Case Study
FTI Technology Delivers Data Privacy Programme for Public Agency in the Kingdom of Saudi Arabia

A public sector body in the Kingdom of Saudi Arabia needed to build and implement a data privacy programme to fulfil its regulatory remit. The organisation engaged FTI Technology’s Information Governance, Privacy & Security experts to develop the privacy framework by an impending deadline under the country’s Personal Data Protection Law (PDPL).
Situation
The organisation had a newly established data management team in place; the team’s remit included managing data privacy compliance. However, no data privacy measures or processes existed within the agency. With the PDPL compliance deadline rapidly approaching, the client required a significant level of support to achieve its project objectives on time.
In an initial assessment, a range of privacy risk areas were identified, including a siloed vendor risk management process that did not sufficiently address data privacy and security exposures and an insufficient breach management process. The client also did not have strong access models in place for its key systems and lacked a process to monitor third-party access to its systems.
Additionally, the organisation recognised the value of deploying a data privacy management tool to operationalise and streamline compliance. It requested FTI Technology’s help with selecting, implementing and configuring a tool that would effectively support data privacy needs.
Our Role
FTI Technology’s experts were quickly deployed on site to meet with business teams and understand the full picture of their existing data practices. This included a close assessment of how the organisation was processing personal data and how those activities mapped to or contrasted with current compliance requirements and other data risk areas.
Upon identifying the existing exposures and presenting them to the client, FTI Technology worked closely with the data management team to proceed with urgent remediation measures to close risks and gaps.
In addition to supporting the client in creating critical data privacy documentation, including a record of processing activity, policies, procedures and training materials, FTI Technology assisted the client in ensuring privacy by design and data minimisation were implemented in new core systems. A new data breach policy and plan were also developed and FTI Technology conducted a table-top exercise with the client to test its readiness to follow the new response plan in the event of an incident.
As the data management team was a new function within the organisation, introducing data privacy governance was crucial for the successful implementation of the new measures. FTI Technology supported the appointment of a data privacy officer and a data privacy champion network and developed a detailed reporting process to track and manage key performance indicators and key risk indicators to support ongoing measurement and improvement of the programme.
Our Impact
FTI Technology helped to transform the client from an organisation with little data privacy maturity to an organisation that was able to track the efficacy of its processes. The client was enabled to provide employees with a broad range of materials to support privacy compliance in day-to-day activities.
To further help reduce the compliance burden on employees, FTI Technology implemented and configured OneTrust for the organisation and deployed automated risk flagging to streamline the risk review process, reducing the burden on the internal team.