Topics
Data Privacy Resources
Blog Post
Q&A: Jack Fletcher Discusses Looming Data Privacy Deadlines in Saudi Arabia
The Saudi Data and Artificial Intelligence Authority (SDAIA) is expected to start full enforcement of the country’s Personal Data Protection Law (PDPL) in September 2024. In this Q&A, Jack Fletcher, an FTI Technology privacy expert in the Middle East region, shares his perspectives on the current state of readiness among most organisations in the Kingdom of Saudi Arabia.
Video
In 2024, legal departments are navigating a landscape marked by heightened attention to data-driven regulations, privacy obligations, disruptive technologies such as AI, and rapid technological progress. Additionally, the proliferation of emerging data sources further complicates resource allocation and priority setting for these departments. For the fifth consecutive year, FTI Technology and Relativity partnered to commission Ari Kaplan Advisors to survey global corporate chief legal officers. These efforts resulted in The General Counsel Report 2024. This focus on only chief legal officers gives the report a unique perspective.
Blog Post
Our team recently shared insights on the impending changes to Canadian privacy law. While the changes remain in committee within Canadian Parliament, they continue to be important developments for organizations to watch and prepare for the implications of their passage.
Blog Post
The Disarray of U.S. Data Privacy and Protection Laws: History Repeats
The broad variation in state privacy and data regulations is leading to more challenges for privacy and data protection professionals; obligations are growing and it is going to become more costly for businesses that are engaged in interstate or global commerce to maintain compliance.
Video
Organizations today face a profoundly complex regulatory, reputational, and operational data privacy risk environment. Businesses are now expected to innovate against an ever-shifting backdrop of evolving privacy regulations and consumer privacy expectations, just as the volume and types of business data continues to grow at breakneck speed.
Case Study
A global corporation headquartered in Europe experienced a data incident with potential exposure of sensitive and personal information. With multiple global regulators on alert for privacy breaches, FTI Technology helped the client assess large volumes of data to quickly understand the extent of the data exposure and support the notification process.
Video
Adapting to New Data Privacy Laws
In honor of Data Privacy Day, Gino Bello shares how FTI Consulting is supporting clients to adapt to new data privacy laws and navigate challenges related to the transfer and management of diverse types of data in forensic collection.
Blog Post
Rising to the Challenge: Mastering Data Breach Response Amid Ransomware
Corporate ransomware threats have increased in frequency and severity in recent years. Accordingly, ransomware attacks are changing too. To place these developments in context, and to offer recommendations to organisations facing operational and technical challenges in responding to data breaches, FTI Consulting’s Sonia Cheng and David Dunn participated in a panel discussion as part of the International Association of Privacy Professionals (IAPP) Data Protection Congress 2023.
Blog Post
ISO 31700: A New Standard for Operationalising Privacy by Design
When the International Standards Organisation (ISO) published the new standard ISO 31700 earlier this year, it established a clearer set of practical guidelines for effective Privacy by Design (PbD) programmes. PbD, a hallmark of data privacy best practice, is an approach built upon seven guiding principles that aim to employ a privacy-first attitude, whereby privacy is seamlessly integrated into products, services and system designs by default. While the previous PbD principles provided a foundation, they lacked clear rules, methodologies and use-case examples for how to apply PbD in practice, leaving many organisations uncertain about how to employ an effective approach. ISO 31700 is intended to remedy that.
Blog Post
What the PCPD’s Data Breach Guidance Means for Impacted Organizations
Due to the frequency, sophistication, and severity of cyber attacks, coupled with data privacy concerns, proper cybersecurity protections and programs, including a data breach response plan, are critical to mitigate cyber and privacy risks and maintain business operations.
Blog Post
Canadian Parliament is expected to be nearing the passage of the Digital Charter Implementation Act (Bill C-27) and the Critical Cyber Systems Protection Act (Bill C-26), laws that would simultaneously strengthen data privacy and data protection requirements in Canada and replace or amend other existing regulations, including the Personal Information Protection and Electronic Documents Act (PIPEDA).
Blog Post
Data Privacy for Financial Services Organisations in Saudi Arabia: The Countdown to Compliance
In July 2023, Implementing Regulations to support the Kingdom of Saudi Arabia’s Personal Data Protection Regulation (PDPL) were released and subject to a one-month consultation period. The Implementing Regulations supplement recent amendments to the PDPL, which were approved in March 2023, and together these signal close alignment with the European Union’s General Data Protection Regulation (GDPR). Key principles to that end include similar adequacy and data transfer mechanisms, breach notification timelines and the introduction of a legitimate interest basis for processing personal data.
Blog Post
Breaking Down Washington State’s My Health, My Data Act
The panorama of data privacy regulation in the U.S. has changed yet again, adding further complexity to the development and maintenance of compliant data policies and practices. Just this spring, Washington state enacted a rigorous, consent-driven law protecting personal health information. The My Health My Data Act (MHMDA) aims to prevent regulated entities from sharing protected health information without proper consumer permission or an established necessity.
Blog Post
Navigating the Impact of the EU-U.S. Data Privacy Framework
The long-awaited EU-U.S. Data Privacy Framework, a replacement for the former Privacy Shield agreement, has arrived. With it, organizations expect a more accessible and straightforward legal basis for conducting trans-Atlantic data flows. While this is a step in the direction toward streamlining sharing of data across borders, the reality of the framework’s requirements will continue to hold a high standard for data protections among organizations in Europe and the U.S (note, extensions for U.K. and Switzerland are pending).
