Data Privacy Consulting Services & Solutions

Designed to enhance regulator-readiness and reduce risk while preserving the value of enterprise data.

Reliance on personal data grows and companies continue to innovate against a backdrop of enhanced privacy regulation, changing consumer privacy expectations, and shareholder demands for profitability. As a result, today’s organizations face a profoundly complicated regulatory, reputational, and operational data privacy risk environment. FTI Consulting’s Information Governance, Privacy and Security team delivers practical business solutions that not only help organizations reduce the risk associated with privacy compliance obligations, but also recognize value in their personal data.

Data privacy - growing your data the right way — Growing your data the right way is also the key to growing your business.

Corporate data privacy priorities

Validating Personal Data Handling and Security Practices of Third Party Partners

Increasing the Value and Utility of Personal Data

Optimizing Privacy Program Functionality and Enabling Automated Controls

Enhancing Program Integration and Privacy Risk Awareness

Protecting your data

Comprehensive and Integrated Services

Our data privacy team has expertise with privacy policy, processes and technology and can design, build, run, monitor, and enhance our clients’ data privacy risk management capabilities, delivering custom solutions no matter the company’s data environment or risk profile. From small engagements around specific regulations to ongoing managed services, we help each organization better define, implement and operationalize data privacy programs. Our services include:

Privacy Program Development

Program strategy, design, development, and implementation.

Privacy Tech Enablement

Vendor selection, requirements gathering, design, and implementation.

M&A and Deal Support

New venture, M&A privacy due diligence and post-acquisition integration support.

Regulatory Assessments

Compliance gap assessments across global privacy and security regulations.

Privacy Risk Management

Risk assessments & quantitative analysis, risk treatment roadmaps & recommendations, control monitoring and reviewing.

Industry-Specific Solutioning

Technology, Telecom, Media, Financial Services, Healthcare and Life Sciences.

Privacy Managed Services

Day-to-day privacy program management and On-Call response services, Data Protection Officer (DPO) as a Service.

Regulatory Process Implementation

Regulatory affairs support, complaints & inquiries handling, data subject rights request response, consent tracking, etc.

How We Think About Privacy

Privacy is not only a regulatory compliance issue, but also a strategic business issue.

FTI believes that while policies, standards, and discrete guidance documents are extremely important, privacy risk and compliance must be action-oriented and fully integrated throughout an organization’s business functions and processes.

With this in mind, we have developed a program framework intended to provide regulatory, reputational and operational risk coverage to clients of all sizes and complexity. The framework serves as a starting point to discuss risk tolerance, program scope, specific program work activities, and high-risk areas requiring extra attention and stakeholder involvement.

FTI Consulting data privacy framework graphic

Our Approach

We believe that policies, standards, and guidance documents are important, but true data privacy risk management is action-based.

Undefined risk and control ownership, open-ended corporate risk tolerance, and lack of mission are common root causes for lagging data privacy risk management maturity. FTI’s Data Privacy solutions drive clarity, structure, and a position of "regulator-readiness" through an approach that is:

Programmatic: We help our clients define a practical privacy program governance structure, the target operating model, and performance indicators to correct misaligned privacy risk ownership and promote efficient scale.

Risk-Based: We work to design and implement regulatory and operational risk controls with full awareness of how to best balance our clients’ strategic business priorities.

Integrated: We work to understand the nuances of our clients’ business model, processes, systems, or products and integrate specific privacy controls.

FTI's Data Privacy practice aims to deliver meaningful, "regulator-ready" results that actually improve personal data handling practices throughout the enterprise. Our solutions focus on active remediation of risk through business process re-engineering, enterprise system modifications, functional reorganization, or even new technology implementation.

Why FTI for privacy?

Prioritization of Data Value

We work to understand client products and services and develop a strategy that reduces risk around personal data and improves that data’s value by making it more transparent, which enables clients to make more effective business decisions.

Extensive Privacy Regulatory Experience

Our global team is adept at designing and building regulatory requirements across markets (North America, EMEA, APAC). We have field experience building solutions around diverse privacy regulations including GDPR, ePrivacy, EU member state regulations, California Consumer Privacy Act of 2018 (CCPA), HIPAA, HiTECH, GLBA, 23 NYCRR 500, PIPEDA and more.

Strong Technical Expertise

We have wide-ranging experience with diverse data environments, including off-the-shelf and in-house enterprise platforms and applications.

Effective Program Execution

Our team translates high-level requirements into executable project plans and uses an array of workflows to fit the specific parameters of the project - from proven, out-of-the-box methods to custom processes designed specifically for the Corporation’s business model.

Truly Cross Functional Service

We leverage a wide range of global subject matter expertise across FTI Consulting to enhance our Data Privacy service for several specific verticals (technology, financial services, life science, healthcare and others), regions and use cases.

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

California’s data privacy law, The California Consumer Privacy Act of 2018 (CCPA), is ushering in a new era of consumer privacy protections in the U.S. While CCPA has been widely viewed as bringing GDPR-level data privacy regulation to the U.S., the real teeth are coming with the California Privacy Rights Act of 2020 (CPRA). With a broader scope than the existing law, it creates additional rights and obligations and expands the liability businesses could face if they experience privacy or information security violations.

To ensure regulatory compliance, there are a handful of steps organizations can take to help reduce operational and reputational risk associated with the regulation, including data mapping, updating privacy notices, identifying and documenting personal data "sales" and having a process for responding to data rights requests.

FTI Consulting provides a wide range of services that assist with these steps. From short, project-based engagements to ongoing managed services, FTI Consulting’s CCPA services are tailored to each organization’s requirements and include:

CCPA "regulation compliance" assessments
CPRA readiness assessments
Program and process implementation
Privacy risk strategy development and executive advisory support
Consent and opt-out preference management strategies
Holistic privacy program maturity benchmarking
Privacy enabling technology development
California consumer data identification and mapping
Training and awareness
Long-term privacy support and managed service
Incentive program implementation
Deterministic and probabilistic ID mapping formation
Digital marketing risk assessments

Data Privacy Managed Services

FTI Consulting offers data privacy managed services to provide day-to-day operational and subject matter support for organizations with a range of needs; including anything from designing and running a full data privacy program, to acting as the organization’s back office privacy staff, to providing strategic cover for certain tasks or at specific times.

Managed Services Offered

The FTI team offers expertise in executing the following responsibilities as part of day-to-day privacy program management or as specific on-call response services:

Data subject requests response and tracking;
Data protection impact assessment reviews and escalation;
Metrics compilation and reporting;
Breach logging, investigation, and notification support;
Records inventorying;
Training and internal communications development;
Requirements tracking and documentation support;
Privacy crisis event handling;
Strategic communications for privacy crisis events.

Learn more »

DPO Services

The General Data Protection Regulation (GDPR) requires many organizations to appoint a Data Protection Officer (DPO) with expert knowledge of data protection law and practices to oversee data privacy risk and compliance. While the requirement is relatively straightforward, its elements can make the DPO role difficult for companies to fill successfully.

Office of the DPO Services

With FTI’s Office of the DPO offering, the FTI team effectively acts as the back-office privacy program for organizations that have an internal DPO but need additional cover for certain tasks or at specific times. At the direction of the internal DPO, the team provides day-to-day back office operational and subject matter support and risk management coordination and oversight activities, while adding an overlay of in-depth risk and compliance oversight to the organization as a whole.