What US acquirers typically miss in UK IT assessments
The common assumption is that a UK business runs on broadly the same technology stack as a US one, so the IT due diligence process is largely transferable. In practice, there are several UK-specific items that US teams don't know to look for – and that don't surface unless someone asks the right questions.
GDPR compliance posture. The UK retained GDPR as domestic law after Brexit (known as UK GDPR, read alongside the Data Protection Act 2018). It operates separately from EU GDPR and is enforced by the Information Commissioner's Office (ICO) rather than by EU supervisory authorities. A US acquirer absorbing a UK business may find itself with dual obligations: UK GDPR for data subjects in the UK and, if the target has European customers or operations, EU GDPR as well. Neither should be assessed by a US legal team without UK data protection input.
UK connectivity infrastructure. The UK broadband and leased line market is structured around Openreach, BT's infrastructure arm, which owns most of the physical network. Lead times for new leased line installations are typically 60–90 days. Any post-acquisition site consolidation or WAN redesign needs to account for that – you can't provision UK connectivity on a US timeline.
Data residency expectations. Some UK customers, particularly in regulated sectors, expect their data to remain in UK or EU data centres. Migrating workloads to US infrastructure without a contractual and compliance review risks breaching customer agreements and UK GDPR transfer obligations.
Cyber Essentials certification. Many UK businesses, particularly those supplying central government or public sector organisations, hold Cyber Essentials or Cyber Essentials Plus certification. A certificate is issued to a named legal entity for a defined scope and is valid for 12 months. An asset purchase changes the certified entity, and a share purchase followed by merging the target's network into the acquirer's estate changes the assessed scope; in either case the existing certificate no longer covers the post-close organisation. If government contracts require live certification, the acquiring entity needs to certify promptly in its own name and for the new scope.
GDPR and UK data protection: the specific obligations for US acquirers
UK GDPR, retained EU law post-Brexit and enforced by the UK Information Commissioner's Office (ICO), applies to any organisation processing personal data in the context of a UK establishment, and to organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK. A US acquirer that absorbs a UK business into its US operations therefore doesn't step outside UK GDPR's reach. It becomes a data controller under UK GDPR for the UK business's data subjects and takes on the associated obligations.
The key issues to assess before close:
- Lawful basis for transfers from UK to US. Transferring UK personal data to the US requires a valid transfer mechanism. The UK–US data bridge (formally the UK Extension to the EU–US Data Privacy Framework) covers this, but only for US organisations that have self-certified under the Data Privacy Framework and opted in to the UK extension. If the acquirer isn't certified, transfers need to be covered by an alternative mechanism: the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, each accompanied by a transfer risk assessment, or approved Binding Corporate Rules for intra-group transfers. Check not just whether a mechanism exists on paper but whether the target actually executed it with each recipient.
- Data processing agreements. The target's contracts with UK suppliers and customers may include data processing clauses that reference a specific legal entity. These need to be reviewed to understand what survives the acquisition and what needs to be renegotiated.
- Data retention and deletion policies. UK GDPR requires personal data to be retained only as long as necessary. If the target hasn't maintained compliant retention schedules, the acquirer inherits that liability. ICO enforcement actions for retention failures are not uncommon.
- The data map. Before any system migration or consolidation, you need to know what personal data the target holds, where it lives and what the legal basis for processing is. Without that map, every integration decision involving data carries compliance risk.
A US acquirer that merges UK customer or employee data into US systems without addressing transfer mechanisms and processing agreements is creating an ICO enforcement risk on day one of ownership.
UK connectivity infrastructure: what to assess and why it matters
The UK telecoms market looks similar to the US from the outside but operates very differently. Openreach owns most of the physical infrastructure: the ducts, fibres and cabinets that connect premises to the network. Most business ISPs resell Openreach access circuits; alternative networks (Virgin Media Business, CityFibre and others) exist but their coverage is uneven, so at many sites Openreach is the only option. That structural dependency has direct implications for lead times and fault resolution, since the ISP you contract with is often not the party that installs or repairs the circuit.
Key items to include in the connectivity assessment:
- Current connectivity grades and actual usage. Is the business on appropriate-grade connectivity for its workload? Broadband-grade circuits in a business running cloud-hosted applications or VoIP at scale are a common finding – and a remediation cost that needs to factor into post-acquisition planning.
- Leased line lead times. New leased line installations through Openreach typically take 60–90 days. If post-acquisition plans involve moving offices, consolidating sites or establishing new WAN connections, that timeline needs to be built into the integration plan from day one – not discovered when the move date is already set.
- Contract terms and notice periods. UK ISP contracts frequently run 12–36 months with substantial early termination charges. Assess when contracts expire, what the exit provisions are and whether any circuits will become redundant under the integration plan.
- MPLS and private WAN connections. If the target operates multi-site and uses MPLS or private WAN circuits to connect locations, understand the contract structure before assuming those can be easily changed or terminated. These are often long-term agreements with specific termination windows.
