5 Privacy Questions Investors Ask (And How to Answer Them)
Preparing for investor due diligence can feel daunting, especially when privacy enters the conversation. Founders often assume investors expect airtight GDPR compliance, pristine documentation, and zero historical risk.
In reality, that’s not quite how it plays out.
To understand what investors actually ask about privacy - and what really matters - we sat down with three experts who see this process up close:
- Kayleigh Logan-Cleghorn, Lead DPO at Trust Keith
- Rory Gibson, CPTO and Due Diligence Advisor
- Helen Goldberg, Co-Founder and COO at LegalEdge
Across all three conversations, one message came through clearly:
Investors don’t expect perfection, but they do expect awareness, honesty, and sensible risk management.
Below are the five privacy questions that come up most often, what investors are really trying to understand when they ask them, and how to answer with confidence.
“Do you understand what data you process and where it goes?”
This question isn’t about having perfect documentation or exhaustive data maps. It’s about whether a business has a real understanding of its data footprint, particularly where risk sits.
Across the interviews, both Kayleigh and Rory were clear that investors are looking for awareness, not perfection, and that gaps are expected as companies grow.
From a privacy perspective, Kayleigh explained that this question usually centres on the basics.
“They want to understand what data you process, whether you’re acting as a controller or a processor, what your lawful basis is, and where that data is being transferred.”
— Kayleigh Logan-Cleghorn, Lead DPO at Trust Keith
She noted that international data transfers in particular tend to trigger follow-up questions.
“If data is leaving the UK or Europe, investors will want to know whether that’s been identified and how that’s being managed.”
— Kayleigh Logan-Cleghorn
A large part of this understanding comes down to data sharing and third parties. As businesses scale, tools, vendors, and integrations are often added quickly, and data can start moving in ways teams no longer have full visibility over.
Rory sees this repeatedly during technical due diligence.
“A lot of organisations don’t really know who their sub-processors are, or what’s happening to the data once it leaves them.”
— Rory Gibson, Fractional CPTO & Due Diligence Advisor
In his experience, this lack of visibility is more concerning than minor gaps in documentation.
“Not knowing where your data is and who has access to it, internally and externally — those are usually the big ones.”
— Rory Gibson
How to answer it well
When this question comes up, focus on clarity rather than completeness.
Try to understand the question behind the question. Investors are rarely asking for an exhaustive data map; they are usually focused on whether you understand your highest-risk data and where it goes.
Start with your highest-risk data. Be ready to explain what personal data you process, why you process it, and where it flows - especially where third parties or international transfers are involved.
The strongest answers tend to come from businesses that already do data mapping in a periodic, systematic way. That means having done the groundwork to map data across the organisation, not just within one team.
If that work hasn’t been done yet, show that you know how you’d approach it. A practical starting point is sitting down with functional leads (engineering, ops, finance) and asking what data they use, why they use it, where it comes from, how it’s shared, and whether it’s deleted - then pulling this into one central view.
If there are gaps, acknowledge them openly. Investors are generally comfortable with areas that are still being worked through, as long as it’s clear you understand where the risks sit and have a plan to keep this information updated over time.
“Have you had any data breaches, and how were they handled?”
This is usually one of the key privacy-related questions investors ask, but not because they expect a perfect track record.
Across all three interviews, the message was consistent: breaches themselves are rarely the issue. What matters is how a company responded, whether it learned from the incident, and whether there’s evidence of improvement.
From a legal due diligence perspective, Helen was clear that privacy issues, including breaches, almost never stop deals outright.
“It depends on the impact on the business and its reputation, but it’s something investors understand can happen, so they will want to see how it was handled and that processes etc have been put in place to prevent it from happening again.”
— Helen Goldberg, Co-Founder & COO, LegalEdge
Rory sees this play out regularly during technical and operational due diligence. In his experience, the presence of incidents is far less concerning than the absence of records.
“Most companies have got something. It’s more a question of whether they bother to log that they’ve got something. And if they’re not logging anything, then I start to worry.”
