Case Study
FTI Consulting Provides GDPR Assessment and Action Plan for Global Energy Company
When Europe’s General Data Protection Regulation (GDPR) was enacted, many U.S. corporations were suddenly facing data protection requirements far more stringent than any preceding privacy rules.
This was the case for a Houston-based drilling company, which had a significant international footprint, including in Europe, but limited visibility into how its practices were impacted by the new regulation. With an active GDPR compliance program in development, the company engaged FTI Consulting’s Information Governance, Privacy & Security (IGP&S) practice to conduct a readiness assessment and provide a roadmap of additional steps needed to bring the company into full compliance.
Situation
A common fallacy in the energy industry is that companies within it do not have significant data privacy exposure. The client in this matter, while operating with a significant presence in Europe, believed that it held a minimal amount of data in the region that was subject to the GDPR. Similarly, the company had not given adequate attention to its third-party risk profile and had not implemented policies or practices to govern how outside partners and vendors handled its data.
As FTI’s team began digging into the client’s data footprint, they quickly discovered that the client’s initial assumptions were mistaken. Across numerous countries, in more than 75 unique systems, the company was storing a wide range of personal employee and customer data subject to GDPR going back many years. Seventy-five percent of the information was hosted outside the company with third-party providers. The legal and compliance teams were unaware that more than half of these systems and vendor engagements existed.
The client tasked FTI with providing visibility and transparency into the types of systems they had, scoping how they were impacted by GDPR and advising on additional measures the company needed to implement to ensure a strong compliance posture.
Our Role
In partnership with the client’s legal and compliance teams, FTI’s data privacy and information governance experts set out to understand the company’s U.S. and European systems and assess business activities against GDPR requirements. The team interviewed key international and domestic stakeholders and identified the full scope of systems that contained personal information. They also identified the types of data subjects for which the organization was storing information (including customers, investors, job applicants and employees), where that information was retained and how to access it in the event of a data subject access request (DSAR).
With these insights, the team was able to understand the full extent of the client’s privacy footprint and liabilities and develop a data map to guide remediation efforts. FTI also reviewed the client’s existing notice, consent, data sharing and engagement practices and evaluated the breach and incident response capabilities at the client’s datacenters.
FTI then developed a detailed action plan for the client to move forward with updating the compliance program. More than 10 action items, based on GDPR standards and best practices, were outlined, providing a three-year remediation roadmap. Some of the highlights of the plan included:
- Establishment of a data privacy steering committee
- Development of privacy policy and notice documents
- Refresh of data retention and security processes
- Remediation of data
- Launch of formal training programs
Our Impact
Despite the client’s initial belief that the company was minimally exposed under GDPR, the company received a DSAR on the day its engagement with FTI concluded. The data map, action plan and recommendations provided by FTI were critical in arming the client with the information and insights needed to respond to the request.
The data mapping activities provided transparency around where personal information was being stored and transferred, enabling the identification of risks that future privacy regulations might also raise. FTI’s gap assessment provided the client with critical visibility into its data footprint, third-party risk and GDPR exposure.
The detailed three-year roadmap offered actionable steps for the client to reduce risk and ensure compliance for its European operations.