Privacy Due Diligence in M&A
When you buy a business, you buy its privacy liabilities. We explain what a proper privacy audit covers in M&A due diligence and how to protect yourself before you sign.
The Checklist Every Buyer Needs Before They Sign
Data is now one of the most valuable assets in any business acquisition. Customer databases, subscriber lists, health records, financial profiles – these are often central to the commercial case for a deal.
Data also carries risk, particularly when it includes personal information. In Australia, that risk is growing.
Buyers who fail to conduct thorough privacy due diligence are increasingly finding themselves inheriting not just a business, but a breach and the regulatory and financial consequences that come with it. A dedicated privacy audit of the target business, conducted before you sign, is now one of the most important steps any acquirer can take.
The question isn't just 'what personal information does this business hold?' It's 'what liability does that personal information represent?'
Why Privacy Due Diligence Is Now Non-Negotiable
Obligations under the Privacy Act 1988 (Cth) do not reset on acquisition. When you buy a business, you take on its privacy governance history, including any past breaches, current OAIC complaints, regulatory exposure and systemic weaknesses.
The $5.8 million penalty against Australian Clinical Labs, arising from a breach in a recently acquired subsidiary, is the clearest warning the market has received. ACL acquired Medlab Pathology only months before the breach surfaced. The inherited systems contained the weakness that was exploited. A pre-acquisition privacy audit that looked at those systems may well have identified it. The acquirer paid the price for not having one.
This is not an isolated risk. Privacy weaknesses in acquired businesses are common. Many businesses have never conducted a formal privacy audit, never completed a privacy impact assessment for their key systems, and operate with policies that are out of date. For a buyer with mature privacy practices, this creates both a risk and, if priced correctly and remediated well, an opportunity.
The Privacy Due Diligence Checklist for Buyers
A thorough privacy due diligence process, ideally conducted with the support of a specialist privacy lawyer, should cover seven areas. Here is the checklist our team works through:
1. Personal Information Inventory
What categories of personal information does the business hold?
How much of it is there, and how many individuals does it relate to?
Does the business hold any sensitive information (e.g. health, criminal, biometric data)?
Where and how is the personal information stored?
Does the business have a current data map or register?
If the target cannot produce a current data map, that itself is a finding. You cannot govern what you cannot see, and neither can they.
2. Collection, use and disclosure
When, how and why was the personal information collected?
Has the business collected more personal information than it needed for its stated purposes?
Are collection notices current and compliant with APP 5?
What does the target currently use the personal information for?
Who is the personal information currently disclosed to?
Collection, use and disclosure is the core of privacy governance. Every business should be able to explain what personal information it holds, what it uses it for and who it discloses it to. If the target cannot answer those three questions without hesitation, expect the rest of the audit to find gaps.
3. Privacy Policies, Documentation and Privacy Impact Assessments
Is the public privacy policy current and accurate?
Are internal privacy procedures documented and followed in practice?
Are data retention schedules defined and enforced?
Have privacy impact assessments been conducted for major systems, products or processes?
The presence or absence of documented privacy impact assessments is a meaningful indicator of governance maturity. A business that has conducted PIAs for its key data initiatives has thought carefully about privacy risk. One that has never conducted a privacy impact assessment is more likely to be carrying undiscovered exposure.
4. Breach History
Has the business experienced any data breaches in the past three years?
Were any breaches notified to the OAIC under the Notifiable Data Breaches scheme?
Are there any outstanding OAIC investigations or complaints?
What remediation was undertaken following past incidents?
Breach history is not necessarily a deal-breaker, but it must be disclosed and factored into your risk assessment. Undisclosed breaches discovered post-completion are a far more serious problem.
5. Third-Party and Vendor Risk
Who are the key vendors and service providers with access to personal information?
Do vendor contracts include appropriate privacy obligations?
Are any overseas transfers of personal information occurring, and has the business taken the steps APP 8 requires before disclosing personal information to an overseas recipient?
