How GDPR will drive change in M&A cyber due diligence

The General Data Protection Regulation (GDPR) comes into force in May 2018 and will bring about many changes in the way M&A cyber due diligence is conducted.

The main points regarding GDPR include:

  • A fine of up to four per cent of global turnover
  • Some organisations (including public sector bodies or those that qualify through their processing activities) will need to appoint a Data Protection Officer
  • Organisations must maintain an inventory of ‘Personal Information’ and a record of the personal data processing activities they carry out
  • Organisations must report certain privacy breaches to regulators within 72 hours
  • There are clear requirements around monitoring, encryption, anonymisation and availability

How GDPR will drive due diligence change

The points above provide a summary of some of the key changes associated with GDPR. In the context of cyber due diligence, NCC Group predicts the associated risks will drive key behavioural changes in acquirers and investors pre-close.

These behavioural changes will go beyond simply wanting to get warranties from sellers or tick box compliance validation during due diligence.

Instead, we expect to see a deep focus on discovery and validation in a range of strategic and operational risk and security functions due to the increased risk of exposure to regulators, litigation and other punitive responses.

Discovery will be about discovering the unknowns

The discovery activities are expected to increase significantly around latent compromises.

Through compromise assessments, there will be a focus on the discovery of breaches that have already happened but are unknown to the company that is being bought.

The reason for this focus is the risk to the acquirer of facing a fine of up to four per cent of global turnover if, because of poor technical or organisational controls, a breach is subsequently found or happens once they have acquired the organisation. Acquiring a breached company, even with warranties in place, will make potential buyers extremely uneasy.

We also expect that discovery will focus deeply on any known prior compromises, the resultant breaches and the corresponding disclosures made. Expectations of disclosure and candour about such events, and about the corrective measures taken, will increase substantially.

Validation will be about effectiveness as much as compliance

GDPR will also encourage acquirers to understand the real-world effectiveness of security controls and protective monitoring as opposed to focusing solely on compliance.

This change is in part due to the short-term risk presented by a compromise and resulting breach after deal closure and before any integration is complete.

Validation exercises are also expected to look at the completeness and accuracy of personal information inventories and the effectiveness of risk management and security operations functions.

In addition, there is the potential for significant costs post-acquisition to bring the new entity up to the level required for compliance with GDPR.

Change is happening prior to 2018

NCC Group is already seeing a number of acquirers doing a range of these activities and more when acquiring European firms, where previously they may have focused solely on privacy compliance. The legacy of privacy compliance with regard to personal information collection, processing and storage is now seen as the low bar, with the other areas outlined here the medium bar.

It is clear that, as the problem domain becomes more complex and cyber security becomes a material risk to business, due diligence as known by many in M&A is due for a substantial shake-up.


This is the first in a series of blog posts about our opinions and experiences from working in mergers and acquisitions for clients in both pre- and post-close advisory roles. It coincides with the release of our whitepaper: M&A Cyber Security Due Diligence.

Our experience comes from advising on more than 100 deals in the last ten years across the US, Europe, the Middle East and Far East.

Published date:  21 February 2017

Written by:  Ollie Whitehouse
