Episode 49 — Conduct M&A privacy due diligence to surface shared-data risks early

In this episode, we’re going to talk about privacy due diligence during mergers and acquisitions, which is one of the fastest ways privacy risk can multiply if it’s not handled early. When two organizations come together, they do not just combine products and people; they combine data, systems, vendors, and habits. That combination can create shared-data risks, meaning risks that arise when data that used to be separate is suddenly viewed as one big pool that everyone wants to use. The urgency of deal timelines makes this even harder, because business teams often want quick answers, not a careful map of data flows and obligations. Privacy management is valuable here because it can surface the risks that are most likely to become expensive surprises after the deal closes, like undisclosed data sharing, unclear consent, excessive retention, weak controls, or cross-border transfer constraints that conflict with the new combined footprint. The goal today is to understand what M&A privacy due diligence is really trying to accomplish, what shared-data risks look like, and how to ask the questions that reveal those risks while there is still time to influence the deal plan. By the end, you should be able to explain why privacy due diligence is not a late-stage legal review, but an early-stage risk discovery process.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

A helpful way to frame M&A privacy due diligence is to think of it as answering two big questions. First, what personal data does the target organization have, how did it get it, and what is it allowed to do with it? Second, what will change after the deal, and will those changes create new obligations or violations? The first question is about the target’s current reality: data categories, sources, purposes, retention, sharing, and controls. The second question is about the combined future: integration plans, data sharing across the merged organization, new analytics initiatives, new vendors, new geographic access, and new customer expectations. Shared-data risk is usually found in the gap between those two. A target might lawfully process customer data for providing a service, but the acquiring company might want to use that data for cross-selling, profiling, or combining with its own datasets. If the original notices, consents, and contracts do not support that, the combined plan can create a privacy problem immediately. So M&A privacy due diligence is not only about discovering flaws; it is also about preventing unintended misuse after the transaction.

One of the earliest tasks is scoping the data landscape at a level that is detailed enough to be meaningful but not so detailed that it blocks the deal. You want to identify the major data domains, such as customer data, employee data, marketing data, product telemetry, and vendor data. Within each domain, you want to know the categories of personal data involved, including whether sensitive categories exist and whether data about children is involved. You also want to know the scale, like how many individuals are affected and how long the data has been accumulated. Scale matters because it influences both risk and remediation effort. A small dataset can often be cleaned up or migrated, but a multi-year dataset spread across many systems can create deep retention and access problems. Operationally, this scoping step helps you prioritize, because not every dataset is equally likely to create shared-data risk. You focus first on the data that is most sensitive, most shared, most valuable to the business, or most regulated.

The next major step is understanding the target’s lawful basis and transparency story, meaning why the target believes it can use the data in the ways it currently does. This is where many shared-data risks begin, because M&A changes context. If the target collected data under a promise that it would be used only for a specific service, then combining that data for new purposes can violate expectations, even if the acquiring company sees it as normal business synergy. You want to examine privacy notices, consent language if applicable, customer contracts, and internal policies to see what was communicated and what commitments were made. You also want to understand any opt-out mechanisms and whether they were respected operationally. A mature target can explain how it tracks consent and preferences and how those preferences are enforced. An immature target may have a privacy notice but no operational way to implement its promises, which becomes a risk you inherit. In M&A, inheriting a gap between promises and practice can be more damaging than inheriting a technical vulnerability, because it can affect trust and regulatory exposure.

Shared-data risk also appears through data sharing and third-party relationships that the acquiring company does not initially see. The target may share data with vendors for analytics, marketing, support, or infrastructure, and those relationships may include onward sharing through subprocessors. You need to know who receives the data, what data is shared, for what purpose, and what contractual controls exist. This matters because after the acquisition, the acquiring company may want to consolidate vendors, change platforms, or centralize analytics. Those changes can break contract obligations or create new cross-border transfer constraints. Another risk is shadow sharing, where teams share data informally through exports, emails, or untracked integrations. Due diligence needs to surface whether data sharing is well controlled and documented or whether it is ad hoc. A target with poor documentation may still be lawful today, but the lack of clarity becomes dangerous during integration because it increases the chance that the combined organization will reuse or expose data incorrectly.

