data privacy and security

About us

Data privacy and security

Leading information protection practices

Deloitte is committed to becoming the profession's leader in setting the standard for protecting confidentiality, and continues to make major investments to protect client data and personally identifiable information.

Few organizations are as active as Deloitte in helping business and government institutions predict, prepare for, and fight online attacks and build cyber resilience. Our vigilance begins at home, where it's critical that we protect our own data and the information we hold on our people and member firm clients.

Like many organizations, Deloitte is aggressively assessing, testing, and adopting the best new technologies and services to understand how we can meet privacy and security standards.

The Deloitte network has moved rapidly to keep its privacy and security policies and practices up-to-date with global mandates and stakeholder expectations. DTTL's global policy on information security requires member firms to institute a wide range of security measures, covering areas such as virus protection, data backup and recovery, encryption, password authentication, access to systems, and network security.

Deloitte member firm compliance with security policies is tracked through an annual IT Standards, Risk, and Maturity Assessment. Compliance with security policies at the global hosting center level is monitored through the DTTL Global Technology Services (GTS) Security Forum.

Self-assessment and education

DTTL has a privacy self-assessment system to monitor privacy program maturity across the network using 20 different criteria. This is helping DTTL and its member firms understand which tools, if any, could further strengthen information protection and privacy within Deloitte. DTTL's information security specialists provide guidance to member firms to strengthen their information security regimes when necessary.

A global application testing framework was adopted in FY2014, allowing greater capability in providing assurance that Deloitte's in-house applications are protecting client data.

Deloitte continually provides security education programs for member firm practitioners and security professionals. All GTS staff globally are required to fulfill 40 hours of annual learning, and several have obtained globally recognized security certifications. In addition, in FY2014, three regional workshops were conducted for in-house Deloitte security professionals, an e-learning program on social engineering rolled out, and Deloitte member firms participated in a global security week campaign to enhance practitioner information security awareness.

Emphasis on confidentiality

Deloitte continues to make major investments to protect client data and personally identifiable information. DTTL added a new Global Office of Confidentiality in 2014 to enhance the Deloitte network’s approach to confidentiality and make its response to risk a strategic enabler.

Deloitte is committed to becoming the profession's leader in setting the standard for protecting confidential information. DTTL has created the position of chief confidentiality officer (CCO), reporting to both DTTL’s chief risk officer and chief information officer. The CCO will lead the business imperative of working with member firms to establish seamless confidentiality controls and processes across the Deloitte network. DTTL is one of the few organizations in the world that has a CCO. The group also is asking member firms to appoint individuals to fill local roles similar to that of the DTTL CCO.

Safe Harbor Certification

In November 2013, Deloitte Touche Tohmatsu Services, Inc. (DTTS) recertified its adherence to the Safe Harbor Framework, which bridges differences between U.S. and European Union privacy laws. Re-certification follows an extensive annual privacy-verification process. The Safe Harbor Framework was developed by the U.S. Department of Commerce in consultation with the European Commission, and provides a way for U.S. organizations to achieve an adequate level of protection of personal data as required by the European Union Data Protection Directive 95/46/EC.

The Safe Harbor Certification assists in meeting EU data protection requirements with respect to data held on global systems in the United States.

Because many member firm clients are multinational organizations that expect seamless, safe, and private data transfer as part of service delivery, Deloitte is continuously reviewing its compliance processes to facilitate the movement of internal and member firm client data in line with local legal requirements.  

In this report, the terms Deloitte, our, we and us are used to refer to the Deloitte Touche Tohmatsu Limited (DTTL) network of member firms or to one or more DTTL member firms. See additional information.

[Caption]: Photo credit top banner, Ping Kin Shea, Deloitte China

Data privacy and security

DTTL's comprehensive global privacy policy took effect in August 2011. This policy requires every member firm to put in place:


  • A privacy policy that defines principles to be followed in all data handling processes and systems and that meets the requirements of local laws, customs, and regulations;
  • A designated privacy leader;
  • A process for responding to privacy incidents; and
  • Regular privacy communications and training programs for member firm people.

Did you find this useful?