Privacy and Data Protection

Data privacy has emerged as a vital concern for companies that are increasingly using their customers’ and employees’ personal information for business purposes. The proliferation of privacy and data protection laws around the world imposes complex compliance requirements on all organizations. At the same time, consumer expectations around acceptable data use evolve over time and can vary by country. It is no longer sufficient for data protection responsibility to rest solely with IT or lines of business. Managing data privacy is a strategic decision for executives and board directors.


Promontory’s privacy and data protection team draws upon a unique combination of regulatory, industry, and consulting expertise, resulting in practical, workable solutions that will allow your organization to meet regulatory requirements. We advise clients on the collection, use, transfer, and storage of data — across multiple jurisdictions and industry sectors.

Comprehensive Expertise

We understand the importance of ensuring that data protection projects and programs are appropriate, pragmatic, and flexible. Our professionals work closely with clients to ensure that time, resources, costs, and key business objectives are considered throughout any engagement. This client-specific approach assists firms through the full life cycle of building, managing, and sustaining privacy and data protection governance programs.

Core Services and Areas of Expertise

  • Strategy, Governance, and Program Implementation
  • Reports, Reviews, Assessments, and Advice
  • Incident Preparation and Management
  • Privacy as a Service
  • Managing International Obligations
  • Regulatory Relations

Global Team

Our professionals have more than 100 years of collective experience in specialized privacy and data protection work with a diverse roster of companies across a wide array of industries. We work closely with regulators, industry groups, and our clients to monitor and analyze new and imminent regulation, including the EU General Data Protection Regulation, the U.S. Consumer Privacy Bill of Rights, and emerging regulation in areas such as Asia and South America. This global perspective and expertise allows us to work with clients to maximize the value of data while protecting the rights of individuals and developing practical, proactive solutions that align with regulatory best practices.

Representative Engagements

Financial Services

  • Promontory was engaged by a leading international bank to undertake a review of regulatory restrictions on data transfers. More than 60 countries were in scope, and the work included consideration of banking secrecy, confidentiality, and AML restrictions on data sharing, both within the group and with third parties. The deliverables included a handbook for use by local staff covering the scope of typical processing activities for each business unit, providing guidance on compliance, and setting a risk rating for the jurisdiction.


  • A major cloud-services provider retained Promontory to review its global compliance with financial services supervisory expectations. The work included the review of regulatory requirements in high-risk jurisdictions and discussions with key supervisors about the regulatory rationale behind certain guidance; a design-level review of the company’s controls compared to regulatory requirements; evaluation of regulatory risk in 18 jurisdictions; and advisory services on regulatory relations and strategy.


  • Promontory assisted a U.K. retailer responding to a substantial data breach by helping it improve its enterprisewide approach to risk management and controls. Promontory conducted an initial assessment through interviews, document reviews, process walkthroughs, and examination of public-facing policies and communications, and delivered a report with recommended improvements in technology, processes, people and culture, and governance. Promontory subsequently developed a toolkit to help the client implement and maintain a best-in-class information risk management program.


  • A major U.S. media and entertainment company retained Promontory to develop a privacy assessment approach and perform audits of its data-handling processes. Promontory developed a tailored audit framework of control requirements based on the client’s policy commitments and EU and U.K. legislation, and assessed the company’s processes to identify gaps. Promontory’s team worked with the client to adopt a review process and final report template that addressed findings, risk scores, and recommendations in a manner consistent with the client’s internal practices.


  • A global life sciences company requested Promontory’s assistance in incorporating country-specific privacy and data-protection requirements into local operating procedures. The work involved a review of existing global privacy policies and procedures, and analysis of local laws and regulations in more than 25 jurisdictions. Key areas of focus included consent, notice, access, transfers, and breach management. Promontory drafted a comprehensive set of local operating standards and provided the firm’s international privacy office with analyses about the practical implications of local data-protection and privacy requirements, including key variations from group-level policy requirements.


  • A large pharmaceutical company retained Promontory to prepare for its U.S. safe harbor certification. The work included an extensive classification of the company’s personally identifiable information, which required a review of existing policies and the development of policy guidance; extensive data mapping for key processes across a range of jurisdictions and markets; developing a U.S. safe harbor information pack for the company’s local data-protection officers; and providing corporate audit support. Promontory also developed a checklist to support preparation and planning around annual privacy audits.


  • Promontory developed for a government client a data-mapping toolkit with templates, information gathering and reporting tools, user guidance, and training materials. Promontory also provided comprehensive training workshops and management briefing sessions explaining how to apply the methodology and how to use the toolkit to deploy and successfully maintain the data-mapping framework.