When Your Company Is Acquired: Data Privacy Management Tips for Privacy Teams

When a company goes through an acquisition, privacy teams are often asked the same core question: How do we protect personal data while merging systems, teams, and processes?

These practical tips from our community help privacy teams reduce risk, support the business, document efficiently, collaborate with new partners, and stay grounded during an acquisition. 

Note that the guidance below is only applicable after the acquisition deal is officially finalized. For companies in highly regulated sectors (e.g., finance or healthcare), the period between the deal announcement and legal closing can be significant. Until the deal is officially closed, focus instead on reviewing and updating your current privacy documentation, and revisit these steps afterwards.

1. Avoid assumptions and get curious

First 30 days

One of the fastest ways to create privacy risk during an acquisition is assuming you already understand how the other organization handles data. 

Research the other organization’s privacy practice through both documentation and meetings, but don’t limit to just the “official” sources. Focus on how data is collected, processed, stored, shared, and accessed in practice, not just how it is supposed to work on paper. Understanding these realities will help you make better recommendations in later steps. 

Waridah Makena, Global AI & Data Policy Advisor, recommends, “Speak to everyone handling data, especially if they’re the only one handling a process or system.” 

Don’t be surprised if you find answers that disappoint you. David Hale, Chief Privacy Officer & General Counsel, emphasizes assuming good intent throughout the acquisition: “Different teams evolved under different pressures, and different approaches do not indicate competence or lack thereof.”

Be thoughtful of your new work culture: establish open communication early, and avoid talking in terms of “us” and “them.” Build trust by working together as a united team.

• Read external privacy documents (privacy policy, default contract language) 
• Study internal privacy documentation if available
• Meet with privacy, legal, compliance, and security leaders
• Meet with key data, system, and process owners

2. Unify privacy teams & privacy compliance software

First 90 Days

Whether or not you reflect it on your organizational chart, the work ahead will be easier if you combine the efforts of your separate privacy and compliance teams. 

This is also when teams frequently evaluate overlapping vendors, including privacy compliance software. Understand which tools and modules are in use and how they’re perceived by their stakeholders. If no tool is obviously better than the other, plan a formal evaluation process. Reducing duplication without sacrificing execution is critical to showcasing your value to the new and combined organization. 

• Compare roles & responsibilities with the other organization’s privacy, legal, and security leaders
• Create standing team meetings with the other organization’s privacy, legal, and security leaders
• Compare privacy management tools and create a plan to consolidate vendor contracts if possible
• If not possible, identify clear hand-off points between privacy teams and tools

3. Consolidate data mapping for the combined organization

First 90 days

Accurate data mapping supports downstream work like records of processing, DSR fulfillment, and risk assessments, especially when leadership needs quick, reliable answers. 

Creating or updating data maps for the merged organization helps privacy teams identify risks early and navigate integration decisions with more confidence. You may learn that systems with strong risk mitigation measures prior to the acquisition are much riskier once they integrate with the other organization’s data. 

As Jamie Massaro, CIPT, notes, if your team is responsible for Third Party Risk Management (TPRM), you may also use your data map to help inform decisions on which third parties and vendor relationships are maintained versus depreciated. 

• Map systems, vendors, and processing purposes across both entities
• Document which systems contain what data
• Identify and consider system risk when prioritizing systems to integrate
• Review access controls for higher risk systems and ensure access is restricted to sensitive data

When Okta acquired Auth0, they were also able to leverage DataGrail to quickly onboard and approve the organization’s applications, ensuring they were reflected in Okta’s data map and met Okta’s standards for data privacy practices. – Read the case study

4. Prepare early for DSAR Complexity

First 90 days

Data subject requests (“DSRs” including Data Subject Access Requests, “DSARs”) tend to become more complex during system mergers. When personal data lives in multiple environments, response times can slow and accuracy becomes harder to maintain. Meanwhile, news of an acquisition can sometimes incite a temporary increase in privacy request volume.

The conversations you had in step 1 and the data map you revised in step 3 will help inform the strategy, but you should also prepare capacity or automation resources to help you get through the additional lift DSARs may demand.

Long-term, you can also use your DSAR experience to inform setting a standardized data retention policy across the organization. McKena advises reconciling retention schedules, which often differ between organizations. Aligning them helps minimize the footprint of sensitive data, supports defensible deletion practices, and reduces the long-term workload of processing DSARs. 

• Ensure you are fully utilizing automation features in your privacy request management platform
• Allocate staff capacity to supporting DSR volume if needed
• Collaborate with stakeholders across the combined organization to plan and set new data retention policies

5. Confirm the legal basis for data migration & verify cross-border transfers

First 90 days

Large-scale data migration is common during acquisitions, but it is not automatically lawful.

Before personal data is transferred into shared systems or centralized databases, privacy teams should validate that the original legal grounds for collection support the new processing context. If individuals consented to processing under specific terms or limitations that will no longer be applied in a merged system and no other legal grounds apply, it may not be possible to migrate the data. 

Additionally, if personal data will move across borders as part of the acquisition, transfer safeguards such as standard contractual clauses (SCCs), intra-group agreements, adequacy decisions, and regional regulatory differences should be reviewed carefully.

• Compare the terms of service and privacy policies of both companies
• Study collection processes, stated purposes, and disclosures related to any sensitive data
• Identify any data that cannot be immediately migrated
• Plan additional disclosures, notices, and/or assessments to ensure compliance before migrating data
• Review cross-border transfer safeguards, if applicable

6. Harmonize privacy policies, and processes

First 120 days

Massaro points out that most documentation will need to be updated over time, including privacy policies, employee notices, customer-facing notices, DPAs, and subprocessor lists. If branding and practices are unified, policies must reflect the combined organization. 

These documents will often reference other work from earlier in the process. For example, vendor consolidation efforts and merging web domains (and consent preferences) will both have consequences on transparency disclosures. Yet, you may also need interim policies or legal notices sooner than those decisions are made. For example, if re-branding happens quickly or data sharing begins immediately, you will likely need to start early and iterate on each of these documents multiple times as progress is made on system-merging after the acquisition. 

• Map and combine definitions of consent, trackers, and third-parties for accurate disclosure 
• Draft a combined privacy policy
• Revise employee and customer-facing notices
• Create a new Data Processing Agreement template inclusive of a consolidated list of subprocessors

7. Take care of yourself too

Throughout the entire process

Acquisitions are always stressful. Even the best laid plans can be interrupted by a surprise. Don’t let go of your work-life balance and remember that the stress is temporary. 

At the same time, acquisitions often involve consolidation, and privacy teams are not immune. Even after an initial first round of lay-offs, there could be more as further duplication is discovered. As much as an acquisition feels vulnerable, it can also be an opportunity. Privacy teams are desperately needed to ensure an acquisition moves forward without compliance incidents and the early acquisition period can be an ideal time to advocate for yourself, your salary, and your required resources.

Adapting well during an acquisition requires both resilience and practical privacy expertise. Massaro notes that successfully navigating an acquisition is a career builder. 

“This is a great time to demonstrate leadership and ask for a promotion,” Massaro advises. “Showing that you have successfully navigated an acquisition and made meaningful contributions is great for your resume and for interviews.”

Final thoughts

Acquisitions are intimidating and unpredictable, but they are also moments when privacy leadership makes a measurable difference. By grounding decisions in learning, accurate data mapping, and collaborative execution, privacy teams can protect individuals, support the business, and strengthen their own professional standing in the process.

Be sure to join Privacy Roundtable to connect with peers who have been through an acquisition before and support advocating for the next big stage of your career.