Privacy Enhancing Technology: Demystifying Privacy Management Solutions
More organisations are looking at automated solutions to support the efficient management of their privacy programs. As you’d expect, the number of available privacy enhancing technologies has increased to meet the growing demand. Since 2017, the IAPP has tracked the exponential increase in privacy technology providers in its annual Privacy Tech Vendor report. In its inaugural report, 44 privacy tech vendors were identified. That number has ballooned out to 355 in the 2021 Privacy Tech Report (the 2021 IAPP Report).
Yet, this increase in choice hasn’t necessarily correlated with better privacy outcomes for organisations. The rapid increase in the number of privacy technology providers has made it more difficult to identify providers capable of meeting current and future organisational needs. This article is designed to act as a comprehensive guide to the benefits of privacy management solutions and how your organisation can choose the right privacy technology.
What is ‘privacy enhancing technology’ and privacy management software?
The term ‘privacy enhancing technology’, as defined by the European Union Agency for Cybersecurity (ENISA), is used to identify a wide range of technologies designed for the support of data minimisation, anonymisation and pseudonymisation, and other core privacy and data protection principles.
In the broadest sense, a privacy enhancing technology could be any one of many diverse technical methods or approaches taken to protect the privacy of personal information. In its simplest form, this could be the simple use of tape to mask a webcam, while complex cryptographic techniques exist at the other end of the spectrum.
Privacy Management Software
A sub-group of privacy enhancing technology is privacy management software. These are solutions that help organisations operationalise and manage their privacy programs.
Privacy management software perform an array of privacy-related tasks for organisations. In the 2021 IAPP Report, the product categories listed under the Privacy Program Management header are:
- Assessment managers, which automate different functions of a privacy program (like Privacy Impact Assessments).
- Consent managers.
- Data mapping tools.
- Data subject request solutions.
- Incident response solutions.
- Privacy information managers, which compile information about global privacy laws.
- Website scanning tools, which promote compliance with cookie laws and similar regulations.
Under the Enterprise Privacy Management header, the 2021 IAPP Report listed activity monitoring, data discovery, deidentification/pseudonymity, and enterprise communications solutions.
What’s driving the demand for privacy technologies?
Most larger enterprises have a confusing array of different technologies they use, build and connect to throughout their supply chain. When you add to this a rapidly evolving regulatory framework and an increased pressure to prioritise the protection of personal information and individual rights, it becomes clear that purpose-built software and automation are the way to go.
How do I find the right privacy technology for my business?
Before selecting a solution for your organisation, you need to look inward to establish and document your organisational needs. Doing so will allow you to select the right solution to genuinely reduce and manage risks associated with increased privacy regulation, data collection and dispersion, and data breaches.
Selecting the right tool for your organisation depends on several factors. Amongst other things, you should consider:
- the size of your business,
- the maturity of your privacy program, and
- the scope of your legal and regulatory obligations.
This can be a daunting task, particularly if you’re not sure of exactly what you are looking for.
Consider: Does your organisation need privacy technologies?
Privacy technologies offer a host of benefits to users, but it does not and cannot take the place of a thoughtfully developed privacy program, implemented and maintained by a strong team of privacy professionals. We strongly urge any organisation considering the implementation of a privacy technology to first query why it is needed. Is it to fill a gap in knowledge or personnel? If so, consult with a privacy specialist to ascertain what your real needs are. The reality is that, as it stands, privacy technologies aren’t a substitute for human judgement.
If you are certain that your organisation is looking at privacy technologies to streamline privacy management, you may reflect on the following factors when considering whether you need a privacy management solution:
- What do you want the system to achieve? There are many reasons for deciding to implement a privacy management solution. Selecting the right one will depend on what is your major requirement. Is it to have an effective risk management tool? Is it to help you maintain compliance records? Do you need an efficient way to undertake privacy impact assessments?
- Have you got the resources required to determine how the system will be used, to train people and document your processes? These may be internal or external resources but without them, the system will never be implemented or used properly.
- How will the privacy management solution work with other enterprise systems, for example, the systems used by your information security team, or the audit and risk functions?
- Are you ready to implement a privacy management solution? Specialist software programs may sound like the solution to your problems, but often they contribute problems of their own. Being clear about what you want the system to do for you and how the organisation will benefit from the solution, will help you confirm that you are ready for this initiative. Our experience is that in the long run, it is more beneficial to ensure you have robust and effective supporting processes and well-trained teams, before embarking on a privacy management software program implementation.
