Designed to enhance regulator-readiness and reduce risk while preserving the value of enterprise data.
Reliance on personal data is growing, and companies continue to innovate against a backdrop of enhanced privacy regulation, changing consumer privacy expectations, and shareholder demands for profitability. As a result, today’s organizations face a profoundly complicated regulatory, reputational, and operational data privacy risk environment. FTI Consulting’s Information Governance, Privacy and Security team delivers practical business solutions that not only help organizations reduce the risk associated with privacy compliance obligations, but also realize value from their personal data.
Corporate data privacy priorities
Comprehensive and Integrated Services
How We Think About Privacy
Privacy is not only a regulatory compliance issue, but also a strategic business issue.
FTI believes that while policies, standards, and discrete guidance documents are extremely important, privacy risk and compliance must be action-oriented and fully integrated throughout an organization’s business functions and processes.
With this in mind, we have developed a program framework intended to provide regulatory, reputational and operational risk coverage to clients of all sizes and complexity. The framework serves as a starting point to discuss risk tolerance, program scope, specific program work activities, and high-risk areas requiring extra attention and stakeholder involvement.
We believe that policies, standards, and guidance documents are important, but true data privacy risk management is action-based.
Undefined risk and control ownership, open-ended corporate risk tolerance, and lack of mission are common root causes for lagging data privacy risk management maturity. FTI’s Data Privacy solutions drive clarity, structure, and a position of "regulator-readiness" through an approach that is:
Why FTI for privacy?
Prioritization of Data Value
We work to understand client products and services and develop a strategy that reduces risk around personal data and improves that data’s value by making it more transparent, which enables clients to make more effective business decisions.
Extensive Privacy Regulatory Experience
Our global team is adept at designing and building solutions to regulatory requirements across markets (North America, EMEA, APAC). We have field experience building solutions around diverse privacy regulations including GDPR, ePrivacy, EU member state regulations, the California Consumer Privacy Act of 2018 (CCPA), HIPAA, HITECH, GLBA, 23 NYCRR 500, PIPEDA and more.
Strong Technical Expertise
We have wide-ranging experience with diverse data environments, including off-the-shelf and in-house enterprise platforms and applications.
Effective Program Execution
Our team translates high-level requirements into executable project plans and uses an array of workflows to fit the specific parameters of the project, from proven, out-of-the-box methods to custom processes designed specifically for the organization’s business model.
Truly Cross-Functional Service
We leverage a wide range of global subject matter expertise across FTI Consulting to enhance our Data Privacy service for several specific verticals (technology, financial services, life science, healthcare and others), regions and use cases.
The California Consumer Privacy Act
California’s new data privacy law, The California Consumer Privacy Act of 2018 (CCPA), is ushering in a new era of consumer privacy protections in the U.S. The law took effect on the first of January and, although enforcement will not begin until July, California’s Attorney General has announced that immediate compliance is expected.
The law applies to companies that do business in California and meet one or more of the following criteria: 1) annual gross revenues exceeding $25 million; 2) buying, receiving, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices; 3) deriving 50 percent or more of annual revenues from selling consumers’ personal information.
To ensure regulatory compliance, there are a handful of steps organizations can take to help reduce operational and reputational risk associated with the regulation, including data mapping, updating privacy notices, identifying and documenting personal data "sales" and having a process for responding to data rights requests.
FTI Consulting provides a wide range of CCPA services that assist with these steps. From short, project-based engagements to ongoing managed services, FTI Consulting’s CCPA services are tailored to each organization’s requirements and include:
- CCPA "regulation compliance" assessments
- CCPA program and process implementation
- Privacy risk strategy development and executive advisory support
- Consent and opt-out preference management strategies
- Holistic privacy program maturity benchmarking
- Privacy enabling technology development
- California consumer data identification and mapping
- CCPA training and awareness
- Long-term privacy support and managed service
- CCPA incentive program implementation
- Deterministic and probabilistic ID mapping formation
Data Privacy Managed Services
FTI Consulting offers data privacy managed services to provide day-to-day operational and subject matter support for organizations with a range of needs, from designing and running a full data privacy program, to acting as the organization’s back-office privacy staff, to providing strategic cover for certain tasks or at specific times.
Managed Services Offered
The FTI team offers expertise in executing the following responsibilities as part of day-to-day privacy program management or as specific on-call response services:
- Data subject requests response and tracking;
- Data protection impact assessment reviews and escalation;
- Metrics compilation and reporting;
- Breach logging, investigation, and notification support;
- Records inventorying;
- Training and internal communications development;
- Requirements tracking and documentation support;
- Privacy crisis event handling;
- Strategic communications for privacy crisis events.
The General Data Protection Regulation (GDPR) requires many organizations to appoint a Data Protection Officer (DPO) with expert knowledge of data protection law and practices to oversee data privacy risk and compliance. While the requirement is relatively straightforward, its elements can make the DPO role difficult for companies to fill successfully.
Office of the DPO Services
With FTI’s Office of the DPO offering, the FTI team effectively acts as the back-office privacy program for organizations that have an internal DPO but need additional cover for certain tasks or at specific times. At the direction of the internal DPO, the team provides day-to-day back-office operational and subject matter support, along with risk management coordination and oversight activities, while adding an overlay of in-depth risk and compliance oversight to the organization as a whole.
The Information Governance team at Blue Cross Blue Shield North Carolina (BCBSNC) sought to provide greater visibility into corporate data stored on its various networks, as well as on the numerous SharePoint websites within its environment.