Since the GDPR came into force in May 2018, data privacy compliance has become increasingly relevant during M&A transactions throughout the EU. A buyer may ultimately be responsible for the historical data protection law breaches of the target business and for picking-up the costs of dealing with any data security breaches that occurred pre-completion of the transaction, but are not detected until post-completion. Data protection non-compliance can affect both the vendor and the buyer involved in an M&A transaction, as critical breaches (such as those which affect the ability of the buyer to exploit valuable data) can have a substantial impact on the price of the target business. In this article our team, including Rosa Barcelo and Francesca Fellowes, examine why this is the case and highlight some of the key pitfalls to watch out for in Italy. Keep in mind these same issues are relevant throughout the EU.