Connectivity planning is one of the areas where US acquirers most consistently underestimate timelines. The assumption that circuits can be provisioned, rerouted or cancelled on short notice reflects the US market, not the UK one.
UK-specific compliance and certifications
Cyber Essentials. Cyber Essentials is a UK government-backed certification scheme covering five basic technical controls: firewalls, secure configuration, user access control, malware protection and patch management (now termed security update management in the scheme). Cyber Essentials is a self-assessment verified by a certification body; Cyber Essentials Plus adds an independent technical audit of the in-scope systems. Many UK businesses, particularly SMEs supplying government, NHS or local authority contracts, hold the certification because their customers require it. A certificate is issued to a named legal entity for a defined scope and is valid for 12 months. If the acquisition changes that entity (an asset purchase) or merges the assessed network into the acquirer's estate, the certificate no longer covers the post-close organisation; the acquiring entity needs to certify in its own name and for the new scope, and that process takes time. Any contracts that require live certification create a compliance gap during this period, so confirm the certificate's expiry date and scope during diligence and plan the recertification before close rather than after.
FCA-regulated activities. If the target is authorised by the Financial Conduct Authority, the IT systems supporting its regulated activities are subject to FCA operational resilience requirements – including obligations around important business services, impact tolerances and recovery capabilities. These don't disappear at acquisition; they follow the regulated activity. Any post-acquisition IT changes affecting systems that support regulated functions need to be assessed for FCA notification and compliance implications.
Employee data under UK GDPR. UK employment law and UK GDPR together create specific obligations around employee personal data: payroll records, performance data, HR files, absence records and any special category data such as health or trade union membership. Migrating these to US HR or payroll systems requires both a valid transfer mechanism and a lawful basis that survives the move. The ICO's position is that consent is rarely a valid basis for employee data because of the imbalance of power in the employment relationship, so legitimate interests or contractual necessity is normally relied on, and special category data needs an additional condition under the Data Protection Act 2018. UK employees also have Subject Access Request rights, with a statutory response deadline of one calendar month (extendable by a further two months for complex requests), that the new owner must be able to fulfil from day one, including from any system the data was migrated into.
Legacy infrastructure and technical debt in UK SMEs
UK SMEs frequently carry more on-premises infrastructure than comparable US businesses. This reflects both slower cloud adoption and longer contract cycles: UK businesses tend to run hardware and software to end of life rather than upgrading on a scheduled cycle, which often means unsupported operating systems and applications still in production. What this means in practice:
- Server rooms in leased premises. On-premise servers are common in UK SMEs. Key questions: is the hardware owned outright or subject to a finance agreement? What happens to it at lease expiry? Is the hardware documented, maintained and within warranty, or has it been running unmanaged for years?
- UK-specific line-of-business applications. Some UK business software has no direct US equivalent. Sage 50 (accounting), Sage Payroll and similar products are deeply embedded in UK SME finance functions and handle UK-specific requirements – VAT returns via Making Tax Digital, PAYE and National Insurance calculations. Migrating to US equivalents isn't straightforward and requires UK-specific configuration or replacement with UK-capable software.
- Legacy applications with local support only. Bespoke or legacy systems with support contracted to a small UK-based developer or consultant carry concentration risk. If that person or firm isn't available post-acquisition, there may be no viable support path.
- IT support contracts. Managed service agreements don't automatically transfer on acquisition. Many contain change-of-control provisions that give the MSP the right to reprice or terminate. Assess what IT support the target relies on, whether those contracts are transferable and what the exit provisions look like.
Building the IT due diligence workstream
For a US acquirer buying a UK target, the IT due diligence workstream needs to be designed for UK conditions – not adapted from a US framework at the last minute. UK infrastructure, compliance and vendor relationships require local knowledge that most US IT teams and advisers won't have.
Engage UK-based IT due diligence support alongside your financial and legal advisers. The assessment should cover:
- IT asset inventory – hardware, software licences, SaaS subscriptions, support contracts and their renewal dates
- Data map – what personal data is held, where it's stored, the legal basis for processing and any existing transfer mechanisms
- Connectivity contracts – circuit grades, contract terms, notice periods, lead times for changes
- Compliance certifications – Cyber Essentials status, FCA obligations, any sector-specific certifications
- IT support arrangements – in-house, outsourced MSP or a mix; transferability of contracts; key-person dependencies
- Integration risk register – a structured assessment of what breaks, lapses or creates liability at transaction close
The output should give you three things: a clear picture of Day 1 continuity risks (what needs to be addressed at or immediately after close), a 90-day integration priority list and a realistic view of the 12-month IT roadmap implications. That's the difference between an integration that proceeds to plan and one that consumes management time and budget well beyond what the deal model assumed.
Route B provides IT due diligence for cross-border acquisitions – assessing UK technology infrastructure, compliance posture and integration risk for US acquirers.