Blog Post
Examining ESG Risk Part 3: Taking Action Through Data and Technology
In this series on the role of data in Environmental Social and Governance and its intersection with compliance, Al Park, Senior Managing Director and Risk & Compliance practice leader for FTI Technology, has engaged in discussion with domain experts across FTI Consulting. The series has covered some of the risks that arise when organizations overlook data in their ESG strategies and the fundamentals of measuring, managing, monitoring, improving and reporting ESG activities. In this final installment, Al joins colleagues Jake Frazier, Drew Sheehan and Steve McNew to take a closer look at some of the specific ways they are helping clients leverage data to reach their ESG objectives and requirements.
Video
What AI Can Learn from Privacy: Recommendations for AI Governance
FTI Consulting Senior Managing Director, Nina Bryant, joined IAPP Principal Researcher, Katharina Koerner, CIPP/US to discuss findings from the IAPP report on responsible AI and privacy. This webcast covers:
Blog Post
Redefining Data Protection in the UK
Less than three months following the European Commission’s Adequacy Decision concerning the protection of personal data by the UK under the EU General Data Protection Regulation (“GDPR”), the UK launched a proposal for significant reform of the national data protection regime. Following a period of regulatory uncertainty, businesses are seeing important steps towards clarity in the form of the draft Data Protection and Digital Information Bill. The bill aims to “boost British business, protect consumers and seize the benefits of Brexit” through several changes to the current regime.
Blog Post
A New Era of Risk Part 2: Data Privacy Across the Enterprise
This blog series discusses research and trends across the spectrum of Digital Insights & Risk Management. Part 1 in the series, by Sophie Ross, defined the concept of digital risk and shared a state of the industry across the big picture of this problem space. This post discusses the findings relating to data privacy, and how data privacy has become a central risk focus across nearly every organization.
Case Study
FTI Technology Enables Privacy Transformation for Fortune 50 Drug & Food Retailer
National supermarket retailer engages FTI Technology’s Information Governance, Privacy & Security (IGP&S) practice for comprehensive privacy program transformation, technology implementation and enhanced automation.
Video
Findings From the Report on Responsible AI and Privacy Governance
FTI Consulting Senior Managing Director, Jake Frazier, joined IAPP Principal Researcher, Katharina Koerner, CIPP/US to discuss findings from the IAPP report on responsible AI and privacy. This webcast covers:
Blog Post
A Guide to Productive Data Spring Cleaning
Like it or not, spring cleaning season has arrived. Whether you’re the type to declutter your closets like Marie Kondo or are more likely to tidy a few shelves and call it a day, it’s important to remember that your organisation’s data is also likely due for a thorough clearing out.
Blog Post
Critical Data Breach Preparedness to Implement Now
A data breach can happen to any company. Statistically, it will most likely happen at some point. Businesses are increasingly digitised, and more and more devices are recording, processing and storing data. Knowing the different attack windows and vectors is important, so that proper protections can be implemented. Equally important is that organisations know what to do when a data breach occurs.
Blog Post
Data Subject Requests and the GDPR: Steps to Prepare
Citizens in the E.U. have the right to request information about the storage of their personal data (GDPR Article 15). Many make good use of it. Similarly, in the U.K., citizens can pursue a Data Subject Access Request (DSAR) under the U.K. Data Protection Act. These requests for information by data subjects, whether individuals, customers, suppliers or authorities, can cause companies great distress — unless they are prepared to respond to them fully, on time and in a manner that builds trust with customers, employees and partners.
White Paper
2023 Privacy and AI Governance Report
This report explores the state of AI governance in organizations and its overlap with privacy management. We focused on companies’ change processes when striving to use AI according to responsible AI principles such as privacy, accountability, robustness, security, explainability, fairness and human oversight. This study aims to report on different approaches to governing AI in general and to explore how these nascent governance efforts intersect with existing privacy governance approaches
White Paper
Translating the increasing alignment and divergence in global data protection regulation.
Blog Post
Legal Transformation Playbook: Reducing Risk Through Operational Change
With government oversight and enforcement ramping worldwide, multi-national organisations are under extreme pressure to manage regulatory and legal exposure. In FTI Consulting’s Resilience Barometer, only 16% of business leaders at large organisations across the G20 said they do not expect their organisations to experience an investigation. At the same time, the visibility and use of non-traditional, or emerging, data sources is continuing to skyrocket, driving tremendous growth in the volume and variety of data — and subsequent risk — within organisations.
Blog Post
Australia is Getting Serious About Penalties for Privacy Enforcement – Boardrooms, Take Notice
In the wake of a flurry of high profile data breaches in the local telecoms and healthcare sectors, the Australian Government announced on 22 October 2022 that it was moving quickly to increase financial penalties under the Privacy Act 1988 (Cth). Attorney General, the Hon. Mark Dreyfus MP, tabled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) on 26 October 2022
Blog Post
The U.S. legislature made a landmark move in July when the American Data Privacy Protection Act (ADPPA) advanced to the House floor, marking a significant step toward establishing the U.S.’s first federal data privacy law. This is the furthest a comprehensive federal data privacy act has progressed in the legislative pipeline, and if passed, it will join and overlap with a labyrinth of sector-specific and regional privacy laws already in place in the U.S.