— Rory Gibson, Fractional CPTO & Due Diligence Advisor
“Usually what they want to know is: what breaches have you had, what’s your breach policy, and what lessons have you learned or what are you doing differently now?”
— Kayleigh Logan-Cleghorn, Lead DPO at Trust Keith
How to answer it well
When this question comes up, investors aren’t looking for a breach-free history; they’re looking for evidence of awareness, accountability, and learning.
They don’t expect an empty breach log. In fact, claiming you’ve never had a breach often raises more concern than reassurance, because it suggests incidents aren’t being identified or reported properly.
If you’ve had a breach or incident, the strongest answers are straightforward and specific. Be clear about what happened, how it was identified, who was involved, and what changed as a result.
What matters most is showing that you actively track incidents, document the lessons learned, and implement changes to reduce the likelihood of the same issue happening again.
Having a clear breach log is particularly important. It demonstrates that employees know when and how to report issues, that incidents are assessed consistently, and that learning is actually fed back into how the business operates.
“How do you respond to privacy incidents and issues?”
This is the question investors often ask once they’re comfortable that a business understands its data and has clear ownership in place.
Rather than focusing on past incidents, they’re trying to understand how the organisation responds under pressure, and whether there’s a clear, workable process when something unexpected happens.
From a privacy operations perspective, Kayleigh explained that this is where gaps tend to show up.
“It’s one thing having policies, but it’s another thing knowing what actually happens when there’s a potential issue.”
— Kayleigh Logan-Cleghorn, Lead DPO at Trust Keith
In her experience, it’s important that people across the business know how to raise concerns and what happens next.
“If someone spots something that doesn’t feel right, do they know who to go to? Do they know how to log it? Or does it just get ignored?”
— Kayleigh Logan-Cleghorn
Rory Gibson sees this question play out during technical and operational diligence, often through hypothetical scenarios.
“I’ll often ask people to walk me through what would happen if there was a serious issue tomorrow. Who finds out first, who makes the call, and how it gets escalated.”
— Rory Gibson, Fractional CPTO & Due Diligence Advisor
What concerns him most isn’t the absence of formal processes, but uncertainty.
“If people hesitate or give different answers, that’s usually a sign the process only exists on paper.”
— Rory Gibson
Together, these perspectives highlight what investors are really testing: not whether a business has planned for every outcome, but whether it can respond calmly, consistently, and decisively when something goes wrong.
How to answer it well
When this question comes up, investors are listening for a sensible, well-understood response, not a textbook answer.
Be ready to walk through, step by step, what would happen if a potential issue or incident were identified: who finds out first, who makes the call, and how it gets escalated.
These steps should all be documented in a clear, accessible incident response plan that applies to your business, is regularly updated, ideally tested, and available to your team.
“Who owns privacy internally?”
This question tends to surface very quickly during due diligence because investors are trying to understand whether privacy responsibility is clear, credible, and workable in practice.
Across the interviews, this was one area where Kayleigh consistently sees companies struggle. Not because they don’t care about privacy, but because ownership hasn’t always been clearly defined as the business has grown.
“You’d be surprised how many times that’s a stumbling point. People don’t actually know who is accountable for privacy internally.”
— Kayleigh Logan-Cleghorn, Lead DPO at Trust Keith
She explained that this lack of clarity can raise questions quickly, particularly when responsibility sits with someone who has competing priorities.
“A CEO acting as the responsible person for data protection is probably a red flag. A Head of IT doing it can be a red flag too, because they’re also making the purchasing decisions.”
— Kayleigh Logan-Cleghorn
In Kayleigh’s experience, investors aren’t looking for a specific job title or a fully built privacy team. What they want to see is that accountability exists, is understood across the business, and doesn’t sit uncomfortably alongside other roles.
“It’s about whether there’s someone who actually owns it, understands it, and can act independently when needed.”
— Kayleigh Logan-Cleghorn
How to answer it well
When this question comes up, the strongest answers are clear and consistent.
Be explicit about who owns privacy today, what their role is, and how they’re supported - whether that’s internally, externally, or both. Avoid vague answers or shared ownership that isn’t clearly defined.
