Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
“Due diligence” gets thrown around a lot in business – especially when people talk about buying a company, taking on a big supplier, or bringing in an investor. But what does due diligence actually mean in business, and how do you do it properly as a UK small business owner?
In short, due diligence is the research and checks you carry out before you commit to a deal. It’s how you confirm what you’re being told is accurate, uncover hidden risks, and decide fair terms – so you’re protected from day one.
In this guide, we explain the meaning of due diligence in business under UK law, when to use it, what to check, and how to run an efficient, fit‑for‑purpose process. We’ve also included practical steps and documents that will help you get it right.
What Does Due Diligence Mean In Business?
Due diligence in business means taking “reasonable steps” to verify the facts and risks before you agree to something significant. Think of it as a structured investigation covering legal, financial, operational and compliance issues.
It’s not about catching people out – it’s about making informed decisions. Done well, due diligence gives you leverage to negotiate price and terms, and helps you avoid liabilities you didn’t sign up for.
In the UK, “reasonable steps” depends on context. The more material the decision (e.g. acquiring a company), the deeper you go. For smaller engagements (e.g. onboarding a new supplier), your review can be lighter but still systematic and documented.
Common UK law angles due diligence will touch include:
- Corporate law (Companies Act 2006 – shares, director authority, filings)
- Privacy and data protection (UK GDPR and Data Protection Act 2018)
- Consumer law (Consumer Rights Act 2015, unfair terms, refunds)
- Employment law (right to work, contracts, policies, TUPE risk)
- Anti‑bribery and ethical sourcing (Bribery Act 2010, Modern Slavery Act 2015)
- Health and safety (Health and Safety at Work etc. Act 1974)
- Sector‑specific licences and local regulation (for example, alcohol, food, FCA, council permits)
When Should You Do Due Diligence?
As a small business, you don’t need a 100‑page report for every decision. But you should run proportionate checks whenever a deal could impact your finances, reputation, or compliance. Common scenarios include:
- Buying a business or assets (M&A or asset purchase)
- Bringing in an investor or selling shares
- Signing an exclusive supply or distribution agreement
- Outsourcing critical operations (e.g. fulfilment, IT, payroll)
- Onboarding a large customer with bespoke terms
- Licensing technology or IP critical to your product
- Entering a franchise agreement (as franchisor or franchisee)
Two practical principles:
- Start early – begin high‑level checks before you spend on deep analysis. If you spot deal‑breakers, you can step away quickly.
- Keep it proportionate – tailor the scope to the deal size, industry, and risk profile. Document what you checked and why.
A Practical Due Diligence Checklist (UK)
Use this checklist as a starting point, then add industry‑specific items (for example, food hygiene, FCA authorisation, building safety, or professional accreditation) where relevant.
1) Corporate And Ownership
- Corporate structure and group chart; Companies House filings and accounts
- Directors’ appointments and authority to bind the company
- Share capital, option schemes, and any charges or security interests
- Key governance documents (articles of association and any side letters)
- Shareholder arrangements (for example, a Shareholders Agreement)
2) Financial And Tax
- Audited or management accounts, profit and loss, cashflow forecasts
- Bank statements, debt facilities, and covenants
- Tax filings (VAT, Corporation Tax, PAYE), HMRC correspondence, arrears or investigations
- Warranties and indemnities requested or offered
3) Commercial Contracts
- Top customer and supplier agreements (pricing, termination, exclusivity, auto‑renewal)
- Any unusual liabilities (minimum spend, take‑or‑pay, liquidated damages)
- Assignment/novation restrictions if the business is being sold
- Standard terms used with customers, such as Terms of Sale or platform terms
4) Data Protection And Cyber
- Data flows, types of personal data, and lawful bases for processing
- Privacy notices and internal policies (for example, a public‑facing Privacy Policy)
- Processor/vendor contracts and a compliant Data Processing Agreement where required
- Security controls, breach logs, and DPIAs for higher‑risk processing
5) Employment And People
- Employee headcount and status (employee, worker, contractor)
