Privacy and Data Protection

The expansion of privacy and data protection laws at local, national and international levels imposes complex compliance requirements on all organizations. Both the media and consumers are focusing on how companies use information about individuals, and regulators are actively enforcing against organizations that breach privacy and data protection rules. The evolving privacy and data protection landscape can often seem bewildering.


Promontory’s Privacy and Data Protection practice thrives on a unique combination of regulatory, industry, and consulting expertise, resulting in practical, workable solutions that will allow your organization to meet regulatory requirements. We have more than 85 years of experience in specialized privacy and data protection work. Our team helps clients manage the risks and regulations associated with handling data, including compliance with legal and regulatory obligations across multiple jurisdictions. We understand the challenge of maximizing the value of data while protecting the rights of individuals, and we can provide practical and proactive solutions that align industry standards with the best interests of your business.

We work closely with regulators, industry groups, and our clients to monitor and analyze new and imminent regulation, including the EU General Data Protection Regulation, the U.S. Consumer Privacy Bill of Rights, and emerging regulation in areas such as Asia and South America. 

Promontory’s experience combines an intimate understanding of businesses across many sectors with experience working on a broad range of privacy and data protection projects. Our areas of practice include: 

  • Data Protection and Governance Strategy 
  • Advisory and External Relations 
  • International Personal Data Transfers 
  • Service Providers and Vendor Management 
  • Information Security Governance
  • Personal Data Security Breaches 
  • Audit and Privacy Impact Assessments
  • Employment 
  • Marketing/Social Media 
  • Customized Training

Representative Engagements

Financial Services

  • Promontory was engaged by a leading international bank to undertake a review of regulatory restrictions on data transfers. More than 60 countries were in scope, and the work included consideration of banking secrecy, confidentiality, and AML restrictions on data sharing, both within the group and with third parties. The deliverables included a handbook for use by local staff covering the scope of typical processing activities for each business unit, providing guidance on compliance, and setting a risk rating for the jurisdiction.


  • A major cloud-services provider retained Promontory to review its global compliance with financial services supervisory expectations. The work included the review of regulatory requirements in high-risk jurisdictions and discussions with key supervisors about the regulatory rationale behind certain guidance; a design-level review of the company’s controls compared to regulatory requirements; evaluation of regulatory risk in 18 jurisdictions; and advisory services on regulatory relations and strategy.


  • Promontory assisted a U.K. retailer responding to a substantial data breach by helping it improve its enterprisewide approach to risk management and controls. Promontory conducted an initial assessment through interviews, document reviews, process walkthroughs, and examination of public-facing policies and communications, and delivered a report with recommended improvements in technology, processes, people and culture, and governance. Promontory subsequently developed a toolkit to help the client implement and maintain a best-in-class information risk management program.


  • A major U.S. media and entertainment company retained Promontory to develop a privacy assessment approach and perform audits of its data-handling processes. Promontory developed a tailored audit framework of control requirements based on the client’s policy commitments and EU and U.K. legislation, and assessed the company’s processes to identify gaps. Promontory’s team worked with the client to adopt a review process and final report template that addressed findings, risk scores, and recommendations in a manner consistent with the client’s internal practices.


  • A global life sciences company requested Promontory’s assistance in incorporating country-specific privacy and data-protection requirements into local operating procedures. The work involved a review of existing global privacy policies and procedures, and analysis of local laws and regulations in more than 25 jurisdictions. Key areas of focus included consent, notice, access, transfers, and breach management. Promontory drafted a comprehensive set of local operating standards and provided the firm’s international privacy office with analyses about the practical implications of local data-protection and privacy requirements, including key variations from group-level policy requirements.


  • A large pharmaceutical company retained Promontory to prepare for its U.S. safe harbor certification. The work included an extensive classification of the company’s personally identifiable information, which required a review of existing policies and the development of policy guidance; extensive data mapping for key processes across a range of jurisdictions and markets; developing a U.S. safe harbor information pack for the company’s local data-protection officers; and providing corporate audit support. Promontory also developed a checklist to support preparation and planning around annual privacy audits.


  • Promontory developed for a government client a data-mapping toolkit with templates, information gathering and reporting tools, user guidance, and training materials. Promontory also provided comprehensive training workshops and management briefing sessions explaining how to apply the methodology and how to use the toolkit to deploy and successfully maintain the data-mapping framework.