Information Governance, Privacy & Security

To ensure compliance with regulatory requirements, prevent costly issues and maintain business continuity, FTI Consulting provides a broad range of information governance services, including designing and implementing global information governance programmes, policies and procedures; conducting enterprise-wide data mapping and remediation programmes; properly identifying and protecting sensitive data, including personal data, client information and intellectual property; securing proprietary data when employees leave or divestitures or mergers occur; migrating data to cloud applications; and remediating information within legacy applications.

Our senior practitioners assess each client’s situation and deploy the right people, processes and technologies to deliver the desired results. This combination of inputs, tailored to the organisation and its specific goals, achieves data compliance and cost savings, with demonstrable value to the client organisation.

Click here for more information

As reliance on personal data grows, companies must continue to innovate in the face of increased privacy regulation, personal data breaches, evolving privacy expectations from customers, and profitability demands from shareholders. Organisations across the globe now face a profoundly complex environment with respect to data privacy risk – risk that can be regulatory, reputational and operational. Firms also need to conduct proper due diligence, including assessing what personal data is being acquired, the legal basis for its use, and how it is being protected; this is necessary to preserve deal value and avoid costly class action litigation or government investigations. Our team delivers practical solutions that reduce risks associated with privacy compliance obligations while identifying and increasing the value of personal data.

Our global senior team has decades of field experience and is adept at designing, implementing and monitoring solutions around diverse global privacy regulations. Our goal is to deliver meaningful, “regulator ready” results that improve personal data handling practices throughout the enterprise.

Click here for more information

An organisation’s data – whether stored on servers, in the cloud or on employee devices – presents both challenges and opportunities in today’s highly regulated business environment. As data volumes increase, challenges include safely and defensibly mining corporate data to find and act upon key information quickly, storing sensitive data such as client information and intellectual property, securing data against internal and external threats, and disposing of old or redundant data to reduce storage costs and risk. With the expert data remediation support and advisory capabilities of our firm, these can be accomplished with minimal business disruption.

Our senior experts deliver robust and pragmatic data management and remediation solutions. We apply decades of experience to help clients align to global regulatory requirements and drive business value from their data. Clients rely on us to design and implement cost-effective solutions tailored to their needs. Also, we advise on relevant evolving technologies, laws and regulations.

Click here for more information

Because today’s compliance laws and data protection regulations require organisations to minimise and defensibly dispose of data, it is more important than ever for those organisations to understand their legal, privacy and retention obligations in relation to data. When they need help determining what to keep and what to delete, all while remaining compliant, organisations in all sectors and their legal counsel rely on FTI Consulting to evaluate data that might be subject to a legal hold.

Our senior practitioners, who have decades of industry, legal and technical experience, help global organisations update their legal hold, preservation and e-discovery processes throughout the entire electronic discovery reference model (EDRM). We help modernise in-house e-discovery processes to ensure preservation obligations and downstream e-discovery processes remain efficient, cost-effective and defensible.

Click here for more information

Many organisations have moved to, or are in the process of transitioning to, Microsoft 365. Too often, migration from on-premise data sources, such as file shares or legacy Exchange and SharePoint, do not factor in the legal, retention or privacy considerations that relate to data stored in the new platform. In-depth experience in implementing Microsoft 365 across global enterprises enables our experts to ensure information is governed end-to-end, and to factor in security, privacy, retention, legal and business change requirements for data.

We provide consulting and other services around data governance and discovery for Microsoft 365 users, assisting firms with a broad range of needs around Microsoft 365 usage to ensure legal and regulatory activities remain cost-effective and defensible. For example, we can support the client in conducting an evaluation to choose the right licensing model to meet organisational needs and budget; support safe migration of data away from legacy sources to Microsoft 365; configure and implement data classification and data loss prevention leveraging the Azure Information Protection (AIP) and Microsoft Defender for Identity solution suite; and defensibly dispose of redundant, obsolete or trivial data to reduce cost and breach risk.

Click here for more information

The European Court of Justice has invalidated the use of the Privacy Shield framework as a mechanism for the transfer of data outside the EEA. While Standard Contractual Clauses (SCCs) have been updated, the underlying transfer must be assessed on a case-by-case basis to determine whether personal data will be adequately protected. Not carrying out these extra steps could result in hefty fines and reputational damage.

Our privacy experts can provide an independent assessment to help a client navigate these changes. Data transfers to third countries often occur when organisations are receiving remote technical support for business applications, have outsourced data processing operations, or are conducting merger investigations that may require the processing of data from multiple jurisdictions. We review how effectively personal data is protected, and identify and document supplemental safeguards to protect personal data throughout its lifecycle while in use and during transmission.

Under the General Data Protection Regulation (GDPR), organisations are required to respond within 30 days of receiving a Data Subject Access Request (DSAR). Businesses often struggle with responding to these requests because they must conduct detailed searches relating to the data subjects across a diverse data landscape. Responding to requests can be resource-intensive, costly and difficult to coordinate, especially within the timescales required under GDPR.

We leverage best-of-breed analytics technology to rapidly review and identify relevant personal data and redact where required. Our flexible and cost-effective approaches to DSAR range from a technology solution to a fully managed service that includes collection, hosting and managed review of the data.

Under GDPR, firms have 72 hours to report a data breach that involves personal data, with significant penalties should they fail to comply. Depending on the nature of the breach and its potential impact, the data subjects may also need to be notified.

We have helped manage some of the most high-profile privacy cases and data breaches for clients across industries and geographies. Our privacy experts help assess the nature and scope of the breach, determine whether the breach needs to be reported under GDPR, and assess whether the breach poses a high risk to the rights and freedoms of individuals affected. We use industry-leading analytics and machine learning capabilities to identify “personal” and “sensitive personal” data under GDPR and automate notifications to affected recipients.