How Private Equity Can Legally Share Data Across Portfolio Companies
Private equity firms sit on a strategic goldmine. Across their portfolio companies, they hold aggregated customer data, purchasing behaviour, preferences, demographics that, if shared intelligently, could power personalised cross-brand marketing, improve product targeting, and generate material commercial uplift. The problem is that data subjects gave their information to one brand, not to the entire portfolio. And UK GDPR has something to say about that.
The question is not whether cross-portfolio data sharing is possible. It is. The question is whether it is done lawfully and that turns on structure, governance, and a clear-eyed assessment of legal risk. Drawing on my experience advising on intra-group data sharing frameworks in M&A contexts, this article sets out a practical dual-track model for PE-backed groups looking to unlock the value of their data assets without regulatory exposure.
"The strategic question for any PE-backed group is whether privacy is a compliance cost or a competitive moat. The answer determines which track to take."
The Legal Problem in Plain Terms
Each portfolio company is, in data protection terms, an independent data controller. When Company A shares its customer data with Company B, even under the same PE ownership, that is a disclosure to a third party. It requires a lawful basis. It requires transparency to data subjects. And it must be consistent with the purpose for which the data was originally collected.
Most PE groups have not addressed this at acquisition. Privacy notices across portfolio companies are typically siloed and make no reference to group-level sharing. Legal bases are assumed rather than documented. Retention periods are inconsistent. And there is often no intra-group data sharing agreement in place at all. These are not merely technical gaps, they are ICO enforcement risks and, increasingly, deal risks in secondary transactions.
The starting point for any PE group is an honest compliance audit. The framework that follows assumes that audit has been done and the gaps have been identified.
The Dual-Track Model
There are two approaches to cross-portfolio data sharing, not competing alternatives, but sequential stages of maturity. The Minimalist Approach establishes the legal foundation. The Maximalist Approach builds the commercial architecture on top of it.
Minimalist: Foundation Compliance
Achieve the minimum required to lawfully enable any cross-portfolio data sharing. Baseline legal, organisational, and procedural safeguards.
Maximalist: Strategic Architecture
Build a mature, privacy-aligned ecosystem enabling personalised cross-portfolio marketing supported by advanced privacy-enhancing technologies.
Both tracks are intentionally sequential. Track One is the gateway. Track Two is the destination. Attempting Track Two without Track One in place is a compliance risk and an enforcement liability.
Track One: Building the Legal Foundation
A. CLIENT-FACING CHANGES
Update privacy notices across all portfolio companies. Each company's privacy notice must explicitly disclose that personal data may be shared with other companies in the group for marketing purposes. It must identify recipient entities (or clearly defined categories), and must clarify the nature and expected benefits of cross-portfolio marketing to data subjects. This is not optional, it is a baseline transparency obligation under Articles 13 and 14 UK GDPR.
Conduct a group-level Legitimate Interests Assessment (LIA). Where the group intends to rely on legitimate interests as the legal basis for sharing, a single LIA must assess the aggregated interests of each portfolio company intending to receive or use the data, balanced against the reasonable expectations of data subjects regarding cross-portfolio use. This LIA must be centrally logged and available to all controllers. Where legitimate interests is not appropriate, particularly for personalised or behavioural marketing , granular, brand-specific consent will be required. That is a Track Two exercise.
Standardise data collection descriptions. Each portfolio company should document, for each data category it collects: the specific marketing purposes for which it is used, and the extent to which data will be available to other group companies. This ensures transparency and prepares the technical groundwork for backend alignment.
B. BACKEND ORGANISATIONAL MEASURES
Implement a Portfolio-Level Data Sharing Agreement (DSA). This is the structural backbone of any lawful intra-group sharing arrangement. The DSA must document roles and responsibilities under the controller-controller model, details of data flows, required security measures, retention periods and deletion obligations, procedures for data subject rights, and incident management arrangements. Each portfolio company should adhere to it via a Deed of Adherence — binding the company to the DSA without requiring renegotiation every time a new entity joins the group.
Establish a baseline data minimisation framework. Before any sharing occurs, conduct a high-level assessment of what minimum dataset elements are strictly required to support the proposed marketing use cases. "Nice-to-have" fields should be prohibited from group sharing unless the use case is documented in a shared Records of Processing Activities (RoPA) register.
Introduce shared retention governance. Apply a common retention standard across the group for shared marketing data, with mandatory deletion or re-verification at agreed intervals. This directly addresses storage limitation risk — one of the most commonly overlooked GDPR obligations in PE structures.
