Best practices for choosing the right data privacy software

The number of privacy technology companies leaped from 51 vendors just two years ago to 224 in 2019, according to a report issued by the International Association of Privacy Professionals. Apparently, these vendors are very much responding to a market need. Almost 33 percent of respondents to Compliance Week’s second annual technology survey, sponsored by Refinitiv, reported they are considering upgrading or implementing technology solutions around data privacy.

Finding all of an individual’s personal data can be a daunting challenge for companies, a fact that is perhaps surprising in an age when even a poorly crafted search term on Google can pull up all sorts of pertinent information instantaneously. The fact is, though, that large enterprises don’t necessarily have robust search power in their internal systems.

Privacy software “can help to answer one of the most challenging questions: Where is the data?” says Safi Raza, director of cyber-security at Fusion Risk Management. In addition to locating data that falls under various privacy regulations, software can alert data administrators if unauthorized access or transfer is detected, Raza explains. Technology can also help with privacy assessment and data pseudonymization. There is one caveat, though: “There isn’t one solution” that offers all of these characteristics, Raza says. That’s a caution that a number of experts in the field mention. “Privacy technology is designed to make your privacy program more efficient, not replace it entirely,” notes Nicholas Merker, co-chair of the data security and privacy practice at the law firm Ice Miller.

“One of the most important aspects of any data protection program is having an in-depth and documented knowledge of the what, the why, the where, the who, and the how.”

Aoife Harney, Senior Regulatory Consultant, Fenergo

Why is personal data so hard to find in the first place?

“When data flows into a large business, it could be used for any number of purposes,” explains Cillian Kieran, CEO of privacy software company Ethyca. That data might be used for marketing, for business intelligence, for product development, or for all sorts of other reasons. “Data is flowing throughout an organization in a myriad of ways the business doesn’t often fully see,” Kieran says.

To some degree, the current demand for privacy technology solutions may reflect the fact that laws requiring protection of data were passed just a bit before the regulated community had the know-how to comply with these new requirements.

Different software, of course, does different things. Some just focus on incident response to privacy, explains Michael Rasmussen, a pundit on governance, risk management, and compliance technology and founder/principal analyst for the research firm GRC 20/20 Research. Other software focuses on management of cookies, notices, and disclosures, he continues. Still other software provides a broader privacy platform, while some enterprise governance, risk, and compliance platforms “have modules that people leverage and use for privacy,” Rasmussen explains. Yes, it’s complicated.

Three types of privacy software

Generally, there are three categories of privacy software technology that serve varied functions, Kieran explains. The first involves more traditional program and workflow management tools. These products ostensibly are “privacy technology systems,” he says, “but their real function is to provide readiness assessments and workflow management frameworks, the kind of things that allow you to understand the current status of the organization and then provide you with workflows that various stakeholders and businesses can go through to achieve compliance.”

The second is “data discovery systems,” Kieran says. These products “make the identification of where personal information is in the organization faster” than a manual process involving various stakeholders in a firm. These speed up the process but are not foolproof. Some manual review is still necessary because data discovery systems “rely on machine learning and machine learning is an imperfect science,” Kieran maintains.

The third category focuses on “obligation management,” like data subject requests, Kieran says. “Retrieving and managing subject data requests is pretty labor intensive, so these systems effectively aggregate the process of ingesting the subject’s request, and then returning that data,” he explains.

Data privacy compliance isn’t easy given different jurisdictional definitions of personal data and varied requirements depending on how sensitive certain data happens to be (if, for instance, it involves a medical condition). “Legacy compliance solutions” are not “well equipped to deal with this new generation of compliance issues which are a function of how very complex systems handle data,” Kieran says.

What to look for

In contemplating privacy technology, look for “a solution that is highly engaging and intuitive to use,” Rasmussen suggests. It should, of course, also “cover the spectrum” of what an organization needs, he notes. As a practical matter, the first step of compliance where the EU’s General Data Protection Regulation or the soon-to-be-enacted California Consumer Privacy Act happen to apply “is to be able to document your data flows,” Rasmussen explains, referring to how European Union citizens’ or California citizens’ data comes into an organization, flows through it, and (possibly) is disposed.

“When data flows into a large business, it could be used for any number of purposes. Data is flowing throughout an organization in a myriad of ways the business doesn’t often fully see.”

Cillian Kieran, CEO, Ethyca

“A lot of the older technology solutions have you diagram those data flows,” Rasmussen acknowledges. Newer privacy technology “has business process modeling type capabilities built in,” he notes. That means a company “can document those data flows and manage them and even turn them into dashboards” that show risk issues and how privacy is built into the system, Rasmussen says.

“One of the most important aspects of any data protection program is having an in-depth and documented knowledge of the what, the why, the where, the who, and the how,” says Aoife Harney, a senior regulatory consultant at Fenergo.

In sum, an organization should know what data is collected, why it is required, where it is stored, who has access to it, and how it is collected and secured. “Being able to clearly see when a client’s personal data was collected, what legal basis is relied upon for that activity, who accesses that information, and when it’s appropriate to erase is incredibly useful to any organization,” Harney says.

“Don’t expect a ‘plug-and-play’ compliance solution,” cautions Conor Hogan, a senior manager of information governance at BSI Cybersecurity and Information Resilience. When choosing a privacy technology software vendor, consider whether the solution addresses the actual compliance challenge that you happen to have, he suggests. If it does, “consider licensing costs (one off, per user, per annum, etc.), scalability, and transferability for the global landscape of evolving privacy legislation,” Hogan says.

Should you go with a startup?

Some organizations that need help in this area might be reticent to sign with a startup privacy technology vendor for fear it may not exist in five years. But a startup may be achieving success because it has figured out how to do something well that more established operations haven’t. “Startups will usually have identified a reason to be a startup” such as a niche in the market or a problem that only they can fix, explains Hogan.

Going with a more established company “means you might have to make process changes or be forced to accept a rigid mechanism to achieve something,” Hogan says. Startups, on the other hand, “will likely offer more flexibility and customization and would usually be more open to suggestions from their early adopters.”