National supermarket retailer engages FTI Technology’s Information Governance, Privacy & Security (IGP&S) practice for comprehensive privacy program transformation, technology implementation and enhanced automation.
The client’s digital business had grown exponentially in recent years. Alongside this growth, the retailer’s use of personal information had become more complex, riskier and more voluminous. The client needed a holistic privacy program to effectively monitor and manage risk — in support of compliance with data protection laws and consumer trust. The client also required additional automation to defensibly handle data access, deletion and opt-out requests.
Experts within FTI Technology’s Information Governance, Privacy & Security practice were engaged to implement a holistic data privacy program – establishing appropriate program roles, a standard risk management process, foundational program technology (OneTrust) and enhanced automation and data identification capabilities (BigID and custom solutioning from FTI Technology). The team also provided specialized privacy and technical advisory to the client’s internal Retail Media Network as FTI Technology and the client jointly sought to implement critical “Opt Out of Sale” solutions.
Comprehensive Privacy Program
The program consisted of governance (roles and responsibilities), job profiles, procedural workflows and an operating model to work across the various functions that collect, use, store, dispose of or share personal information.
Automated Data Identification
FTI Consulting’s IGP&S, in concert with FTI’s Data & Analytics Practice, performed a substantive proof of concept and tool assessment, selecting BigID to meet specific requirements for automation of scanning and data identification. The goal was to develop a tool to automate the identification of data (such as Social Security numbers and other sensitive personal information), scan to validate OneTrust findings and highlight any gaps that the survey may have missed.
Tech-Enabled Workflows & Standardized Risk Framework
FTI Technology implemented OneTrust to support key risk management processes. This included the development of custom privacy and impact assessment surveys and a series of integrated workflows (across the client’s marketing, IT, product development, procurement and other functions) that would allow the privacy team to be made aware of organizational change. The workflows also established methods for the privacy team to review changes across the organization and adjudicate risk in accordance with an industry-standard risk measurement framework.
Automated Data Access/Deletion/Opt-Out Fulfillment
Geared specifically to the organization’s access, deletion and opt-out requirements, the IGP&S team developed an automated workflow to identify in-scope data and remove/anonymize personally identifiable information and personal health information in accordance with applicable state laws and pursuant to individual consumer requests.