It’s also important to explain how issues are escalated in practice. If someone spots a potential risk or incident, who do they go to? How is that decision recorded? And who has the authority to act?
If responsibility currently sits with someone wearing multiple hats, that’s common at scale-up stage. What matters is acknowledging it openly and showing that the setup is intentional, reviewed, and supported - rather than accidental or invisible.
“Are you compliant with relevant privacy laws?”
This question often comes up during legal due diligence, particularly during fundraising or exit, but it’s rarely asked with the expectation of a perfect answer.
From a legal perspective, Helen explained that investors are usually trying to understand where a company is on its compliance journey, rather than whether every requirement has been met.
“Legal due diligence questionnaires will ask for information about how you’re complying with relevant privacy legislation. But early stage companies aren’t expected to be 100% compliant, so it’s not necessarily an issue if you aren’t, because it’s something that can be improved over time with little impact to the business.”
— Helen Goldberg, Co-Founder & COO, LegalEdge
She contrasted this with other regulatory regimes, where non-compliance can be a real risk to the business.
“The ICO wants to encourage compliance, rather than put companies out of business. This is different to the way other regulators can behave. Although it definitely becomes more important the later stage you are, and also if you’re in a highly sensitive data business (e.g. medtech).”
— Helen Goldberg
How to answer it well
When this question comes up, the strongest answers are honest and proportionate.
Be clear about which privacy obligations apply to your business today, what you’ve already put in place, and what’s still on the roadmap. At early stages, investors are generally comfortable with gaps, as long as they’re recognised and there’s a plan to address them.
Where possible, being able to point to a recent audit or formal review is a strong way to answer this question. Ideally, that audit has been carried out by an external party, as it provides independent reassurance rather than self-assessment.
At Trust Keith, one way this is handled during due diligence is by using a clear scoring system that quantifies a company’s privacy health. This allows investors and other non-privacy experts to quickly understand the maturity of the business, without needing to interpret detailed legal documentation.
Above all, avoid overstating where you are. Investors want a realistic, evidence-based view of your privacy maturity - something they can quickly grasp - rather than claims of full compliance without context or proof.
How investors really weigh privacy in a deal
The extent to which investors scrutinise privacy is largely driven by risk - specifically, how much personal and sensitive data a business processes. The more data you handle, and the more sensitive it is, the more attention privacy will receive during due diligence.
For companies that process limited personal data, privacy questions tend to be lighter and more high level. For data-heavy businesses, however, scrutiny increases significantly, and investors expect teams to be prepared well in advance of any due diligence process.
From a legal and fundraising perspective, Helen Goldberg sees this play out consistently. Privacy is rarely treated as a standalone pass-or-fail issue during a deal, especially when compared to areas like IP ownership, cap tables, or commercial risk.
“Non-compliance with privacy legislation won’t generally stop (or even slow down) a deal in an early stage company that isn’t processing large amounts of sensitive / personal data. More often it’s something investors will say just needs improving over time, post-closing.”
“No start-up or early stage company can, or should, be expected to get everything right and comply with all legislation 100% from the outset, otherwise they’d likely have no money to do anything else. They need to prioritise what’s key early stage. So, what investors really want to see is the culture of good privacy, that you’re trying, and that you’re putting processes in place over time.”
— Helen Goldberg, Co-Founder & COO, LegalEdge
What matters more is how privacy issues are handled over time, and what that signals about the business.
Investors aren’t looking for a spotless history. They want to see that teams learn from mistakes, document what’s happened, and put the right policies and processes in place as the business grows. A strong privacy culture shows up in clear records, well-understood ways of working, and teams who know how to raise and handle issues early.
For founders, that means being proactive rather than reactive: building privacy into day-to-day operations, not just during due diligence. Get that right, and privacy becomes less of a hurdle and more of a signal that your business is ready to scale with confidence.
At Trust Keith, we help scaling businesses prepare for due diligence - putting the right privacy foundations in place early and keeping everything documented through an always-on privacy platform, backed by a dedicated privacy expert - so your team can always answer investor questions with confidence.