Blog Post
Wajdi Kharrat, a Managing Director within FTI Technology’s Information Governance, Privacy & Security practice in France is an expert in global data privacy challenges and the ever-changing landscape of regulatory requirements. One of the key trends he’s continuing to watch is the arena of cross-border data transfers, including which laws are changing the legality of transferring data between jurisdictions, legal bases for conducting transfers and best practices for protecting data in transit. Wajdi recently sat down with Pierre Faller, Data Protection Officer at Dior, to discuss these issues in depth.
Blog Post
A Guide to Data Breach Reporting Obligations
All too often, data breaches are a result of preventable, internal errors. These mistakes and the reputational damage that follow them are increasingly keeping business leaders up at night. What is often most concerning is that it’s not only the financial damage that can cause catastrophe. When the personal data of thousands of customers and partners are affected by a data breach, organisations can also face significant legal ramifications in the form of litigation and GDPR violations. This article will discuss the key considerations and steps that should be taken to reduce fallout and ensure reporting obligations are met in the event of a data breach.
Video
Creating Resilient Data Privacy Programmes in the Middle East
FTI Consulting's Ben Crew and Shahin Shamsabadi joined Thomson Reuters – Practical Law to discuss the creation of resilient data privacy programmes in the Middle East.
Blog Post
A Coast-to-Coast Tour of U.S. State Privacy Legislation
Five U.S. states have enacted stringent data privacy and protection laws, with many more bills, including a possible federal law, pending in legislature.
Video
Emerging Fairness and Transparency Considerations in Artificial Intelligence
In this webinar Jon Asprey, (Managing Director at FTI Consulting), Thomas Hammp, (Senior Technical Staff Member – AI Governance at IBM) and Oscar Hayward (Associate at Latham & Watkins), explore what organisations could and should be doing to prepare for increased AI adoption.
Case Study
Assess & Advise: Pre-Acquisition Cryptocurrency Assessment
FTI Technology’s cryptocurrency experts provide in-depth audit of digital assets, business model and infrastructure in support of due diligence activities.
Blog Post
Privacy and Innovation: Reflections on Recent Data Privacy Events
Members of FTI Technology’s EMEA data privacy team have recently participated in several recent industry events, including IAPP Data Protection Intensive: UK 2022 in London. This article reflects on key trends our teams are following.
Blog Post
Five Surprising Findings from Legal Insiders in Ireland
Last month, FTI Consulting’s cybersecurity team, data privacy and communications experts hosted a roundtable dinner of lawyers and senior leaders from across numerous industries in Ireland. The event served as a forum to discuss the most pressing challenges relating to data breaches and cyber attacks with the stakeholders who grapple with these risks every day.
Blog Post
Pandemic Lessons Learned in Remote Forensic Analysis
Prolonged pandemic restrictions significantly changed the landscape for investigations, as the once typical travel to client sites to perform on-site forensic data acquisition was either severely limited or not an option at all. Data collection methodologies suddenly shifted from traditional disk-to-disk copy to remote methods, requiring digital forensics experts to establish methodologies that would enable remote collections in a defensible manner, presentable to a court, regulator or senior stakeholders.
Blog Post
Establishing Compliance Under South Africa’s Data Protection Regulation
The Protection of Personal Information Act (POPIA) took effect in South Africa in July 2021, following a lengthy revision process and a one-year grace period for organisations to become compliant. POPIA brings South Africa’s data landscape into alignment with a growing number of jurisdictions that have adopted stringent data protection regulations resembling Europe’s General Data Protection Regulation (GDPR).
Blog Post
Discussing the Essential Ingredients for Privacy by Design
Applying the principles of privacy by design can yield sizable benefits to any organisation harnessing automation and analytics in the processing of personal data. With the increased use of AI systems and automated decisions, this is only becoming more relevant. These benefits apply to both customer (or market) facing products and initiatives and internal, employee and operational efficiency programmes.
Blog Post
Cards on the Table: Privacy and Information Governance Trends for Australia and Beyond
2021 was a particularly tumultuous year for privacy compliance and information governance, with a rapidly evolving global regulatory environment, governments and corporations continuing to grapple with the persistent challenges of the COVID-19 pandemic and the subsequent acceleration of new technologies.
Blog Post
2022 Forecast: FTI Technology Predictions from EMEA, Part 2
Every year, we gather a series of predictions from our consultants across regions and practice areas. It’s a way of reflecting on how our clients challenges and needs evolve from year to year, and capturing the key areas we expect to support our clients in during the year ahead. In Part 1 of this series, Jon Chan shared outlooks from across our EMEA e-discovery practice. This post provides a roundup of predictions for the region across antitrust, information governance and data privacy.
Blog Post
A Roundup of Trends to Watch on International Data Privacy Day
Data privacy has been widely recognised as one of the biggest risks organisations will face in 2022. In FTI Consulting’s most recent Resilience Barometer survey, G20 organisations listed data privacy issues among the top four causes of lost revenue from the last year and 72% said their organisation has experienced an increase in data privacy breaches, violations or a sensitive data leak as a result of remote work environments
Video
The New UAE Privacy Law and its Practical Implications
The UAE Government has recently introduced a new data privacy law. Watch this video as experts, Ben Crew, Head of Information Governance, Privacy, and Security MENA at FTI Consulting and Hamed Halawani, Head of Risk Specialists, Middle East, and North Africa at Thomson Reuters discuss these new laws in detail and what the implications are for businesses in the UAE.