Evaluating privacy enhancing technology providers: Key questions to ask
A quick Google search for ‘privacy management software’ will yield hundreds of possible options to select from. Unfortunately, not all of the vendors are created equally. Some privacy tech providers are founded by individuals without much (or any) experience in the privacy field. Others have been developed following extensive research into privacy-related pain points and expert collaboration between tech developers and privacy pros.
Some of the questions to be asking when evaluating potential privacy management solutions include:
Will the privacy management solution facilitate compliance with different data privacy standards, laws and regulations?
Whatever your industry, chances are you will need to comply with internal standards and mandates, as well as local and possibly global privacy laws and regulations, such as the GDPR, the CCPA and an increasing number of other privacy regulations.
The solution you choose should guide you through your different obligations under each applicable law and regulation and allow you to manage risk and demonstrate compliance efficiently, whether by facilitating a timely response to a data subject access request, handling a data breach, or completing a privacy impact assessment.
Will the privacy management solution provide a clear and comprehensive view of the all the data your organisation processes?
The tool you choose should be able to locate and identify data flows and holdings across your network, hosting systems and applications, from all endpoints. Automated data discovery and classification capabilities may help overcome the limitations of the time-consuming, human error prone manual data classification process and enable easy re-classification for organisational changes and regulatory updates. Additionally, the solution you choose should offer on demand access to accurate reporting and analytics, presented in a way that clearly communicates the activity within your data environment and allows for swift responses in the event of a security incident or data breach.
Will the privacy enhancing technology be easy to implement and use?
No matter the number of features on offer, the value of privacy management software will never be fully realised if it cannot be easily integrated and configured to the needs of your organisation, or if specialist technical skills are needed in order to operate it.
The right solution for your business should result in time and resource savings, increase the efficiency and maturity of your privacy program and ultimately, make it easier for your organisation to meet its compliance obligations. However, these outcomes will often be within your own control.
Ease of implementation and use will depend on how well you have selected a technology to meet your organisational needs. If you plan the implementation properly, by identifying the objectives to be achieved by your privacy tech solution, rigorously reviewing the different options, making sure you have a compelling business case and a properly planned and resourced implementation program, then that should be the outcome.
How much will the privacy management solution cost?
It is often hard to work out the cost of a privacy management solution. They are typically sold by separate modules and the interaction of different modules can be difficult to identify until you’re well down your implementation path. Your budget should be linked to the identified benefits from the implementation and should also cover all on-going costs, as most solutions operate on a subscription model.
Choosing a privacy tech solution in a fast-growing market of providers is no easy feat. Not a purchase to be made impulsively, the right choice of technology requires a thorough understanding of the specific needs of your business. However, once you are equipped with the knowledge you need to make an informed decision, privacy management solutions can do much more than help you manage compliance and privacy risks. It can help you build a future-ready privacy team that is more efficient, resilient and prepared for the ever-changing privacy world.
How can we help?
Privacy 108 can work with you to understand and determine specific requirements, to help you choose the right privacy tech solution for your organisation.
Depending on the solution you choose, we can also help you implement your selected software and provide guidance and support, ensuring the benefits of your solution are optimised.
Privacy108 is a OneTrust Partner
OneTrust is an AI-driven privacy technology, the first privacy tech unicorn, and one of just two vendors that operates across all the categories identified in the 2021 IAPP report (and our paragraph above on Privacy Management Software). It has more than 10,000 customers, including half of the Fortune 500.
As a OneTrust Partner, Privacy108 can help you configure your OneTrust platform and create a bespoke solution that works for your organisational needs and obligations. We can help you to align your privacy program with your business processes and operationalise a solution that accelerates your path to compliance, whilst maximising your return on investment.
We have helped our clients leverage the capabilities of OneTrust, by creating robust and flexible forms, workflows and bespoke assessments that can be implemented to adapt to changing regulations and business needs, and which can be easily scaled as your operations expand and internal privacy practices mature. By creating centralised data inventories and controls that you can view easily from a dashboard and access on-demand to investigate and record activity, you can easily create thorough audit trails and reports to demonstrate your compliance.
Whether you have already implemented OneTrust, or you wish to start soon, we can help you create enduring value and get the most from the tool by building a customised solution for your organisation and optimising your implementation in accordance with legislation applicable to your organisation.