Does the business have a process for ongoing vendor privacy risk management?
Supply chain privacy risk is one of the most commonly underestimated issues in M&A. A full privacy audit should include a review of the target's top vendors, not just its own practices.
6. Employee and HR Data
How does the business manage employee personal information?
Are HR systems compliant with the Privacy Act?
Is there a policy for handling employee health, disciplinary or surveillance records?
The employee records exemption does not take employee personal information out of scope. The exemption is narrowly defined: it applies only to employee records the business already holds (so the collection itself remains subject to the APPs) and only where the handling is directly related to the employment relationship.
7. Technology and Security
What technical controls (access control, encryption, logging, segregation of sensitive data) protect personal information?
When were security systems last tested or audited, and can the target produce the reports and evidence that findings were remediated?
Are there known, unremediated vulnerabilities in inherited systems?
Does the business have a documented incident response plan, and has it been exercised?
Even where a separate cybersecurity review is occurring, your privacy audit should assess technology through a privacy lens: not just whether systems are secure, but whether the data being held in those systems should be held at all, and whether the controls are commensurate with the sensitivity of the information.
How to Price Privacy Risk Into a Deal
Once your privacy audit gives you a picture of the target's privacy maturity, you need to translate that into deal terms. An experienced privacy lawyer can help you structure appropriate protections. Options include:
Warranties and indemnities: Require the seller to warrant compliance with privacy law and that there are no undisclosed breaches or investigations. Include an indemnity for post-completion claims arising from pre-completion conduct.
Price adjustment: If due diligence reveals systemic weaknesses, factor in the cost of remediation. A business requiring a full privacy program rebuild has a different value than one with mature governance in place.
Escrow: For higher-risk acquisitions, consider holding a portion of the purchase price in escrow pending resolution of identified privacy risks.
Conditions precedent: In some cases, make completion conditional on the seller completing specific remediation steps before settlement.
What Sellers Should Know
If you are preparing a business for sale, your privacy posture now directly affects your negotiating position. Sophisticated buyers and their privacy lawyers are scrutinising this more carefully than ever. A clean privacy audit, documented governance, completed privacy impact assessments for key systems, and no breach history all strengthen your position and can support a higher valuation.
Conversely, a patchwork of outdated policies, undisclosed incidents and vendor contracts with no privacy clauses will invite a price reduction, escrow demands, or both.
Investing in privacy remediation before a sale process – getting a privacy audit done, fixing the gaps, and documenting the work – is increasingly sound pre-sale strategy, not just legal housekeeping.
Treat privacy due diligence the same way you treat financial due diligence. The liabilities are just as real.
After You Close: The First Six Months
Day one of a new acquisition should include a prioritised remediation plan for any gaps identified in your pre-completion privacy audit. Do not allow inherited systems and practices to continue unchecked. The longer a privacy weakness persists post-acquisition, the harder it is to argue it was an inherited problem rather than yours.
Conduct a follow-up privacy audit of the acquired business within the first six months. Document what you found, what you are fixing and your timeline. This positions you well if a historic breach surfaces post-completion and it demonstrates to regulators the proactive oversight they expect from responsible data custodians. In Australia, that documented diligence is increasingly the difference between a regulatory investigation that resolves quickly and one that does not.
Working With a Privacy Lawyer on M&A Due Diligence
Privacy due diligence in M&A sits at the intersection of corporate law, regulatory compliance and data governance. It is a specialist area and one where the cost of getting it wrong, as Australian Clinical Labs discovered, can dramatically exceed the cost of getting proper advice upfront.
Whether you are a buyer wanting to understand what you are acquiring, a seller wanting to present your business in the strongest possible light, or a board wanting to ensure post-acquisition integration is handled correctly, working with an experienced privacy lawyer is the right starting point. Our team in Melbourne works with acquirers and vendors across Australia to structure privacy due diligence that is proportionate, practical and genuinely protective.