Blog Post
Stealing From the Cookie Jar? Beware Evolving Data Privacy Rules.
For many businesses, cookies are the backbone of marketing. These text-only strings of information stored on visitors’ computers, smartphones and tablets allow businesses to track, identify and study online behaviour for the purposes of targeted advertising. This practice is allowable within the confines of the EU Cookie Law, existing privacy legislation that allows websites to store or retrieve information only with visitors’ consent. While cookie-enabled targeted advertising is a boon for marketing campaigns, recent developments in data privacy laws and discourse are beginning to beg the question: is cookie tracking a good thing? More specifically, is the use of cookies compliant in accordance with the GDPR, California Consumer Privacy Act (CCPA) and other emerging data privacy regulations?
Blog Post
How Data Protection Has Become a Business-Critical Priority in the Middle East
Organisations that store personal and sensitive data possess millions of data artifacts—each representing unique risk and value—within their enterprise systems. With cybersecurity incidents on the rise, the stakes around data protection have become higher than ever before, yet many organisations still do not realise the extent of disruption that can result when systems are breached.
Blog Post
Global Insights: Bridging the Privacy Generation Gap in Australia
Studies and surveys show that most young people care very much about privacy and how data about them is collected and used. In our experience of advising clients on how to build privacy into their products and services, we’ve seen firsthand that when businesses don’t invest in understanding their users (including younger demographics), trust (and revenue, by extension) can quickly dissolve.
Blog Post
EU Whistleblowing Protection Directive Looms as New Compliance Referee
It’s game time for corporate compliance professionals in Europe. In less than three months, the EU Whistleblowing Protection Directive will take effect and add a new set of requirements to the long list of compliance controls businesses in Europe must implement and maintain. With little time left to prepare and establish the frameworks needed to comply with the law, it’s important that businesses gain an understanding of what the directive entails and the new policies and processes that must be put in place before the impending deadline.
Case Study
Privacy experts from the Information Governance, Privacy & Security practice within FTI Consulting’s Technology segment were engaged to conduct a biennial privacy and data protection assessment for a large, global technology company.
Video
Sudden Impact: How The Pandemic Changed Antitrust Investigations and Compliance
The pandemic and its ripple effects have impacted us all in many ways, including how we work. Suddenly, millions of workers worldwide made the shift to remote work -- adopting new schedules, communication systems, and business practices. Antitrust practitioners were no different. From North America to South America and Europe, competition authorities updated guidance on pandemic-driven cooperation, transitioned to virtual investigations and temporarily suspended certain merger review and office searches. Acceleration of remote-work-driven cloud communication and the need for remote document collection, only complicated matters further.
Blog Post
It’s Not Over Yet: Addressing Persistent Legal and Regulatory Risks in Remote Work Environments
Earlier this year, we teamed up with Colin R. Jennings, a partner at Squire Patton Boggs, and other speakers on a panel for the Northeast Ohio Chapter of the ACC. Our talk covered the breadth of risks and mitigation strategies that have emerged—and are continuing to create headaches for—legal teams during the COVID-19 pandemic.
Video
Avoiding Enterprise Data Governance Project Pitfalls
While data governance will look different for every organization, there are a number of challenges that arise in most initiatives. If CDOs and other data governance stakeholders can plan for these and address them at the outset, their projects will have a much greater chance for success. Most projects lag due to resource fatigue, decision overload, assessment dead ends and lack of technical resources. Misalignment of roles and responsibilities is another major project pitfall.
Blog Post
What Companies Need to Know About the ADGM Data Protection Regulation
In February this year, the Abu Dhabi Global Markets (ADGM) passed the Data Protection Regulation (DPR2021), which bears a striking resemblance to the EU GDPR, and the U.K. GDPR specifically. The former legislation, dating back to 2015, was based on the Organization for Economic Co-Operation and Development (OECD) guidance, which was significantly different from GDPR’s standards. What this means is that for companies operating in the ADGM, major regulatory changes are afoot.
White Paper
Data Security in Texas: The Lone Star in Privacy Compliance?
Are companies in Texas leading the way when it comes to their approach to data security? This new report based on a survey done by ALM Media and FTI Consulting explores the approaches Texas companies employed to challenges faced by virtual workplaces and evolving privacy regulations.
Video
CCPA Training Requirements; Understanding and Operationalizing them for Efficiency and Compliance
Many organizations have prepared for compliance with the CCPA, specifically building out consumer rights management processes and procedures. But there are other requirements that must be met in order to maintain CCPA compliance, like the obligation to train employees who are responsible for handling consumer inquiries about the consumer’s privacy rights, or those within the organization whose roles may impact the processing of California resident personal information, such as marketing or IT. Please join FTI Consulting and OneTrust for a webinar outlining the specific training requirements within the CCPA and to learn about resources that can help your organization more easily meet this requirement.
Video
Privacy by Deletion - 5 Steps to Reducing Data Risk
Organizational data is dramatically increasing in size – by some estimates as much as 40-60% growth per year – at the same time that data breaches grow in number.
