Information Governance, Privacy & Security

To ensure compliance with regulatory requirements, prevent costly issues, and maintain business continuity, FTI Consulting provides a broad range of information governance services, including designing and implementing global information governance programmes, policies and procedures; conducting enterprise-wide data mapping and remediation programmes; properly identifying and protecting sensitive data, including personal data, client information and intellectual property; securing proprietary data when employees leave or divestitures or mergers occur; and migrating data to cloud applications and remediating information within legacy applications.

Our senior practitioners assess your situation and deploy the right people, processes and technologies to deliver desired results. This combination, tailored to your organisation and its specific goals, delivers data compliance and cost savings objectives with demonstrable value to your organisation.

Click here for more information

As reliance on personal data grows, companies must continue to innovate in the face of increased privacy regulation, personal data breaches, evolving privacy expectations from customers, and profitability demands from shareholders. Organisations across the globe now face a profoundly complex regulatory, reputational and operational data privacy risk environment. Firms also need to conduct proper due diligence, including assessing what personal data is being acquired, the legal basis for its use and how it is being protected to preserve deal value and avoid costly class action litigation or government investigations. Our team delivers practical solutions that not only reduce risks associated with privacy compliance obligations, but also identify and increase the value in personal data.

Our global senior team has decades of field experience and is adept at designing, implementing and monitoring solutions around diverse global privacy regulations. Our goal is to deliver meaningful, “regulator ready” results that improve personal data handling practices throughout your enterprise.

Click here for more information

An organisation’s data — whether stored on servers, in the cloud or on employee devices — presents both challenges and opportunities in today’s highly regulated business environment. As data volumes increase, challenges include safely and defensibly mining corporate data to find and act upon key information quickly, storing sensitive data such as client information and intellectual property, securing data against internal and external threats, and disposing of old or redundant data to reduce storage costs and risk. With the expert data remediation support and advisory capabilities of our firm, these can be accomplished with minimal business disruption.

Our senior experts deliver robust and pragmatic data management and remediation solutions. We apply decades of experience to help clients align to global regulatory requirements and drive business value from their data. Clients rely on us to design and implement cost-effective solutions tailored to their organisations and data. Also, we advise on relevant, evolving technologies, laws and regulations.

Click here for more information

Because today’s compliance laws and data protection regulations require organisations to minimise and defensibly dispose of data, now more than ever, those organisations must understand their legal, privacy and retention obligations for data. When they need help determining what to keep and what to delete, all while remaining compliant, organisations in all sectors and their legal counsel rely on FTI Consulting to evaluate data that might be subject to a legal hold.

Our senior practitioners, who have decades of industry, legal and technical experience, help global organisations update their legal hold, preservation and e-discovery processes throughout the entire electronic discovery reference model (“EDRM”). We help modernise in-house e-discovery processes to ensure preservation obligations and downstream e-discovery processes remain efficient, cost-effective and defensible.

Click here for more information

Many organisations have moved to or are in the process of transitioning to Microsoft 365. Migration from on-premise data sources such as file shares or legacy exchange and SharePoint do not factor legal, retention or privacy considerations for data in the platform. Our experts have extensive experience in implementing Microsoft 365 across global enterprises to ensure information is governed end-to-end and to factor in security, privacy, retention, legal and business change requirements for data.

We provide data governance and discovery consulting and services for Microsoft 365 users, assisting firms with a broad range of needs around Microsoft 365 usage to ensure legal and regulatory activities remain cost-effective and defensible. This includes support to conduct an evaluation to choose the right licensing model to meet organisational needs and budget; support to safely migrate data away from legacy sources to Microsoft 365; configure and implement data classification and data loss prevention leveraging the AIP and ATP solution suite; and defensibly dispose of redundant, obsolete or trivial data to reduce cost and breach risk.

Click here for more information

The European Court of Justice invalidated the use of the Privacy Shield framework as a valid mechanism to rely on for the transfer of data outside the EEA. While Standard Contractual Clauses (“SCCs”) remain valid, the underlying transfer must be assessed on a case-by-case basis to determine whether personal data will be adequately protected. The impact of not carrying out these extra steps could result in hefty fines and reputational damage.

Our privacy experts provide an independent assessment to help you navigate these changes. Data transfers to third countries often occur when organisations are receiving remote technical support to use business applications, have outsourced data processing operations or are conducting merger investigations that may require processing data from multiple jurisdictions. We review the effectiveness of protections of personal data, and identify and document supplemental safeguards to protect personal data through its lifecycle while in use and during transmission.

Under the General Data Protection Regulation (“GDPR”), organisations are required to respond within 30 days of receiving a Data Subject Access Request (“DSAR”). Businesses often struggle with responding to these requests because they must conduct detailed searches relating to the data subjects across a diverse data landscape. Responding to requests can be resource-intensive, costly and difficult to coordinate, especially within the required timescale under the GDPR.

We leverage best-of-breed analytics technology to rapidly review and identify relevant personal data and redact where required. Our flexible and cost-effective approaches to DSAR range from a technology solution to a fully managed service that includes collection, hosting and managed review of the data.

Under the GDPR, firms have 72 hours to report a data breach that involves personal data, with significant penalties should they fail to comply. Depending on the nature of the breach and potential impact, the data subjects may also need to be notified.

We have helped manage some of the most high-profile privacy cases and data breaches for clients across industries and geographies. Our privacy experts help assess the nature and scope of the breach, determine whether the breach needs to be reported under the GDPR, and assess whether the breach poses a high risk to the rights and freedoms of individuals affected. We use industry-leading analytics and machine learning capabilities to identify personal and sensitive personal data under the GDPR and automate notification to impacted recipients.