- Template and signed agreements (for example, each Employment Contract), handbooks and policies
- Right‑to‑work checks, holiday pay, overtime and Working Time compliance
- Disputes, grievances, or outstanding tribunal claims
- Change‑of‑control and non‑compete restrictions for key staff
6) Intellectual Property
- Ownership of core IP (code, designs, content), assignments from contractors
- Trade mark, design, domain and patent registers and renewals
- Infringement risks – third‑party content, open‑source usage, licensing terms
- Brand strategy (including plans to register a trade mark in the UK)
7) Licences, Compliance And Risk
- Regulatory licences and permits (FCA, environmental, alcohol, health and safety)
- Consumer protection (Consumer Rights Act 2015 – refunds, repairs, transparency)
- Anti‑bribery policies (Bribery Act 2010) and modern slavery statements (if in scope)
- Insurance coverage (employers’ liability, public liability, cyber, professional indemnity)
8) Real Estate And Assets
- Leases, service charges, break rights and dilapidations
- Title to key assets, asset registers, warranties, and maintenance records
- IT and SaaS estates, critical dependencies and exit rights
What Counts As “Enough” Due Diligence?
There isn’t one perfect list. “Enough” is the level of inquiry a reasonable business would do in your shoes. A micro‑acquisition might need two weeks of focused checks; a strategic acquisition might justify a deeper, staged review and external advisors. If a deal is material to your business, it’s wise to scope professional legal due diligence support so nothing critical is missed.
Typical Red Flags To Watch
- Unfiled Companies House changes, missing registers, or undisclosed charges
- Key customer contracts that can be terminated on short notice after a sale
- Data protection non‑compliance (for example, no lawful basis or missing consents)
- Unclear IP ownership (especially contractor‑created code, content or designs)
- Employment status misclassification or unpaid holiday pay/liabilities
- Regulatory breaches or trading without required licences
- Large, unexplained adjustments in management accounts or tax arrears
Red flags don’t always kill a deal – but they should change your price, conditions (for example, warranties/indemnities), or your plan to remediate post‑completion.
How To Run Due Diligence Step‑By‑Step
You don’t need to be a large corporate to do this well. A simple, disciplined process will protect you and keep costs under control.
1) Define Scope And Priorities
- Agree the main risks you’re testing (for example, customer concentration, IP ownership, data compliance)
- Match the depth of review to deal size and timeline – a two‑phase approach often works (high‑level sweep, then deep dives where needed)
2) Put Confidentiality In Place
Before you exchange sensitive information, both sides should sign an NDA. This lets you speak openly and share documents while protecting trade secrets and personal data. Make sure it covers permitted use, non‑disclosure, security, and return or destruction of information.
3) Request A Data Room And Document List
- Provide a tailored request list covering the checklist above
- Ask for a clean, indexed data room so you can track what’s been provided and what’s outstanding
- Set a timetable and agree who answers queries
4) Review, Ask Clarifying Questions, And Sample
- Start with corporate, contracts and financials – issues there can have deal‑breaker implications
- Sample test where volume is high (e.g. review top 10 customers and top 10 suppliers by revenue)
- Raise targeted follow‑up questions; keep a running issues log
5) Assess Legal Compliance And Practical Risks
Map findings to legal duties and practical consequences. For example, if a company handles a lot of customer data without a compliant Privacy Policy or appropriate processor terms, you’re looking at UK GDPR risk and possible ICO complaints – factor that into price, conditions and a remediation plan.
6) Negotiate Protections
- Adjust the price to reflect liabilities or capital investment required post‑completion
- Build in protections (warranties, indemnities, holdbacks/escrow, earn‑outs)
- Add conditions precedent (for example, key customer consents, IP assignments, licence approvals)
7) Document, Decide, And Plan Integration
- Summarise findings in plain English with a “traffic‑light” risk view
- Decide go/no‑go – or renegotiate scope/price based on new information
- Draft a 90‑day plan to close gaps (policies, contract clean‑up, HR compliance)
Legal Documents That Support Due Diligence
Good documents make your due diligence faster and more reliable, both when you’re checking someone else and when investors or buyers review you.