Video
The Future of Investigations Part 4: X-Factors
COVID-19 and the global migration to remote work environments, pending vaccine breakthroughs and migration back to physical offices, a growing presence of blockchain and cryptocurrency, moves to digitization and artificial intelligence, a presidential election and global shifts in regulatory priorities – these are just some of the “X factors” that can be difficult to account for as companies assess their compliance and investigative priorities. This webcast will focus on resilient and agile measures that companies can take to efficiently adapt to for unforeseen challenges.
Blog Post
Streamlining Privacy Compliance Among Global Regulatory Changes
Organisations that operate globally are subject to the ever-changing and continually developing regulatory landscape, which is challenging to comply with without a robust privacy and information governance backbone. In this blog, Ines Rubio, looks at how using aids such as privacy management technology to stay on top of processing activities and legal requirements will facilitate compliance teams’ work and serve as the go-to resource for updates, queries, and research on regulatory changes.
Blog Post
How content is created and shared on digital platforms is coming under increasing scrutiny with Regulators and the public calling for online platforms to take on more responsibility. Regulation has been on the horizon with France coming close to passing law to regulate online hate speech (subsequently struck down in court due to freedom of speech concerns) and the Online Harms Bill was proposed by the UK in 2019.
Blog Post
The ePrivacy regulation has had an uncertain path, and at times it seemed as though there would be no regulation introduced at all. One of the main stumbling blocks is the impact on online behavioural advertising and cookies walls on websites. However, in mid-February, the Council of the European Union’s Presidency announced a breakthrough: member states finally reached an agreement on the draft text. The next stage will be negotiations between the Commission, the Council, and the European Parliament.
Blog Post
Data is easy to forget. Especially with the increase in legacy-to-digital transformation, it’s easy to overlook unused systems or historical backups. All too often, the focus is on transitioning to new, digital technologies without decommissioning the legacy systems they replace.
Blog Post
Privacy Compliance for Small and Mid-Sized Businesses; It’s Not One Size Fits All
Read any survey of the challenges small and mid-sized business leaders face, and you’ll see an array of worries over managing cash, retaining customers, competing and keeping up with technological change. Chances are that regulatory compliance and data privacy aren’t making those lists of issues keeping SMB owners up at night. In fact, the majority of SMBs (80% according to one survey) know very little about whether and how data protection laws affect their business. Nevertheless, many data protection regulations are indiscriminate when it comes to organization size, and with consumers paying increasing attention to data privacy, the issue has become very real in the SMB arena.
Video
The modern workplace is in the midst of a massive transformation. An estimated 44% of employees are currently working from home, and a recent survey reported that employers expect the number of full-time workers who remain at home permanently to triple from pre-pandemic figures. The implications of this shift has and will continue to impact policies and operations across business functions, but particularly the data privacy arena, where corporations must consider how a remote workforce impacts regulatory compliance.
White Paper
Effective Strategies to Manage Global Data Challenges
At the recent PrivSec Global event, Nina Bryant and Kajen Subramoney, Managing Directors within FTI Consulting’s Technology segment in EMEA, participated in a panel with other data privacy experts to discuss the current global landscape of data challenges.
Blog Post
Privacy in a Pandemic – the Conundrum of COVID-19 Check-in Solutions
In the early days of the COVID-19 pandemic, when we were all grappling with the avalanche of concepts like ‘social distancing’ and ‘personal protective equipment’, the idea of contact tracing had many scratching their heads. In the age of automation, a manual process involving a team of people making calls and conducting interviews to find those exposed to the virus can seem almost counter-intuitive. Perhaps this is part of why, in 2020, we saw a dedicated push to find digital solutions to the challenges of COVID-19. This has included digital contact tracing solutions such as the Australian Government’s COVIDsafe app. However, the adoption of visitor registers that record which individuals have visited specific locations, and their contact details, have been far more helpful to contact tracers.
Blog Post
Data Risks and Challenges in M&A Transactions
At the recent PrivSec Global event, Sonia Cheng, Senior Managing Director and EMEA Head of Information Governance & Privacy at FTI Consulting, led a panel with Ahmed Baladi, Privacy & Cybersecurity partner at Gibson, Dunn & Crutcher and Linda NiChualladh, Head of Privacy (Legal) at Citi. The session covered the underlying risks and considerations associated with data in M&A transactions and the skills needed to brave a complex M&A data landscape.
Case Study
The Information Governance, Privacy & Security practice within FTI Consulting’s Technology segment was engaged to lead HIPAA Security Rule risk assessments for several U.S. entities owned by a German-based medical device company.
Blog Post
Now in its sixth year, the report takes a deep dive into the leadership structures, core functions, staff and budgets, and tasks and priorities of privacy programs around the globe. It provides key metrics on ongoing compliance with core pieces of privacy legislation and the effects of recent legal rulings and guidance from data protection authorities on processing operations.
Video
The Privacy Playbook: Protecting Deal Value Through Targeted Privacy Due Diligence
While cyberattacks and breaches grab headlines, privacy compliance issues can be equally damaging to a deal and often reveal themselves only after the close. The growing web of privacy regulations increase the specter of integration challenges in the near term and enforcement actions or litigation in the mid-to-long term.
White Paper
The IAPP-FTI Consulting Annual Privacy Governance Report 2020
The IAPP-FTI Consulting Privacy Governance Report is the primary annual study benchmarking the privacy profession. Now in its sixth year, the report takes a deep dive into the leadership structures, core functions, staff and budgets, and tasks and priorities of privacy programs around the globe. It provides key metrics on ongoing compliance with core pieces of privacy legislation and the effects of recent legal rulings and guidance from data protection authorities on processing operations.
