IT Due Diligence Guide

Make an informed technology company investment.


Dec 06 2017

GDPR and IT Due Diligence

If a potential acquisition target does business in the European Union or stores data related to EU-based individuals, it’s important to evaluate the company’s readiness for the EU General Data Protection Regulation (GDPR) during IT due diligence.

In May 2016, the European Union finalized the General Data Protection Regulation (GDPR). It will go into effect in May 2018.

The GDPR is intended to increase the security of the personal data of EU citizens and to create protocols that must be followed by all companies doing business in the EU, regardless of the location in which they operate.

This means, for example, that US companies that offer products and services to individuals in the EU fall under these regulations. Regardless of Brexit, the UK has indicated that it intends to "opt-in" to GDPR.

While large companies around the world have been preparing for GDPR compliance, many smaller companies have probably not even heard of it as of late 2017.

It’s likely that best practices for compliance for smaller businesses will be a moving target as the implementation date approaches, but here are some things to consider when discussing GDPR with your target company during IT due diligence:

  • All companies processing personal data must obtain consent from the user after first clearly explaining exactly how it will be used. A user agreement or privacy policy without proof of its being read will not suffice.
  • Companies with at least 250 employees or whose business is primarily focused on processing personal data must appoint a "data protection officer" (DPO) whose responsibility is to oversee enforcement of GDPR. This can in theory be either an employee or a consultant. Either way, with an already-existing shortage of qualified IT security professionals, creating new demand for these skills will only make it harder to recruit and hire DPOs.
  • The GDPR requires the DPOs at affected companies to perform "privacy impact assessments" to identify and mitigate risks related to the processing of personal data.
  • The GDPR will likely require applications to be redesigned to add data encryption and to reduce collection of unnecessary data.
  • Fines related to noncompliance with the GDPR can be huge – in some cases up to 4% of the company’s prior year worldwide revenue.

If an acquisition target is impacted by GDPR, compliance can potentially be very expensive and these costs should be considered very carefully when it comes to the transaction price and implementation budget.

For more information, see the official EU personal data protection page.

Written by Jim Hoffman · Categorized: Blog
