With privacy and data protection legislation proliferating globally, organisations need a versatile and intuitive solution to their compliance challenges. With the right partner, this can be done seamlessly, integrating with your organisation’s configuration management database (CMDB).
A data privacy management solution is vital for complying with regulations. This guide is designed to help you choose the best one for your organisation, whether you need CCPA Compliance Software, GDPR Compliance Software, LGPD Compliance Software, KVKK Compliance Software, or you are just preparing for upcoming regulation. Laws change frequently, so a dynamic solution is vital.
One question organisations ask themselves is whether they should build something or buy something from a third party. Building has its merits but brings challenges, such as satisfying regulatory requirements in a constantly evolving environment, along with, of course, having the technical ability to deliver. Your organisation might benefit from the support of an experienced third party. This Buyer’s Guide is intended to help Data Protection Officers (DPOs) and Information Technology (IT) Managers decide where to invest to meet privacy and data protection compliance challenges.
Where to Start
One of the first things for an organisation to identify is the gaps that purchasing a privacy technology will fill. It is important to think about the totality of the challenges from the outset and to have a clear understanding of your organisation’s technical and functional requirements.
Privacy Management Tool demos are especially important. By the time you are conducting a demo, you have already researched the product. When arranging the demo, keep in mind the key stakeholders from the privacy, legal, compliance and IT teams who should be present.
Other issues to consider surround usability. The product must be intuitive for both technical and non-technical employees. Also worth noting is the out-of-the-box product and the level of customisation that a vendor can provide. Implementation involves a lot of back and forth; it is a real partnership between the vendor and the customer. Those with minimal customisation needs will achieve a lower price point than those who want a solution designed to fit their business.
Lastly, implementation and training. It is likely that individuals across teams will be using the privacy tool(s), so it is necessary to align and train those teams. Internal teams will also need to learn the language of the privacy tool. This matters especially in international organisations, where a diverse workforce requires simplicity, and the tool’s language should reflect this.
Once a vendor is up and running, it is important to create a culture that values privacy. This will encourage users to learn and understand the tool in order to achieve organisational goals. The way to create a culture around privacy is to blend it into existing company values, translating the tool into the existing infrastructure both abstractly and concretely.
“Use technology as an accelerator, but don’t get trapped by its limitations. Bring in an implementation partner that knows about data protection, not just about technology.”
Alberto Quesada, Global Head of Group Data Management, BNP Paribas, at Privsec London 2020
What should you use a privacy management tool for?
A privacy tool should help manage your data lifecycle from cradle to grave. Within this cycle, organisations should embed moments of feedback and identify gaps. Communicating these to the vendor encourages continuous feedback and improvement. It is not uncommon for a solution to have defects post-launch; while you obviously need to do everything you can to minimise this possibility, don’t worry too much if the defects are not critical. They can be fixed and you move on. For peace of mind, make sure that your vendor can walk the walk with their support after the sale.
While requirements will vary by jurisdiction, the GDPR is often the baseline for most organisations. Using the GDPR as that baseline, here are some general capabilities to consider when evaluating a data privacy solution for your organisation:
- Consent Management
  - Helps organisations collect, track, demonstrate and manage users’ consent
- Mapping data flows and Data Discovery Tools
  - Helps organisations determine data flows throughout the enterprise
- Record of Processing Activity (GDPR: Article 30)
  - Helps organisations comply with the GDPR by documenting ROPAs
- Data Subject Requests (GDPR: Articles 15-22)
  - Helps organisations facilitate and respond to inquiries from individuals exercising their rights, including the rights to access, correction, portability and deletion
- Incident Response (GDPR: Articles 33, 34)
  - Helps organisations respond to a data breach by providing information to the relevant stakeholders, including the supervisory authority and the data subjects
- Assessment Manager (LIA (Legitimate Interest Assessments), DPIA Article 35, Transfer Impact Assessment)
  - Helps organisations conduct Data Protection Impact Assessments and Transfer Impact Assessments, locating risk and keeping records to demonstrate compliance
- Deletion/Deidentification Process
  - Helps organisations comply with retention limitations while building datasets without compromising privacy and compliance
- Regular Updates in line with Regulation change
Consent Management
To process data under the GDPR you need a legal basis for doing so. There are six legal bases, and one of them is consent.
(GDPR: Recital 32) “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.”
(GDPR: Recital 42) Where processing is based on the data subject’s consent, the organisation should be able to demonstrate that consent has been given.
Look for a Consent Management tool that collects, tracks, demonstrates and manages users’ consent. A privacy solution should make it easy to automate preferences and update consent changes.
Mapping data flows and Data Discovery Tools
Data mapping and data discovery provide several benefits for organisations. For one, they allow an organisation to find the data held on a particular data subject and comply with Data Subject Requests (DSRs). In addition, knowing where your data is and whom you collect data on tells you which regulations your organisation must comply with.
Look for a privacy tool that enables data mapping and data discovery. The tool should allow you to identify where data is collected in your organisation and which jurisdiction this corresponds to. The tool should also allow you to identify where data is processed and which data categories and data subjects are involved.
