For most of the last decade, personal data in an Indian M&A transaction was handled, if at all, as a technology matter buried in a schedule. The Digital Personal Data Protection Act, 2023 has ended that. Data protection compliance is now a source of quantifiable liability, with penalties under the Act reaching up to ₹250 crore for a failure to implement reasonable security safeguards, and that changes where data belongs in a deal. It belongs alongside tax, litigation and title, as a diligence stream that can move price, shift the allocation of risk and, in the sharper cases, determine whether the deal proceeds at all.
The diligence question is no longer whether the target has a privacy policy. It is whether the target actually has a lawful basis for the personal data it holds and monetises. An acquirer needs to understand what personal data the target processes, from whom it was collected and on what notice and consent, whether that consent extends to the uses the business model depends on, how long the data is retained, with which processors and cross-border recipients it is shared, and what breach history sits in the background. A target whose valuation rests on a large data estate assembled without a defensible consent trail is not selling an asset; it is selling a contingent liability dressed as one.
The DPDPA also bears directly on the mechanics of the transfer. Personal data was collected for the purposes the target notified to its data principals, and that purpose limitation does not evaporate because the shares or the business have changed hands. In an asset or business transfer in particular, the acquirer cannot assume it inherits a clean, freely usable dataset; the lawful basis has to be examined, and in some cases notice or fresh consent has to be planned for as a condition of continuing to use the data after closing. This is a point transaction timetables routinely underestimate, because the cost of re-establishing a lawful basis lands after the deal has closed.
These realities have to be written into the transaction documents rather than left to good faith. That means specific representations and warranties on data protection compliance, on the absence of reportable breaches and regulatory correspondence, and on the validity of the consents underpinning the data estate, supported by disclosure schedules that are genuinely tested against the diligence findings. It means indemnities calibrated to the DPDPA penalty exposure rather than to a generic compliance basket, and, where the target processes data at scale, diligence on whether it is or is likely to be designated a Significant Data Fiduciary, with the heavier obligations that status carries. Warranty language drafted for a pre-DPDPA world will not allocate this risk correctly.
The exposure does not end at signing; in integration it often begins. Combining two data estates, migrating systems, and extending the acquirer's processing to the target's data all create fresh processing activities that must themselves rest on a lawful basis. Post-closing integration is where consent mismatches, incompatible retention rules and unmapped data flows surface, and where a poorly planned migration can convert the target's historical non-compliance into the acquirer's present liability. A hundred-day integration plan that treats data protection as an afterthought is a plan to import the very risk the diligence was meant to price.
We approach data in a transaction through our TCL Framework™: the technical reality of what data exists and how it moves, the commercial judgement on how that shapes value, indemnity and integration cost, and the legal precision to lock the position into warranties, conditions and a defensible post-closing basis. Handled this way, data protection stops being the diligence stream everyone discovers late and becomes what it should be, a priced and allocated deal term that protects the buyer long after the money has moved.