Blog Post
Q&A: Amid COVID-19, Data Integrity May Be the Weakest Link in Pharma Compliance
Across the globe, the pharma industry is investing billions of dollars into fighting COVID-19. Some of the leading companies have halted other research projects to allocate upwards of $1 billion to R&D for coronavirus treatments and vaccines (according to Forbes). In addition to government and market pressure to respond to the pandemic, pharma companies are up against increasing regulatory scrutiny. A notable—but often overlooked—risk on the regulatory front is the issue of data integrity, which is mandated by numerous global authorities. We recently discussed the issue of data integrity with Managing Director Ankush Lamba based in our Mumbai office, to get a better picture of the risks and how this issue has been exacerbated by the pandemic.
Blog Post
The Intersection of Privacy and IT: Key Questions Answered
Today, some degree of data privacy and data protection obligations —regulatory, security standards, consumer trust issues, etc.—touch nearly every organization around the globe. Fulfilling those obligations while maintaining operational resilience and productivity generally requires the involvement of multiple stakeholders as well as a broad range of company leaders. While typically led by an organizations legal and compliance department, operationalizing data privacy technology, implementing the required safeguards and governance workflows requires both the support and leadership of IT.
Blog Post
Third-Party Risk Spreads Like a Virus Among Work From Home Employees
Even sophisticated companies that dedicate ample resources to information governance often end up with gaps when it comes to third-party risk management. Now, as employees and third parties adopt new, unvetted applications to do their jobs from home, these gaps have become even greater. Organizations are under tremendous pressure right now—but making time to holistically assess and manage third parties will pay long-term dividends in reducing risk, while employees work remotely, and when they eventually return to the workplace.
Video
Data Retention & Minimisation - Lessons Learned in 2020
Data retention and minimisation played a key role in numerous cases and enforcement actions throughout 2020. Worryingly, the range of infractions varied widely, teaching us that it is certainly an area that is very challenging for organisations to address.
White Paper
IT’s Role in Supporting Global Privacy Compliance
While privacy programs are typically driven by stakeholders in legal and compliance, the requirements, resources, policies, processes and technologies involved with data privacy compliance often cross over with Information Technology (IT). Existing and emerging data privacy and data protection regulations also introduce a new set of considerations for IT teams to address when sourcing, deploying, managing or sunsetting systems and working with third-party providers.
Blog Post
It’s Official. The California Privacy Rights Act of 2020 is Coming.
Along with countless significant decisions, November 3 brought the passage of a long-awaited update to California data privacy law. This week, the California Privacy Rights Act of 2020 (CPRA) passed with a majority vote as expected, adding to and modifying the requirements and enforcement of the California Consumer Privacy Act (CCPA).
Blog Post
How Life Sciences Organizations are Re-Examining their Compliance Operations and Technology
FTI Technology Senior Managing Director Rena Verma recently attended the 17th annual Pharmaceutical Compliance Congress. We asked Rena to share the insights she gathered from fellow risk and compliance experts, and her observations on the key issues facing the pharmaceutical industry.
Blog Post
SEC Cyber Report Focuses on Information Governance Best Practices
In January, the Securities and Exchange Commission (SEC) released its most substantial cybersecurity guidance to date. The report, “Cybersecurity and Resiliency Observations,” was the result of examination findings and research from the last five years, much of which was led by the commission’s Office of Compliance Inspections and Examinations (OCIE). This is the first comprehensive guidance we’ve seen from the SEC’s cyber unit since it was established several years ago. In many ways, it reads as an examination pamphlet—outlining the essential information security practices and programs a financial services institution will need to have in place to stand up against a government raid, inquiry or investigation.
Video
Data Mapping for Privacy Obligations and Beyond – How to Reduce Risk and Increase Value
Emerging regulations like CCPA and GDPR have prepared us for compliance readiness – but not without challenges. The anticipated volume of Data Subject Access Requests (DSAR) coupled with vast amounts of personal data collected and stored, will make responding to regulatory deadlines far from easy. Especially knowing where all the data resides, how the data is being used and its contractual, legal and regulatory obligations. The answer is “Data Mapping” – a crucial backbone for compliance and overall health of an organization.
Blog Post
When Employees Work from Home, Compliance Culture Requires Extra Care
The last two months have given businesses many new issues to consider and practices to re-examine. Alongside introducing unexpected risks, the sudden shift to working from home has disrupted corporate culture, and more specifically, culture as it relates to compliance and privacy practices.
Webcast
Protecting Sensitive Data: Remote Employees, Trade Secrets and Data Loss
There is no question that the last few months have disrupted the workplace in profound ways. While the implications and timeline of this disruption are only just beginning to be fully realized, it’s clear that the transition to remote work for the vast majority of corporate employees has made data potentially more vulnerable to compromise, leakage and theft. Additionally, the upheaval of the global economy means that workforce shifts or reductions are likely inevitable. How can a corporation protect sensitive data in these circumstances? How do organizations detect and respond to data leakage and/or theft when it happens? And once data is compromised and litigation started, how do businesses put a value on what was lost?