Retention and deletion practices are another area where shared-data risk is easy to miss. Acquiring companies often assume they can keep all historical data because it might be valuable later, but that assumption can conflict with the target’s obligations and promises. If the target has retention schedules that require deletion after specific periods, the acquiring company inherits those obligations unless it changes them lawfully and transparently. If the target has weak deletion practices, like keeping data indefinitely in backups and logs, you inherit not only the risk but also the cost to fix it. M&A due diligence should ask where data is stored, how long it is retained, how deletion works in practice, and what exceptions exist. It should also ask how the target handles rights requests, because if the target cannot locate and delete data reliably, integration will make that harder, not easier. Shared-data risk increases when data is retained broadly and for long periods, because integration tends to create more copies and more access pathways.

Security posture is often treated as a separate stream of diligence, but privacy managers should still understand the privacy-relevant parts, especially around access and monitoring. Shared-data risk is not only about lawful use; it is also about whether the combined organization will increase exposure by widening access. After a deal, teams often request access to each other’s systems, and those access expansions can be risky if the target’s access controls are weak. You should ask how access is granted, whether privileged access is logged, whether access reviews occur, and whether least privilege is practiced. You should ask about endpoint controls, because acquisitions often bring in unmanaged devices and inconsistent practices. You should also ask about incident response history and preparedness, because a target that has experienced incidents might carry unresolved weaknesses. Privacy due diligence does not need to run technical tests in this episode, but it should identify whether the target’s controls are mature enough to support integration without creating new confidentiality failures.

Cross-border data location and access is another classic M&A risk because acquisitions often change where data can be accessed from. Even if the target’s data is stored locally, the acquiring company may have global support or engineering teams that will need access, and that can create cross-border access flows. The acquiring company might also want to migrate systems to its own cloud regions, which can shift storage location. Due diligence should therefore ask where the target’s data is stored and processed today, where its vendors are located, and where remote access originates. It should also ask whether the target is subject to any localization requirements or special transfer safeguards. The shared-data risk here is that the combined operating model might violate constraints that the target previously managed through local-only access or region-bound hosting. This is why operational accuracy matters: you need to know what the target actually does, not just what its contracts say. If you discover these constraints after integration begins, you may be forced into expensive redesign or delayed migration.

A key due diligence skill is identifying planned integration uses that could transform lawful data into problematic data. For example, combining customer datasets to create richer profiles might change the fairness and transparency expectations and might require new notices or opt-outs. Sharing employee data across the merged organization might trigger different labor and privacy expectations and might increase internal access risk. Using the target’s product telemetry to train analytics models might be outside the original purpose. Even creating a unified customer identity system can create new risks if identifiers that were separate become linked. Privacy due diligence should therefore not only ask what data exists, but also what the deal team intends to do with it in the first six to twelve months. Shared-data risk is often predictable if you know the integration roadmap. Privacy management helps by translating those business goals into questions about purpose compatibility, minimization, retention changes, and required safeguards.

Because deal timelines are tight, it is important to produce outputs that are actionable and early. That usually means identifying high-risk areas, describing why they are high risk, and recommending practical steps to reduce risk during integration. For example, you might recommend keeping certain datasets separated until permissions and notices are updated. You might recommend limiting access to the target’s systems until logging and access reviews are improved. You might recommend prioritizing remediation of retention and deletion capabilities before migrating data to new platforms. You might recommend contract review for key vendors and subprocessors before consolidating services. The privacy manager’s value is to prevent the organization from treating data integration as a simple technical merge. Data integration is a governance merge, a promise merge, and an obligation merge. When you make that visible early, the organization can plan integration in phases rather than rushing into a risky full merge.

To wrap up, M&A privacy due diligence is about surfacing shared-data risks before the deal closes or before integration decisions become irreversible. You look at what personal data the target has, how it was collected, what promises were made, and what the target is allowed to do today. Then you look at what the combined organization wants to do tomorrow, especially around combining datasets, expanding access, migrating systems, and changing vendors. Shared-data risks appear when purposes shift, when consent and preferences cannot be honored, when retention is unclear, when third-party sharing is messy, when cross-border access changes, and when access controls are not mature enough for a larger organization. Operational accuracy is the key because M&A creates pressure to simplify, and simplification often hides the details that cause privacy failures later. When privacy management performs due diligence early and frames findings in practical integration terms, it protects both the organization and the individuals whose data is involved, and it makes the merger more resilient rather than more fragile.
