Data as an asset in corporate transactions: what are businesses really buying?

Data is increasingly being treated as an important business asset in corporate transactions.

Whether a business is being acquired, involved in a merger, seeking investment, or undergoing restructuring, the type and quality of the data it holds can have an impact on valuation, how the deal is negotiated and what happens post‑completion. But data behaves very differently from traditional assets, creating unique challenges for everyone involved in the transaction.

Data isn’t “owned” in the traditional sense, and its use is heavily regulated

Unlike other assets, data can’t be owned outright. Instead, businesses usually hold a bundle of rights to use, process and share it, and those rights are shaped by contracts and statutory obligations. That distinction matters because the key issue in a transaction is not ownership, but whether the seller has the rights to use and transfer the data in the way the buyer expects. UK GDPR and the Data Protection Act 2018 add another layer of complexity by imposing limits on how personal data can be handled. Purpose limitation, lawful basis requirements, transparency obligations and international transfer rules all affect what a buyer can do with the data after completion. If the data can’t be used legally for things like analytics, marketing or integration, its value may be significantly reduced.

In practical terms, this means that even where a dataset exists, the buyer may not actually be able to use it for the commercial purpose they had in mind. If that happens, it can weaken the strategic value of the transaction and have a knock-on effect on valuation.

Key risks for buyers

  • Regulatory exposure

One of the main risks for a buyer is regulatory exposure. If the target company has handled personal data unlawfully, the buyer may inherit ICO investigations, potential fines, remedial work and reputational damage. Problems with historic non-compliance do not always come to light straight away and may only emerge after completion, especially where data governance has been poor.

  • Limitations on use

Buyers also face limits on how the data can be used. Even where data is lawfully held, restrictions may apply to using it for new business purposes, integrating it across group companies, using it for marketing or customer profiling, or transferring it internationally.

  • Data quality and integrity

A further issue is data quality and integrity. If datasets are poorly organised, inaccurate or incomplete, that can reduce their practical value and also create compliance risks. In some cases, poor-quality data may end up being more of a liability than a useful asset.

  • The importance of robust due diligence

Data-related due diligence is now a key part of corporate transactions. Buyers need to consider whether the target has a lawful basis for its main processing activities, whether appropriate governance documents are in place, whether its datasets are accurate and usable, and whether its cybersecurity arrangements are adequate. They also need to look at any history of data breaches or ICO involvement, how international data transfers are structured, and what the third-party processor agreements say.

This helps buyers assess risk, estimate likely remediation costs and decide whether the valuation or deal structure needs to change.

Cybersecurity failings, such as undisclosed breaches or ransomware incidents, should also be treated as a commercial and legal risk, as they can expose buyers to regulatory reporting obligations and operational disruption. A company’s data can only be as secure as its systems, so this should be considered in commercial transactions and due diligence investigations.

Contractual protections: where risk is ultimately allocated

Even with strong due diligence, buyers rely on contractual protections to manage residual risk. The most important tools include:

  • Warranties on data protection compliance, data quality and lawful processing
  • Indemnities for known issues or high‑risk areas
  • Disclosure obligations covering data practices, breaches and international transfers

These provisions are now standard in data‑heavy transactions and are often heavily negotiated. Their importance is not to be overlooked.

Conclusion

As businesses rely more on data, the way in which that data is handled from a legal and commercial perspective is becoming a key part of commercial transactions. It can be a valuable asset, but only where it’s properly managed, lawful and actually usable. In practice, that often comes down to a few simple issues: where the data came from, what consents were obtained, and whether it can realistically be transferred or used by a buyer after completion.

Buyers who treat data with the same level of scrutiny as financial or operational issues are better placed to unlock its value while managing risk, particularly where the target’s business model depends on it. For sellers, getting ahead of the issues and having clear documentation in place can go a long way in improving deal certainty and value, and can also help avoid last‑minute delays when diligence starts to focus on the detail.
