Sonia Cheng

Senior Managing Director, EMEA Head of Information Governance & Privacy

London||+44 20 3727 1783

Sonia Cheng is a Senior Managing Director in FTI Consulting’s Technology segment, based in London. Ms. Cheng leads the EMEA Information Governance Privacy & Security (IGPS) practice and is a world-renowned expert in Information Governance and GDPR, handling high-stakes regulatory and breach challenges.

Throughout her distinguished career of over 23 years, she has led hundreds of engagements with Global 500 firms with a focus on financial services, insurance, healthcare and life sciences. Ms. Cheng has extensive experience with identification of personal data in the context of data breach & incidents as well as proactive remediation for compliance programs.

Ms. Cheng’s diverse, hands-on experience enables her to solve clients’ most pressing challenges at the intersection of data and regulation. Her domain expertise and extensive stakeholder management, project management, technology and change management experience enables her to successfully navigate highly complex matters. She previously led the European Information Governance practice at IBM, holding senior leadership roles in global services, product management and business development for legal, retention, privacy and analytics solutions. During her tenure at IBM, Ms. Cheng was the co-inventor and holds a patent in IT Storage optimization.

Prior to IBM, Ms. Cheng led professional services at PSS Systems and technology consulting roles at Wells Fargo, Citigroup and Morgan Stanley. Ms. Cheng was also a co-founder of a silicon valley based technology non-profit organization which provided technology transformation services to NGOs. She is a frequent speaker and published thought leader and has been featured as a Who’s Who Legal Top Expert in Information Governance and Privacy in 2019 – 2022. Ms. Cheng has also been awarded Excellence in Client Service from Consulting Magazine’s Global Leaders Awards in 2022.

Select Client Experience

  • Led privacy breach analysis for critical infrastructure firm involving 1.6M consumers.
  • Led complex EU/US breach response for consumer firm involving system output of nearly 800 million lines of fragmented system output. Led team to rapidly identify the most sensitive sources of personal data, support breach notification in a phased approach to meet regulatory requirements.
  • Led high profile breach response for technology firm requiring in depth analysis, identification of data subjects, categories of personal and sensitive personal data in accordance with the GDPR and US notification laws. Developed methodology to apply machine learning & analytics to accelerate response.
  • Led crisis management office for large scale UK insurer breach involving 20+ jurisdictions and millions of data subjects.
  • Led privacy analysis for legal service provider which suffered a ransomware attack. Led the identification of data subjects and 3rd party IP to support disclosure requirements.
  • Led a GDPR transformation program for a global health firm to identify process, technology and security gaps. Liaised directly with the CEO, GC, and country executives, multiple internal and external counsels from multi-jurisdictions to align a global approach for privacy/security controls and operational readiness. 
  • Developed a GDPR readiness roadmap for a global insurance firm which aligned resources and capabilities from their Information Governance program.
  • Led the segment’s largest complex EU merger investigation involving identification and remediation of commercially sensitive data. Liaised with 100+ stakeholders, 20+ parties, Developed and implemented defensible methodologies to address legal requirements.

  Back to experts