Video
In the current climate of uncertainty, business resiliency is top of mind for many organizations, but many are struggling to articulate what that might look like and how to achieve it. Moreover, data privacy and security concerns continue as regulators expect and enforce compliance. Fortunately, there are steps organizations can take right now to strengthen business resiliency. These strategies not only help with regulatory compliance, but also serve as a meaningful business integrity component that can help steady the rudder in tumultuous times.
White Paper
FTI Consulting surveyed over 500 corporate data privacy leaders to understand the solutions, strategies and budgets companies have planned to address data privacy challenges in the coming year. This survey report illustrates how organizations are balancing the costs and risks of managing data in an ever-changing data privacy landscape; the importance of implementing a strategic combination of people, process and technology to mitigate data privacy risk; and the status of future plans in light of today’s uncertainties.
Blog Post
Q&A: Geoff Budge Leads Technology Practice in South Africa, Offers Business Guidance for COVID-19
Managing Director Geoff Budge has been working with FTI clients in South Africa for more than three years. Now, he is building a team of experts and solutions for the newly-established Technology practice in South Africa. His team will focus on expanding in the region and delivering the Technology segment’s client-centric, flexible model across e-discovery, information governance, risk, data privacy, security and legal operations solutions. We talked to Geoff about this move, and his thoughts on the biggest issues corporations in South Africa are facing during the current pandemic.
Blog Post
Q&A: Renato Fazzone Discusses Expanding Footprint and Client Service in Germany
The recent appointment of Renato Fazzone as Senior Managing Director and Germany Head of Technology established our permanent presence in the German market for our Technology practice. Backed by more than 15 years working in e-discovery and litigation support, as well as advising clients on corporate fraud and antitrust matters, Renato is eager to expand our offerings and expertise to clients in the region. We recently sat down with him to discuss his vision, the top issues impacting German corporations today, and how the COVID-19 pandemic is impacting FTI’s offerings.
Webcast
In the current state of uncertainty, business resiliency is top of mind for many organizations; however, many are struggling to articulate what that might look like and what can be done in the near term to achieve it. Moreover, data privacy and security concerns continue to reside at the center of that process, with regulators continuing to expect – and enforce – compliance. Fortunately, there are steps organizations can take right now to strengthen business resiliency. These strategies not only help with regulatory compliance, but also serve as a meaningful business integrity component that can help steady the rudder in tumultuous times. Join this webcast to hear experts discuss these strategies and practical steps for implementing them.
White Paper
Limping to the GDPR Finish Line - Why Many Companies Still Aren’t Fully Compliant
To date, GDPR compliance at most organizations has been approached from the top down. Policies and procedures are essential. However, now that most organizations have those in place, it is time to begin revisiting GDPR programs from the bottom up — starting with the systems where data lives, to ensure cohesive alignment between the existing privacy policies, business requirements, and the IT systems and infrastructure.
Blog Post
COVID-19: The Call for Personal Data Hygiene
Coronavirus is everywhere, figuratively and literally. It has overtaken our news, social feeds, and nearly every message and exchange. We’re getting a glaring reminder of the importance of strong personal hygiene (wash your hands!). But what about information hygiene? Beyond the devastating impacts on health infrastructure, human life and the economy, this crisis is also exposing new risks to personal data.
Video
Data Privacy Implications of Cloud-Based Social Collaboration Apps
An array of cloud-based workplace collaboration tools and messaging applications have become standard inside organizations around the globe. Yet many companies are unable to control the growth, management and discovery of the data within these applications. Oftentimes third parties host the data,but lack standard export workflows or preservation policies and process, making it difficult to obtain, quantify or assess. And, perhaps most importantly for those concerned with privacy, these applications are often engineered to prioritize individual user privacy, at the risk of enabling any sort of organized governance.
White Paper
Corporate Data Privacy Today; A Look at the Current State of Readiness, Perception and Compliance
FTI Consulting recently conducted a survey of more than 500 data privacy leaders of large, U.S.-based companies. The results illustrate the state of data privacy in today’s corporations, giving insight into the programs, perceptions and strategies at play.
Video
Five Strategic and Practical Information Governance Considerations During a Merger or Divestment
M&A activity stayed strong in 2019 from large acquisitions and strategic divestitures to smaller bolt-on acquisitions. M&A activity in the large pharmaceuticals, aviation and media industries, all highly litigious sectors from an information governance perspective, dominated the news cycle most recently. During this webcast, our experts outline an M&A playbook on data privacy, contract intelligence, legal holds and data preservation, intellectual property (IP) information and resources to support the various information governance initiatives during a merger or divestment.
Blog Post
2020 + CCPA = $55 Billion Spend for Businesses
The California Consumer Privacy Act (CCPA) has arrived, and businesses are bracing for the financial impacts. Every company’s risk and compliance posture is different, and each company’s data footprint is unique, so the cost of compliance will range from company to company. Generally, estimates from the California Department of Justice project that compliance will cost up to $50,000 for small businesses and $2 million for companies with more than 500 employees. This totals a forecasted $55 billion in initial expenses to operationalize the new requirements.
Video
Friend, Foe or Frenemy: Understanding the Risk of Too Much Data
FTI Consulting’s European Information Governance Leader Sonia Cheng looks towards 2020 and talks about some key issues and topics in information governance and data privacy. These include the core ingredients to make an information governance programme successful, the emerging risk areas information governance that corporations are facing and how technology can help modernise data compliance initiatives.
