The need for data privacy management is being driven by the growing number of regulations -- spurred on in large part by Europe's General Data Protection Regulation (GDPR) -- and by the understanding that privacy is a discipline, a posture an organization must take.
Often it is the compliance, the governance, the risk, or the legal department that is tasked with these things, and they start looking for capabilities in the markets for integrated risk management, universal content of preference management, subject rights, request automation, and vendor risk management.
The widespread use of clouds, both public and private, is adding more layers to the issue of data privacy management as organizations turn to data-driven approaches to privacy compliance and governance.
Ways to Approach Privacy
Bart Willemsen, Gartner VP Analyst, who focuses on all privacy-related challenges in an international context, explains that organizations approach their privacy program in a couple of stages.
“First, you must establish it, and that is where the most fundamental of both privacy management and data-centric capabilities are combined,” he says.
The typical combination includes mapping of risk, discovery of data, classification, recordkeeping, retention policies, and most importantly, all elements where it touches upon the interaction with the individual data subject.
“We call that the privacy user experience, which typically starts with transparency -- what you put in your notices, your statements, just-in-time messaging, adjusting the customer experience, storyline, the forks in the road that you architect there only to then offer choice,” he says. “That's where consent management and preference management comes in.”
As data privacy is a discipline that touches on several markets, organizations may have to look at multiple vendors offering their own solutions to different parts of data privacy management issues.
The consent management platform from Secure Privacy, for example, can automatically scan the organization's website and create a detailed report of all steps the company must take to make it GDPR or California Consumer Privacy Act (CCPA) compliant.
These are just two of the markets for which Secure Privacy has developed data privacy management solutions, in addition to Brazil, Thailand, and Canada.
Because of the international nature of contemporary business, Enza Iannopollo, a principal analyst for privacy management on Forrester's security and risk team, says organizations should look for providers whose solutions satisfy cross-regulation requirements, with automation.
“The privacy market fundamentally is a very broad range of technologies, starting from the regulatory change management, all the way to fundamentally deploying the controls to affect the data,” she adds. “Newer providers, those that were created for privacy management specifically, are the ones who have had more success in the market.”
Among those vendors is OneTrust, which aims to become the “home of the privacy tech ecosystem” offering a range of use cases, including minor and contextual consent, capabilities bolstered by a string of acquisitions, and a large pool of active customers.
The company recently released a Certification Automation product that helps companies attain the new International Organization for Standardization (ISO) 27001:2022 certification.
This certification signals that they have defined and implemented processes across their information security management systems (ISMS) that align with industry best practices.
The solution is designed to help organizations more efficiently scope, assess, and generate evidence to prove compliance across ISO and adjacent security and privacy frameworks, while simplifying preparation for future third-party audits.
Privacy Compliance Management
BigID, meanwhile, has increased its scope beyond privacy operationalization for enterprise clients to offer privacy compliance management aimed at small to medium-sized businesses (SMBs).
The company's approach is based on automated data discovery, helping organizations gain visibility and insight into personal, sensitive, and enterprise data.
One of its more recent products is Hotspot Reporting, which gives organizations the power to visualize and remediate their riskiest data and help prioritize their biggest data vulnerabilities.
Native data deletion capabilities allow organizations to delete personal and sensitive data across their data stores, from Snowflake and AWS S3 to MySQL, Google Drive or Teradata.
Securiti offers multi-cloud data protection, governance, and security, underpinned by machine learning capabilities for most of its modules, and boasts partnerships with Workday and Cisco.
The company recently debuted DataControls Cloud, offering a layer of unified data intelligence and controls across all major public clouds, data clouds, SaaS, and private clouds.
The e-discovery and information governance software company Exterro is focused on the legal challenges associated with IT and data, with a platform automating the interconnections of privacy, legal operations, digital investigations, cybersecurity response, compliance, and information governance.
“We see a lot of organizations thinking about privacy as having a basic privacy management software,” Iannopollo says. “Whenever I look at a vendor, the very first thing that I ask is always about the possibility to integrate their solutions with the rest of the organization.”
Options for Zero Privacy Expertise
The up-and-coming Osano is aimed at organizations that must achieve compliance with privacy regulations but may have zero privacy expertise.
The offerings are not as sophisticated as some of the more established players -- only discovery of structured data is supported, for example -- but a streamlined approach and support for some third-party risk management could make it an attractive option for those who need help managing a privacy program.
From the perspective of both Iannopollo and Willemsen, the data privacy concern for organizations is complex and multi-faceted, overlapping not only with security but also content management and preference management.
“It's impossible, to be honest, that one single piece of technology is going to provide you with all that you need,” Iannopollo adds. “Privacy is how your organization operates with data, and it is everywhere. So, it's very unlikely even thinking that there is a single software that is going to provide you with all the governance you need around data.”