Privacy and Data Protection

Promontory’s privacy and data protection team draws upon a unique combination of regulatory, industry, and consulting expertise, resulting in practical, workable solutions. We advise clients on the collection, use, transfer, and storage of data — across multiple jurisdictions and industries.


The proliferation of privacy and data protection laws around the world imposes complex compliance requirements on all organizations. At the same time, consumer expectations around acceptable data use evolve over time and vary by country. It is no longer sufficient for data protection responsibility to rest solely with IT departments or lines of business. Managing data privacy is a strategic challenge involving executives and board directors.

Comprehensive Expertise

We understand the importance of ensuring that data protection projects and programs are appropriate, pragmatic, and flexible. Our professionals work closely with clients to ensure that time, resources, costs, and key business objectives are considered throughout any engagement. This client-specific approach assists firms through the full life cycle of building, managing, and sustaining privacy and data protection governance programs.

Core Services and Areas of Expertise

  • Strategy, Governance, and Program Implementation
  • European Union General Data Protection Regulation (GDPR)
  • Reports, Reviews, Assessments, and Advice
  • Incident Preparation and Management
  • Privacy as a Service
  • Managing International Obligations
  • Regulatory Relations

Global Team

Our professionals have more than 100 years of collective experience in specialized privacy and data protection work with a diverse roster of companies across a wide array of industries. We work closely with regulators, industry groups, and our clients to monitor and analyze new and imminent regulation, including the GDPR, the U.S. Consumer Privacy Bill of Rights, and emerging regulation in areas such as Asia, Australasia, and South America. Our global perspective and expertise allow us to work with clients to maximize the value of data, while protecting the rights of individuals and developing practical, proactive solutions that align with regulatory best practices.

Representative Engagements

Financial Services

  • Promontory was engaged by a leading international bank to undertake a review of regulatory restrictions on data transfers. More than 60 countries were in scope, and the work included consideration of bank secrecy, confidentiality, and anti-money-laundering restrictions on data sharing, both within the group and with third parties. The deliverables included a handbook for use by local staff covering the scope of typical processing activities for each business unit, providing guidance on compliance, and setting a risk rating for the jurisdiction.


  • A global insurer hired Promontory to develop and implement a GDPR compliance program to support its digital-transformation objectives - including an application to adopt binding corporate rules (BCR), which involved a gap analysis, readiness assessment, and remediation. Over the course of the three-year program, Promontory provided both program management and expert resources and delivered the client a detailed road map, communications plan, and ongoing remediation support. The project encompassed regulatory, policy, and operational support for all aspects of the program, as well as interaction with the group and subsidiary levels.


  • A major cloud-services provider retained Promontory to review its global compliance with financial services supervisory expectations. The work included the review of regulatory requirements in high-risk jurisdictions and discussions with key supervisors about the regulatory rationale behind certain guidance; a design-level review of the company's controls compared to regulatory requirements; evaluation of regulatory risk in 18 jurisdictions; and advisory services on regulatory relations and strategy.


  • Promontory assisted a U.K. retailer responding to a substantial data breach by helping the client improve its enterprisewide approach to risk management and controls. Promontory conducted an initial assessment through interviews, document reviews, process walk-throughs, and examination of public-facing policies and communications, and delivered a report recommending improvements in technology, processes, people and culture, and governance. Promontory subsequently developed a toolkit to help the client implement and maintain a best-in-class information risk management program.


  • Promontory helped a major global outsourcing provider with developing a program to adopt BCR and achieve compliance with the GDPR. The work included developing a control framework and action plan for the implementation of the program, supporting the delivery of key messages to senior stakeholder groups and the wider organization, and liaising with the lead data protection authority to develop a positive relationship.


  • For a global media and technology business, Promontory implemented a two-year GDPR program (including gap analysis, readiness assessment, and implementation planning and support) across the main group companies in Europe, the U.S., and East Asia, as well as any other affected entities worldwide. The project involved the design and rollout of the program and the review and adaptation of product-development processes and guidelines to meet GDPR requirements.

Health Care

  • A global life-sciences company requested Promontory's assistance in incorporating country-specific privacy and data protection requirements into local operating procedures. The work involved a review of existing global privacy policies and procedures and analysis of local laws and regulations in more than 25 jurisdictions. Areas of focus included consent, notice, access, transfers, and breach management. Promontory drafted a comprehensive set of local operating standards and provided the firm's international privacy office with analyses about the practical implications of local data protection and privacy requirements, including key variations from group-level policy requirements.


  • For a government client, Promontory developed a data-mapping toolkit with templates, information gathering and reporting tools, user guidance, and training materials. Promontory also provided comprehensive training workshops and management briefing sessions explaining how to apply the methodology and use the toolkit to deploy and successfully maintain the data-mapping framework.

Health Insurance

  • For a U.K. health insurer, Promontory performed an assessment of compliance with future obligations under the GDPR. The engagement included a series of privacy-impact assessments (or PIAs) focusing on major groupwide technology and business transformation projects, alongside stakeholder interviews and document reviews.