- NDA: A well‑drafted NDA protects confidential information, defines permitted use, and sets consequences for misuse.
- Corporate governance: Clear articles and a robust Shareholders Agreement reduce disputes and clarify decision‑making, pre‑emption, and exits.
- Customer terms: Having up‑to‑date standard terms (for example, Terms of Sale or subscriptions) signals maturity and helps ensure Consumer Rights Act compliance.
- Privacy and data: A compliant public‑facing Privacy Policy and signed Data Processing Agreements with processors show UK GDPR readiness.
- Employment: Signed agreements for each employee (your standard Employment Contract) plus handbooks and policies reduce HR risk.
- IP and brand: Clear IP assignments and plans to register a trade mark reassure buyers and investors that the brand and assets are protected.
If you’re preparing your business for investment or exit, solidifying these documents in advance can significantly smooth the process and help you justify a stronger valuation.
Common Questions About Due Diligence (UK)
Is Due Diligence Legally Required?
There’s no single statute that says “you must do due diligence” before a deal. However, UK directors do have duties under the Companies Act 2006 to act with reasonable care, skill and diligence and to promote the success of the company. Ignoring obvious risks before a major decision can put those duties at risk.
How Long Should Due Diligence Take?
For a small acquisition or major supplier onboarding, 2–4 weeks is common. Larger or more regulated deals may require 6–8 weeks (or more) with staged information releases. The key is to set a realistic timetable and escalate early if documents aren’t forthcoming.
What If I Find Problems?
Problems are normal. The question is how material they are and how expensive they’ll be to fix. You have options: negotiate price, request warranties/indemnities, make specific issues a condition to completion, or walk away if the risk is unacceptable.
What’s The Difference Between Legal, Financial And Technical Due Diligence?
- Legal: Focuses on contracts, compliance, corporate structure, disputes and legal risks
- Financial: Focuses on accounts, revenue quality, cashflow, debt and tax
- Technical/Operational: Focuses on systems, product, processes, and the ability to deliver at scale
Most significant deals involve all three, with specialists collaborating and sharing findings.
How To Make Due Diligence Proportionate (Without Missing The Big Stuff)
It can feel overwhelming at first. The trick is to keep your process lean but effective.
- Use relevance tests. If a check won’t change your decision or price, deprioritise it.
- Start with the “value drivers”. Validate the few things that actually drive the deal (customers, IP, licences, key people).
- Sample intelligently. Don’t read 500 contracts – read the top revenue and high‑risk ones.
- Keep a live risk log. Score issues by impact and likelihood to guide negotiation.
- Bring in experts surgically. Use targeted help for complex areas (data protection, employment, regulated sectors).
Key Takeaways
- The meaning of due diligence in business: a structured, “reasonable steps” investigation to verify facts, uncover risks and shape a fair deal.
- Run proportionate checks whenever the decision is material – acquisitions, investors, key suppliers, big customers, or critical outsourcing.
- Cover the core UK areas: corporate records, contracts, finances and tax, data protection, employment, IP, licences, and property/assets.
- Put the basics in place: an NDA before sharing info; then use a tailored request list, an organised data room, and a clear timetable.
- Use findings to adjust price and terms – ask for warranties/indemnities, conditions precedent, or walk away if risk is too high.
- Strong internal legal documents (Privacy Policy, Employment Contract, Shareholders Agreement, trade mark registration, standard Terms) will speed up reviews when others carry out due diligence on you.
- If the deal is significant, it’s smart to get targeted legal due diligence support so you don’t miss hidden liabilities.
If you’d like help scoping or running due diligence, or you need documents drafted to support a deal, our team can help. You can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligation chat.