |
☐ |
| AI and New Technology |
Have AI tools and automated processing activities been reviewed for compliance? |
☐ |
| Governance |
Have accountability documents, policies and staff responsibilities been updated following completion? |
☐ |
Completing these checks before and during integration can help organisations identify compliance gaps early, reduce legal and operational risk, and demonstrate accountability under UK GDPR.
Conclusion
Data protection should be treated as a fundamental part of the mergers and acquisitions lifecycle.
It should not be left until after completion.
From due diligence through to integration, organisations must ensure that personal data is lawfully obtained, properly governed, transparently processed and securely managed in line with UK GDPR and PECR obligations.
By embedding data protection into due diligence, contractual arrangements, transparency obligations, lawful basis reviews, marketing activity, retention decisions and system integration, organisations can reduce risk and support a smoother post-acquisition transition.
Data Protection People can support organisations throughout this process. We can help identify and reduce compliance risks, support due diligence activity, review marketing and transparency obligations, and help implement practical data protection measures throughout the transaction lifecycle.
Planning a merger or acquisition?
Data Protection People can support your organisation with data protection due diligence, supplier reviews, transparency obligations, contract reviews, DPIAs, and post-acquisition integration to help reduce compliance risk throughout the transaction.
Frequently Asked Questions
Does UK GDPR apply during mergers and acquisitions?
Yes. UK GDPR applies whenever personal data is collected, reviewed, shared, transferred or integrated as part of a merger or acquisition. This includes customer data, employee records, supplier information, marketing databases and historic records.
What personal data should be reviewed during M&A due diligence?
Organisations should review all personal data that may transfer as part of the transaction. This may include customer records, employee files, payroll data, supplier information, contracts, complaints, marketing lists, archived data, backups and information held in legacy systems.
Can marketing databases be transferred after an acquisition?
Marketing databases can transfer as part of an acquisition, but the acquiring organisation must assess whether the data can still be used lawfully. This includes reviewing consent, legitimate interests, privacy notices, opt-outs and compliance with PECR.
What is Article 14 UK GDPR in mergers and acquisitions?
Article 14 UK GDPR applies where an organisation receives personal data indirectly, rather than collecting it directly from the individual. In an M&A context, this may require the acquiring organisation to provide privacy information to customers, employees, suppliers or other individuals whose data has been obtained through the transaction.
Why is data protection due diligence important?
Data protection due diligence helps organisations identify legal, operational and security risks before completing a transaction. It can reveal whether personal data has been collected lawfully, whether it can be used as intended and whether any compliance gaps could affect the value or viability of the deal.
Do organisations need a data sharing agreement during M&A?
Where personal data is shared between parties during a transaction, a data sharing agreement should be used to define roles, responsibilities, permitted purposes, security measures, retention rules and processes for handling individual rights requests.
Should employee data be treated differently during an acquisition?
Employee data should be handled carefully because it may include special category data, criminal offence data, sickness records, occupational health information, disciplinary records and payroll information. Access should be limited, lawful bases should be reviewed and retention periods should remain appropriate.
How can Data Protection People help with M&A data protection?
Data Protection People can support organisations with data protection due diligence, privacy notices, supplier reviews, lawful basis assessments, marketing data reviews, DPIAs, ROPAs, data sharing agreements and post-acquisition integration planning.