Data Mapping and Discovery tools should support:
- Regulatory Reporting
- DPIA integration
- Data Subject Access Requests
- Data Breach Response
- Full business intelligence visualisation
- API to other systems
- Determining who has access to what data and when it is being processed
- Managing Processing Activities
Record of Processing Activity (GDPR: Article 30)
If the data subject is located in the EU, the GDPR requires an organisation to keep a Record of Processing Activities (ROPA). This is a high-priority capability that all privacy tools must contain. The privacy tool should track the language of the GDPR and record:
- The name and contact details of the controller;
- The purposes of the processing;
- A description of the categories of data subjects and personal data;
- The categories of recipients of personal data;
- Transfers of personal data to a third country including what third country and the documentation of suitable safeguards;
- The time limit for erasure of the data;
- A general description of the technical and organisational security measures
Data Subject Requests (GDPR: Article 15-22)
Data Subject Requests (DSRs) present challenges for organisations subject to the General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA). Both regulations give data subjects new rights, including the right to access, correct and restrict the processing of their data, and to have it deleted.
Organisations that struggle often have trouble locating unstructured personal data. This is the most challenging aspect of fulfilling requests, and it means such organisations fulfil fewer requests than their peers, or take longer to complete them.
Often organisations do not have a dedicated team or process to deal with inquiries. The issue is further complicated by organisational size, since larger organisations often collect larger amounts of data.
Organisations must be able to respond in a timely manner, within 30 days for the GDPR and 45 days for the CCPA, and include the requested information. This means organisations must be able to search through their treasure trove of data to find matching profiles, which highlights the importance of additional offerings like data discovery and data mapping.
While organisations need to respond to requests in a timely manner, they must also make it easy for a data subject to make a request in the first place, and have processes in place to verify the identity of the data subject making the request.
Incident Response (GDPR: Article 33, 34)
The privacy tool should record the documents that support a notification of a data breach to the supervisory authority and the data subjects. The tool should record when the data breach occurred and prompt a timeline to notify the supervisory authority within 72 hours. Data subjects should also be notified if there is a high risk to their rights and freedoms. Ideally this would be linked from the DPIA.
The privacy tool should record:
- The nature of the personal data breach, including the number of data subjects concerned and the categories of personal data records;
- The name and contact details of the data protection officer;
- The likely consequences of the personal data breach; and
- The mitigating steps taken to reduce the adverse effects of the data breach.
Assessment Manager (LIA, DPIA Article 35, Transfer Impact Assessment)
A traditional privacy impact assessment is a risk assessment conducted on a new or enhanced processing of personal data to identify attributes of risk and mitigation strategies.
Under the GDPR, this takes the form of a Data Protection Impact Assessment (DPIA). A DPIA is required where the processing of personal data poses a high risk to the rights and freedoms of the data subject. The risk of non-compliance by third-party processors should be kept in mind, as should the risk of data breaches.
The GDPR requires several assessments on the processing of data. Another relates to the legal basis for processing the data. If your organisation processes data on the basis of legitimate interest, an assessment must be made weighing the organisation’s purposes for the processing against the rights and freedoms of the data subject, taking into account the data subject’s expectation that data will be processed for the purpose given by the organisation. This assessment can be linked to the DPIA, since the questions on the legitimacy of the processing cover similar ground.
A Transfer Impact Assessment relates to transferring data to a third country. The GDPR requires that the country to which the data is transferred offers essentially equivalent protection of the data and of the data subject’s rights. The legal basis for the transfer can be an adequacy decision or the implementation of additional safeguards. The privacy tool should offer and record the legal basis for the data transfer, as well as documenting the assessment of the third country’s laws and whether any additional safeguards were implemented.
Look for a privacy tool that allows your organisation to demonstrate and record the assessment for each LIA, DPIA and Transfer Impact Assessment. The privacy tool should:
- Automatically identify high-risk activities, taking local blacklists and whitelists into account
- Provide a detailed approval process with a timeline and assignable owners
- Contain a set list of questions that measure the risk threshold of an activity, including inherent and residual risk
Deletion/Deidentification Process
Ideally, the privacy tool will manage your data lifecycle from cradle to grave. This includes deleting the data. The GDPR envisions the collection of data for a particular purpose over a defined period of time. Once this period has passed and the purpose of the data processing has been satisfied, the data must be deleted.
Deleting data means deleting potential value. To solve this challenge, innovative new tools have been developed, including anonymising data or creating synthetic data. This allows organisations to continue generating value from the data they have collected even after it has been deleted. Being able to analyse data over time is key to forecasting and setting organisational expectations.
The privacy tool should:
- Discover all subject data throughout an organisation’s CMDB
- Satisfy data subject deletion requests
- Allow for restriction of processing activities when prompted by DSR
- Correct data
Regular Updates in line with Regulation change
The vendor should release updates at regular intervals to fix, update and patch the system. This includes integrating changes to regulations. Privacy is a rapidly evolving field, and your vendor should keep up with the changes.
The privacy technology market is booming to match the proliferation of privacy regulations. This brings with it many potential solutions for organisations. Vendor options increase every year, which makes sifting through them a challenge. Before you purchase anything, be sure to understand your business processes, have a data governance strategy in place first, and identify the gaps you need addressed and prioritise them.
Explore the relationship with the vendor. Dialogue around feedback, patching and future needs is necessary, but customers should also be willing to be challenged by a vendor’s solutions. The vendor should have background knowledge of the regulation and of how to solve these challenges. In part, this relationship will rely on trust.
Finally, test drive the product first, and involve colleagues from the teams that will use the privacy tool. This should include the privacy, legal, IT and compliance teams. Implementing a product will take time, so chart out a timeline with key dates for implementation.
Some final questions to ask:
- How many vendors can support your organisation’s needs?
- How long will they be in business? Start-ups often face challenges in securing resources.
- What is the vendor’s road map for the next six months to a year?
- Will using a privacy tech vendor introduce more risk and liability to the company? Make sure the product is good and does what the sales team promises.