The Information Governance, Privacy & Security practice within FTI Consulting’s Technology segment was engaged to design, build, and run a global pharmaceutical and medical device company’s data privacy risk and compliance program.

The EU-based client regularly transfers data between its European parent entity and its U.S.-based division for businessrelated analysis and processing. The parent entity sought to implement Binding Corporate Rules (BCRs) to maintain compliance with the General Data Protection Regulation (GDPR) and permit the flow of data from European Economic Area (EEA) countries to non-EEA countries. These BCRs spurred new data privacy requirements for the U.S. group. FTI worked with the U.S. head of privacy to ensure compliance with the new BCRs, so that cross-border data transfer for business purposes, investigations and litigation could continue.

Situation

The client maintains operations across approximately 45 countries and is headquartered in one of Europe’s most stringent jurisdictions for data privacy regulatory enforcement. Its business requires international and intercontinental transmission of sensitive health and clinical data, which could only continue with the implementation of regulator reviewed and approved BCRs. The new rules required substantial time and attention to address, through a robust data privacy framework.

The client’s legal team engaged FTI Technology to conduct a GDPR readiness and maturity assessment, which ultimately identified the need to establish an all-inclusive privacy risk and compliance program for the organization’s U.S. entity.

Our Role

FTI Technology’s data privacy experts began designing a program to incorporate key elements of governance, compliance processes and supporting technologies. A charter was developed to stand up the program and define internal data privacy roles and responsibilities. Numerous standard operating procedures were implemented.

The team developed the client’s data map, privacy impact assessment process, vendor risk management process, incident response process, cookie consent capabilities and data subject rights process. FTI Technology also supported the U.S. legal team in developing a business case for new privacy enabling technology and led the implementation to support the foundational privacy compliance processes and effectively address the U.S. group’s global data privacy obligations. The parent organization performed a followup internal audit to confirm BCR readiness and found full compliance with the impending rules.

FTI Technology is continuing to support the client through the firm’s Privacy Managed Services offering. The team’s hands on experience with the client’s systems and business processes subject matter expertise in the client’s industry and familiarity with key stakeholders has resulted in a scaled, well-equipped and cost-effective privacy team operating at full capacity. The U.S. program is now serving as a model for the rest of the company, demonstrating how sound governance, straightforward process development and technology adoption can provide for efficient compliance with global privacy regulations.

Our Impact

FTI Technology’s privacy experts assessed the U.S.-based privacy gaps and implemented a robust program from the ground up, to bring the client into compliance with its parent company’s requirements and U.S. and international data privacy laws.

Through a strong working partnership, the team helped train and empower the client’s legal team to fulfill its new responsibilities, enable program maturity and drive important internal changes in the company’s procedures.

The potential operational impacts brought on by the GDPR and implementation of the BCRs were averted. The project has allowed for data to flow from the parent company to the U.S. entity with minimal compliance risk.