Track Two: Building the Strategic Architecture
Once Track One is in place, the group has the legal permission to share data. Track Two addresses how to share it in a way that is commercially powerful, technically robust, and privacy-preserving by design.
A. LEGAL BASIS AND TRANSPARENCY AT SCALE
Develop a portfolio-wide legal basis framework covering direct marketing, cross-portfolio profiling, and personalised recommendations based on purchases from another brand. Re-evaluate legitimate interests versus consent for each activity, particularly those involving behavioural insights or product affinity modelling, where the intrusion on data subjects is higher and the ICO's scrutiny more acute.
Create a single standardised privacy notice model used across the group, with consistent structure, definitions, and terminology, but with modular sections allowing local brand customisation. This eliminates the risk of inconsistent disclosures while maintaining brand identity.
B. TECHNICAL ARCHITECTURE FOR PRIVACY-PRESERVING SHARING
The most sophisticated and legally defensible approach to cross-portfolio data sharing is to avoid pooling raw personal data entirely. Two mechanisms make this possible:
A Secure Data Common Room. A controlled environment enabling participating companies to access or contribute datasets under strict, policy-driven controls. It requires role-based access, strict query monitoring, audit trails, and enforced retention and deletion. Residual risks from centralisation remain, but can be significantly mitigated through appropriate guardrails.
Pseudonymised Token Exchange. Each controller retains its own pseudonymisation key. Companies contribute pseudonymised tokens to a shared matching environment. Aggregation logic is defined centrally and must align to approved marketing use cases. Critically, no controller ever receives raw identifiers from another controller. This model enables personalised cross-brand product recommendations while substantially reducing identity exposure risk.
Both mechanisms should be supported by the deployment of appropriate Privacy-Enhancing Technologies (PETs), assessed and implemented at the portfolio level.
C. GOVERNANCE STRUCTURE
Track Two requires a mature organisational governance layer. This means establishing a central privacy steering committee comprising the DPO, legal counsel, data leads, and marketing leadership from each company, responsible for approving new marketing use cases, overseeing RoPA updates, verifying LIA outputs, and monitoring compliance and risks across the group.
Unified cross-portfolio policies should cover marketing governance, data sharing standards, PET implementation protocols, and incident response procedures. A common annual training curriculum ensures cultural alignment, so that each portfolio company operates not as an isolated entity with conflicting standards, but as part of a coherent, privacy-first ecosystem.
The Strategic Choice Every PE Firm Must Make
THE BOTTOM LINE
Track One provides a compliant foundation. It enables lawful data sharing and protects against regulatory enforcement. It is the minimum viable position for any PE group engaged in, or contemplating, cross-portfolio marketing.
Track Two is a transformational programme. It enables personalised, privacy-preserving marketing at scale across brands; embeds privacy as a genuine competitive differentiator; and ensures long-term scalability and protection of a sensitive, high-value client base. Both tracks can be deployed sequentially, with Track One acting as the gateway to Track Two's commercial capabilities.
The strategic question every PE firm must answer honestly is this: do you treat data privacy as a compliance cost to be managed, or as a value-enhancing asset to be built? The answer determines how much of the commercial opportunity you are actually able to capture.
Practical Steps to Start Now
Audit your privacy notices across all portfolio companies. Identify whether any disclosure is made about group-level sharing. In most cases, none will be. That gap is your first enforcement risk.
Map data flows across the group. Establish what data is currently shared, on what basis, and under what contractual framework. Informal sharing without a DSA is unlawful.
Commission a group-level LIA before any marketing use case goes live. Document it. Log it centrally. Make it available to all controllers in the group.
Draft and implement a Portfolio-Level DSA with Deeds of Adherence. This is the structural backbone. Without it, there is no lawful basis for the sharing architecture.
Assess your marketing use cases honestly against the legitimate interests test. Where LI will not hold, particularly for personalised or behavioural marketing, plan for consent-based mechanisms in your Track Two roadmap.
Evaluate PETs and the Data Common Room model. If cross-brand personalisation is a material commercial objective, the pseudonymised token exchange model offers the most defensible architecture. Engage specialist technical counsel early.
Practitioner note: The views expressed in this article are the author’s own and reflect his personal analysis of the legal and strategic considerations involved in developing intra-group data sharing frameworks. This article is intended as an informational overview for legal, compliance, and commercial audiences and does not constitute legal advice. Readers should seek specialist privacy counsel for their specific circumstances.
