When Europe’s General Data Protection Regulation (GDPR) was enacted, many U.S. corporations were suddenly facing data protection requirements far more stringent than any preceding privacy rules.

This was the case for a Houston-based drilling company, which had a significant international footprint, including in Europe, but limited visibility into how its practices were impacted by the new regulation. With an active GDPR compliance program in development, the company engaged FTI Consulting’s Information Governance, Privacy & Security (IGP&S) practice to conduct a readiness assessment and provide a roadmap of additional steps needed to bring the company into full compliance.

Our Role

In partnership with the client’s legal and compliance teams, FTI’s data privacy and information governance experts set out to understand the company’s U.S. and European systems and assess business activities against GDPR requirements. The team interviewed key international and domestic stakeholders and identified the full scope of systems that contained personal information. They also identified the types of data subjects for which the organization was storing information (including customers, investors, job applicants and employees), where that information was retained and how to access it in the event of a data subject access request (DSAR).

With these insights, the team was able to understand the full extent of the client’s privacy footprint and liabilities and develop a data map to guide remediation efforts. FTI also reviewed the client’s existing notice, consent, data sharing and engagement practices and evaluated the breach and incident response capabilities at the client’s data centers.

FTI then developed a detailed action plan for the client to move forward with updating its compliance program. More than 10 action items, based on GDPR standards and best practices, were outlined, providing a three-year remediation roadmap. Highlights of the plan included:

  • Establishment of a data privacy steering committee
  • Development of privacy policy and notice documents
  • Refresh of data retention and security processes
  • Remediation of data
  • Launch of formal training programs