Tech Solutions Emerging to Meet Increasing Regulation
Privacy and data protection have challenged organizations for decades, but with companies’ increasing reliance on data to drive business, the old, manual processes and ad hoc program management tools no longer cut the mustard. Chris Babel of TrustArc discusses the recent progress made in the adoption of automated tools.
Historically, most companies have addressed data protection and privacy compliance through a combination of legal and consulting services. However, three factors are changing this approach: many organizations increasingly rely on data to drive their business; organizations conduct business activities across borders; and, finally, regulatory requirements for demonstrating ongoing compliance have increased in number and scope (e.g., GDPR). These changes have necessitated the purchase of technology solutions to enable privacy management systems that can scale and be operationalized more efficiently.
The European Union's ePrivacy Directive mandates in 2002 spurred the growth of privacy-dedicated solutions for monitoring website trackers and managing cookie consent. Still, many companies continue to rely on manual processes and ad hoc tools to manage their programs. Recently, however, in part due to the complexity of complying with the EU General Data Protection Regulation (GDPR), we have seen an increased demand for technology tools to automate and scale privacy assessments and data mapping.
To understand the factors driving the increased adoption of technology solutions to manage privacy compliance, TrustArc, along with the International Association of Privacy Professionals (IAPP), the world’s largest global information privacy community, surveyed hundreds of organizational leaders about their implementations. The survey results highlight the types of technologies firms consider important. The findings also shine a light on the evolving relationship between privacy and IT and infosec teams.
Privacy Tech Adoption Approaching the Tipping Point
As a result of privacy mandates, such as the GDPR, organizations are searching for tools that help them account for how personal data is entering the organization, how it is being used, the permissions that are attached to it and who has responsibility for managing it. Eight of the 10 categories of technology tools the survey addressed are projected to see increased adoption rates based on purchase plans and top 50 percent adoption.
Currently, decision-makers believe the following technologies will help them best achieve these goals; more than 60 percent of respondents have already purchased or are planning to purchase solutions in these categories:
- Network activity monitoring
- Secure enterprise communications
- Website scanning/cookie management
- Privacy program assessment/management
There is also a wave of technology adoption forming for a new breed of privacy solutions. At least 30 percent of respondents plan to purchase, or have purchased but not yet implemented, tools including:
- Data mapping and flow
- Personal data discovery
- Privacy program assessment/management
The growth of these tools tells us that privacy-centric technology adoption is on the rise. Privacy program management tools that help operationalize new policies are in high demand today and in forward-looking product roadmaps. These facts underscore the mad scramble for solutions that can handle the rigors of GDPR and other regulatory requirements.
Purchase Decisions Don’t Always Align with Public Perception
While it appears companies more or less agree on the technologies that enable them to automate privacy assessment processes, there is not a consensus on who should pay for and manage those platforms.
The technologies organizations are evaluating fall under two primary categories. The first is privacy program management tools designed specifically for the needs of the privacy officer. These include assessment managers, consent managers and data mapping. An organization’s privacy department owns the purchase decision for these types of solutions. The second category is enterprise privacy management solutions built with the needs of the entire organization in mind. These technologies include network activity monitoring, data discovery and enterprise communication. These purchase decisions typically fall under IT or infosec teams.
Though IT and infosec control the budgets for enterprise privacy management technologies, results from the survey show that privacy has influence and provides significant input on eight of the 10 categories of technology surveyed, including privacy program assessment, consent management and data mapping.
Privacy Has a Strong Influence on Purchase Decisions Across Most Product Categories
Regardless of which department’s budget covers a given technology solution, organizations’ privacy teams still have influence over many purchase decisions. For incident response solutions, 69 percent of respondents said privacy had input into the decision-making, even though IT budget was typically responsible for the purchase. Similarly, nearly three-quarters of respondents believe privacy teams have sway over the purchase of personal data discovery tools, despite the budget for such a purchase coming most often from IT. Part of this phenomenon is due to the increasing importance of privacy requirements. It’s also reflective of the size of the company. As an organization grows, the budget moves from IT and infosec into legal and privacy.
The Entire Organization Benefits from Privacy Technology
An organization is more likely to reap the benefits of a purchase if the entire organization can easily use the tool, no matter which department is responsible for the purchase. Organizations that plan to purchase and operationalize privacy technology solutions should prepare themselves for widespread use. More than three-quarters of respondents observe that privacy teams use data mapping and flow and personal data discovery tools. Forty-six and 41 percent, respectively, feel those tools are used by other teams within the organization. Privacy program assessment tools, which are both heavily used already and in future plans, are primarily used by the core privacy teams.
Forward-Looking Organizations Should Plan for Greater Privacy Focus
Second to lack of budget, respondents state that the largest barrier to purchase for any of these tools is inadequate internal resources for implementation. Organizations must develop processes and teams responsible for managing technology implementation even before devoting budget to those tools. Without the resources available to manage the purchase, implementation and usage process, the organization risks operationalizing technology that quickly falls out of use. Privacy standards are only proliferating and becoming stricter. Decision-makers should plan for the growth of privacy technology adoption ahead of time, lest their initiatives lead to missed compliance requirements.