A modern guide to help you smash due diligence and win more business.

Successfully (and consistently) passing due diligence = one of your keys 🔑 to achieving break-out growth.

Winning deals with large enterprises, governments, or global conglomerates all require passing the due diligence hurdle. Not to mention the due diligence demanded at larger investment rounds.

In businesses that operate in highly regulated industries, like healthcare and finance, you'll be facing it from day 1. In other industries, like SMB SaaS, it will creep up on you slowly then all at once. You'll probably squeeze through some light due diligence on your charm alone, until your first 'serious' potential customer comes along (cue their compliance team) and you'll have to get your skates on and play catchup to get them across the line, keep them happy, and assure them going forward.

In any case, having to navigate due diligence is inevitable. Passing it successfully time and time again is, sadly, not inevitable. That's why we've put this guide together. 

Without further ado, let's get into the exciting world of due diligence and what you can do to win at it ✅.

What you'll learn.

Why winning due diligence matters.

This may seem pretty obvious. However, I wanted to share a few additional reasons which you may not have thought about...

• Competitive advantage: Your sales experience is typically one of the first touch-points a future customer has of you and your company. If you navigate due diligence well and leave them with a sense of 'they know what they're doing' then you can start off on the best foot. This is very rare which is why it's a great place to excel at and distinguish yourselves from your competitors.
• Build trust: When you're a young startup or scaleup with a limited track record there are plenty of reasons for your prospective partners to turn you down. Nailing the due diligence phase helps build trust quickly and can make up for many shortcomings your company might have - which can often be enough to win.
• Win deals quicker: Too often deals stall at the due diligence phase - which can be especially frustrating when you've just completed the hardest part of aligning in principle to work together. Removing this friction can dramatically increase your deal velocity and improve your bottom line.
• Unlock larger contract values (incl. Government): At some point in your business' life you may go upmarket and compete for larger and larger opportunities. You'll need to be great at smashing the due diligence phase and navigating the armies of compliance, legal, and finance teams to win here. 

What 3rd parties are looking for.

The overriding theme here is that they want you to have your s*** together. But what does that actually mean? 

They'll want to know:

• That it's a priority for you 🔥
  • At a senior leadership level and across the business.
  • You can demonstrate this by evidencing: your data protection rhythm internally, for example, that you have an audit schedule (ie. you run at least an annual data audit of the business); your accountability framework (ie. you have nominated individuals responsible for different elements of your data protection programme); and that you have recurring senior leadership discussions (e.g. that you operate a minuted Data Risk Committee every 6 weeks).

• You have the legal minimums in place (at least) ⚖️
  
  • A decent Privacy Notice; Records of Processing Activities; Data Retention Schedule; Data Protection Impact Assessments (DPIAs) and Legitimate Interest Assessments (LIAs) where appropriate; a Breach and Incident procedure; and a staff training programme.
  • Where appropriate you may need to share full or redacted DPIAs or LIAs as part of due diligence.
  • You will need to share your data protection policies that are built around these minimums to evidence this. For example, a Data Protection Policy and Data Retention Policy.

• You know how to handle a data breach or incident  🆘
  
  • This is data protection 101.
  • There are a number of ways of evidencing this, for example: data breaches is a subject on your staff training schedule; you have an Incident Response Policy and Personal Data Breach Notification Procedure; and you have a named individual who's responsible for managing breaches and incidents.

• You  know (and understand) what you have in place 📚
  
  • Many of the questions asked in a due diligence questionnaire are interlinked so it's important to be consistent with how you talk about the core parts of your business and internal practices. You can set yourself up for success by creating an internal wiki of answers to frequently asked due diligence questions so your team can all sing from the same hymn sheet.
  • Another way to demonstrate that you know and understand what you have in place is how you share your documents with any 3rd parties during due diligence. Adhering to access control best practice (e.g. sharing a time-limited view-only access to a segregated folder that only that party has access to), and sharing documents that clearly adhere to a document management process (ie. a consistent document naming and numbering methodology. For example: TK-1030 Data Retention Policy 1.1  Controlled. [Company Initials]-[Document Number] [Document Name] [Document Version] [Document Classification Type]).

With these basics in place you have at least some room to push back on some of the more onerous requirements. However, it's worth remembering that some contracts will require an independently verified certification, such as ISO 27001 or Cyber Essentials Plus (the UK Government requires Cyber Essentials for any contract with them). If you're unsure where to start with certifications check out Trust Keith's certification solution.

How to pass due diligence.

Our data protection experts have pulled together the top 10 frequently asked due diligence questions and created worked examples to each. You can use these as inspiration to answer them in your own due diligence process. 

The top 10 frequently asked questions:

1. Are you a Controller or Processor?
2. What personal data do you process?
3. What safeguards do you have in place to protect personal data?
4. What safeguards do you have in place for international transfers?
5. Why do you process this personal data, and how do you legally justify it?
6. Do you have a process in place for notifying us of any breach related to your data within 48 hours?
7. Do your members of staff have data protection and/or confidentiality clauses in their employment contracts?
8. Describe the controls that will protect your product's confidentiality, integrity, and availability?
9. Do you conduct Data Protection Impact Assessments for uses of personal data that are likely to result in a high risk to individuals' interests?
10. Do you conduct due diligence on your supply chain and ensure your data protection obligations are being passed down to your suppliers?

Download our worked answers to these questions to see what the best-in-class answers look like 👀.

If you're looking to understand how you'd do in a due diligence process, or what steps you need to take to smash due diligence, it's worth talking to one of our experts. Our experts can create the policies & procedures and provide the support you need to win due diligence. To find out more, you can book in a call now.