One of the most noticeable trends in technology and compliance today is the explosion of vendors offering new solutions that promise to simplify the increasingly complex web of privacy regulations and the compliance activities they require. The International Association of Privacy Professionals’ (IAPP) 2019 Privacy Tech Vendor Report estimated that roughly 275 vendors offer privacy technology solutions in the marketplace today. As the privacy technology space becomes more crowded, it can be difficult to make sense of the largely interchangeable marketing messages and determine which solution best fits your needs. Before committing the considerable resources needed to implement one of these tools, there are a few key planning activities that we believe are critical to protecting your investment in privacy technology. The following guidelines should serve as key inputs to the business case you build to support your decision and funding request.
Understand Your Long-Term Road Map and Vision
This is easy to lose sight of when the focus is on solving immediate problems with immediately available funding; however, failing to consider the likely implications of future data protection requirements may leave you with a tool that quickly becomes obsolete or goes unused.
While it is impossible to know what any future state, federal, or international privacy law will impose, existing privacy regulations can be used as a guide to the principles that are commonly in the crosshairs of privacy legislation. Enhancing individual rights and consumer choice, transparency in notice and consent practices, managing third-party risk, and understanding your personal data processing activities (i.e., data mapping and discovery) are common themes that are reasonable to treat as foundations of any holistic privacy compliance program.
If your privacy program domains are broad enough, it is more likely that future requirements will fit within those domains and be addressable by a comprehensive (and flexible!) technology platform. A robust privacy technology solution should offer a module or capability that addresses and supports each domain of your organization’s privacy program. It is worth repeating that the nuances of future requirements may still render a given technology obsolete, but by evaluating tools that offer the broadest coverage, you are planning for unknowns as realistically as possible. It pays to have a tool that you can grow into when you need it, even if you don’t intend to use all of its functionality or modules today.
Inventory Your Existing Tools
Scanning the market for a new tool may feel like the best way to keep up with rapid change, but your existing tools can be a blind spot if the privacy office has not been properly educated about what they can already do. There are two primary sources of internal tools that should be evaluated: (1) enterprise Governance, Risk, and Compliance (GRC) tools; and (2) internally developed solutions.
As software vendors expand their offerings to capture privacy under the umbrella of GRC, we can expect these specialized tools to continue evolving to meet the needs of privacy stakeholders. IT compliance and security teams may already be using GRC tools to manage your organization’s security program, including adoption of internal control frameworks, results of audits and continuous monitoring, and third-party risk management. Some of these technologies may offer the functionality needed to manage the various components of your privacy compliance program, especially if they can be configured or customized to accommodate your specific requirements and workflows. GRC platforms typically involve substantial implementation costs, so being able to leverage an established tool that is already known to your stakeholders may be an opportunity to economize while moving onto a robust platform that wouldn’t otherwise be an option.
Depending on your internal capabilities, a homegrown tool may not be a bad option either, especially if you only need to meet your immediate requirements. For example, managing individual rights requests via a workflow can be achieved in a SharePoint solution that tracks the intake, processing, and resolution of each request. If your existing technology stack or cost constraints prevent you from implementing significant automation for handling requests, a simple workflow that engages the necessary stakeholders to action each request may be a viable option, provided it is designed and used effectively. Such a solution may also help manage third-party contracts and risk management activities. Other requirements, such as consent management, may call for more technical solutions that don’t lend themselves to simple alternatives; whether a homegrown approach is feasible there often depends on the in-house talent available and on how early and clearly you can articulate your needs to them.
Engage the Right Stakeholders
Before making any decisions, a diverse group of stakeholders should be engaged to evaluate the available options and select the tool that works best for the entire organization. We have found that tools selected by one team without engaging key partners run the risk of not meeting the needs of the teams that will own the operation and maintenance of the tool down the road. Engagement with IT and compliance partners, procurement, business unit owners, and senior leadership should begin as early as possible.
Involving these individuals will help avoid the pitfalls discussed above, i.e., not understanding long-term requirements and not knowing about or understanding existing tools. It will also engage the individuals who will need to own data privacy in the future. Privacy is shifting from an effort owned by a small team of privacy professionals to an initiative that must be managed by the teams that handle your organization’s data and the support personnel around them. Proper communication will ensure that these people have a stake in the decision-making process, and it showcases the value the privacy office can bring when its focus is on understanding your organization’s requirements and engaging the right stakeholder groups to operationalize the solutions.
Conclusion
The pace of privacy regulation shows no signs of slowing down. Organizations of all sizes will need to adopt tools that make managing the risks of regulatory noncompliance simpler and more cost effective. Investing in a privacy technology platform is one way to do this, but it should only be done after you have made a good-faith effort to understand your current state and future requirements as well as you can. This means understanding your long-term roadmap and vision, understanding your organization’s existing tools, and engaging the right stakeholders early. No planning process can account for every unknown, but following these steps can pay dividends later and smooth the incorporation of changes to your privacy risk landscape.
Interested in discussing privacy technology evaluation and enablement? Get in touch with us.