Rohan Massey Authors Checklist on Generative AI Issues when Conducting Data Protection M&A Due Diligence

In The News
July 9, 2026
Attorneys:

Data, privacy & cybersecurity partner Rohan Massey has authored a checklist for LexisNexis for buyers carrying out data protection due diligence as part of a share or asset acquisition of a business that processes personal data through its use, development, or supply of generative AI systems. GenAI systems typically depend on large volumes of data, including personal data, to train and develop their models, which can present substantial compliance challenges under the UK GDPR – particularly around lawful basis, purpose limitation, data minimisation, and AI-specific security risks.

The checklist sets out a structured approach to evaluating a target's UK GDPR compliance across the GenAI lifecycle, covering proprietary and third-party licensed AI systems, cross-border data transfers, contractual arrangements with AI providers, and breach and incident response. It focuses on UK data protection law, though practitioners should also be mindful of the EU AI Act, and is intended to be used alongside due diligence enquiries in other areas including general corporate, intellectual property, information technology, and HR.