Blog Post
2020 Forecast: Expect Landmark Changes in E-Discovery, Data Privacy and Investigations
Across our practice areas, we asked our experts to share their predictions for what will shape legal, compliance and information governance in the coming year. Below is a roundup—across new laws, emerging technology and key industries—of what they expect will make the biggest impact to businesses worldwide.
Video
Managing Global Data Subject Rights
GDPR. LGDP. CCPA...In this sea of uncertainty, how do you keep your privacy programme afloat?
White Paper
Committing To Data Privacy Compliance: The California Consumer Privacy Act And Steps To Prepare
California’s new data privacy law, The California Consumer Privacy Act of 2018 (CCPA), is ushering in a new era of consumer privacy protections in the U.S. The law takes effect January 1, 2020, and will provide broad privacy protections for California residents. To ensure regulatory readiness, organizations must prepare for the impact the law will bring to their business, understand obligations and take steps to modify processes accordingly
Video
The CCPA is Almost Upon Us - Understanding Fundamentals & Addressing Unique Requirements
Bob Cattanach, Joe Lynyak and Sean Kelly discuss the ins and outs of the CCPA.
Webcast
US-UK-EU Cross-Border Data Transfers After Brexit
Date:
Wednesday, November 6, 2019
Time:
1:00 p.m. EST
More Information:
Webcast
Managing Global Data Subject Rights - Challenges and Solutions for Global Organizations
An expert panel will discuss the global expansion of privacy law, the main challenges facing global organisations in relation to data subject rights and practical guidance on handling global data subject right requests.
White Paper
The General Counsel Report: Corporate Legal Departments in 2020
FTI Technology and Relativity partnered with Ari Kaplan Advisors to survey chief legal officers about the future of the legal industry and the skills and expertise needed for the next generation of lawyers. The results of these interviews clearly indicate an industry in transition across four key areas: the evolving role of in-house counsel, risk factors and how the modern legal department is addressing them, technology and innovation in law, and advice that general counsel have for their law firms and for future lawyers.
Webcast
Data Privacy Implications of Cloud-Based Social Collaboration Apps
An array of cloud-based workplace collaboration tools and messaging applications have become standard inside organizations around the globe. Yet many companies are unable to control the growth, management and discovery of the data within these applications. Oftentimes third parties host the data, but lack standard export workflows or preservation policies and process, making it difficult to obtain, quantify or assess. And, perhaps most importantly for those concerned with privacy, these applications are often engineered to prioritize individual user privacy, at the risk of enabling any sort of organized governance.
Blog Post
TMT Boards Threaten 2020 Growth if they Ignore Data Privacy Today
This year will see real progress in 5G network implementation, an expansion of the connected device marketplace, further adoption of applied AI and the advancement of ad-tech capabilities. These constituent parts will more noticeably converge and begin to firm up the long-term vision of global commerce, in which online platforms will have greater reach into the real world and the consumer’s data will fuel unprecedented insights and outcomes. In parallel with this push into the future, global Technology, Media and Telecom (TMT) corporations will continue to struggle with data privacy regulatory risk.
White Paper
Spear Phishing: Carefully Targeted, Extremely Damaging and Fast Increasing
As spear phishing becomes sophisticated and widespread it’s essential that organisations take a multi-layered approach to protecting themselves. This means buying in expertise in staff training, cyber security and monitoring from an external source that specialises in this growing risk.
Video
Integrating Data Privacy Into Your Organization’s Business Strategy
With the advent of regulations like GDPR and the California Consumer Privacy Act of 2018, corporate leaders are beginning to recognize that poor data privacy risk management can harm competitive advantage, weigh down return on investment and have long term erosive effects on shareholder value. But how involved should executives be in privacy risk management decision making? And how can the corporate boards, the C-suite and legal and compliance stakeholders align business goals with privacy risk management?
Blog Post
Ad Techs and Transparency Issues take Center Stage for GDPR Enforcement Activity
In many ways, 2018 was a year of waiting. Waiting first for the General Data Protection Regulation (GDPR) to go into effect on May 25th. Then waiting again to see how regulators sought to investigate privacy complaints and enforce the new law. Now within the first two months of 2019, we’ve seen the beginnings of the anticipated uptick in European enforcement activity. And it is not a surprise to see the ad-tech space drawing most of that regulator attention.
Webcast
Integrating Data Privacy Into Your Organization’s Business Strategy
With the advent of regulations like GDPR and the California Consumer Privacy Act of 2018, corporate leaders are beginning to recognize that poor data privacy risk management can harm competitive advantage, weigh down return on investment and have long term erosive effects on shareholder value. But how involved should executives be in privacy risk management decision making? And how can the corporate boards, the C-suite and legal and compliance stakeholders align business goals with privacy risk management?
Blog Post
In the last half of 2018, GDPR enforcement activity among data protection authorities across Europe saw a steady uptick and the trend will continue in 2019. Organizations in a broad range of industries received public reprimands, enforcement notices and fines. Violations ranged from data breaches, to lack of security practices and failure to obtain consumer consent to collect data.
White Paper
Advice from Counsel: State of the Union on Data Privacy & Security
The 12th Advice from Counsel study explores how issues of data security and privacy impact in-house legal teams at Fortune 1000 corporations and reveals the top concerns and emerging best practices across three key and intersecting topics: the General Data Protection Regulation (“GDPR”), IG and data security and remediation.