Maximizing Your Privacy Software Investment

Privacy management software is a powerful tool that helps businesses comply with complex privacy regulations. International and stateside privacy regulations require businesses to handle personal data responsibly, honor consumer rights, make specific disclosures regarding data, protect the data, and much more. Software is available to assist businesses with:

  • Inventorying and mapping personal information
    • eDiscovery
    • Assessments
  • Managing and honoring consumer rights
  • Cookie consent requirements
  • Performing risk assessments and privacy impact assessments
  • Managing vendor risk
  • Privacy policy management
  • Incident and breach management
  • Consent management
  • Training

Software can streamline complex procedures and ensure they are completed in a consistent and repeatable fashion. Software solutions also help ensure that the business has auditable records should an investigation arise. Automation is another major benefit of implementing technology: it saves time and allows employees to focus on other initiatives.

Managing Privacy Software

While privacy software is an important piece of the puzzle, make sure you cover these pieces, which typically require input and management from people:

  1. Regulatory Applicability and Requirements: What are the business’s obligations, and with what is the software going to be relied upon to demonstrate compliance?
  2. Project Management and Implementation: It’s called a day job for a reason. Project managers and privacy experts will ensure responsible parties are identified and held accountable for their piece of the puzzle and that the right people are involved in the equation when implementing the software and overall program.
  3. Accuracy and Comprehensiveness: Does the software accurately capture the personal information processing activities, systems, applications, and data stores? This is typically achieved through ongoing support and thorough reviews of the inventory to ensure the program’s foundation does not have any cracks.
  4. Governance: The invoice for the privacy software isn’t going to cut it. Make sure the entire privacy program is documented and that formal policies exist. Policies need to cover, at a minimum, consumer privacy rights, cookies/trackers, PIAs, lawful basis of processing, vendor onboarding, roles and scope of regulations, consent, etc. Privacy guidelines are essential in outlining what the requirements are and how the business complies with each requirement.
  5. Standard Operating Procedures: In order to honor rights, API calls and automation can be relied upon in many, but not all cases. Your CISO may also have something to say about the use of APIs, and some, if not all, of the rights may need to be honored through human intervention. Procedures and steps to honor the rights must be developed by working with the IT and application owners to create and document how responsible parties will actually roll up their sleeves and honor consumer rights. These SOPs can then be referenced to honor rights and used as part of the proof of compliance in conjunction with the software log records.
  6. Appropriate Technical and Security Controls: The software itself should be tested; however, we are talking broadly about the technical and security controls of the business. Ensure that the business can demonstrate that it is protecting the personal information sufficiently through proper encryption, access controls, regular testing of the security environment (vulnerability management program), anonymizing data where possible, etc.
  7. Custom Training: Privacy awareness is one thing and is often available off the shelf. Training that matches the business’s policies and procedures to comply is another and must be developed. Procedural training often surrounds but should not be limited to consumer access requests, privacy impact assessments, incident and breach response, cookie approvals and website updates (consent, privacy policy, trackers, etc.), data retention, and the process for vendor procurement.
  8. Audit: Businesses must measure and audit their program to ensure it holds up under scrutiny. People should build and manage a monitoring program to ensure the privacy program, including the software, is operating effectively. This can be achieved through key performance indicators. Further, pressure test the privacy policy, consumer rights, the meaningfulness and effectiveness of privacy impact assessments, and the records of processing by auditing them and ensuring the procedures are operating as expected and are aligned with the business’s obligations. The entire program should have an element of testing, reviewing results, and remediating deficiencies.
  9. Management: Regulations, personnel, systems, applications, vendors, and the personal information the business collects change. How does the software keep up? People must be tasked with keeping these solutions relevant and ensuring they evolve as the business and regulations do, or the software will languish and become a liability. There are three types of program management:
    1. Active Management: Real-time updates to inventories, systems, procedures, and policies. Example: A new marketing initiative is launched that requires the collection of additional personal information, processing activities, sharing, and vendors. The privacy policy is updated accordingly, the role of the vendor is determined (which drives obligations), consumer rights procedures are amended, including SOPs and technology workflows. This is a good fit for a fast-moving business that often adds vendors and data, and the exposure to risk is too great to wait.
    2. Passive Management: Time-based updates to the program. Think quarterly or monthly audits of the program, with changes made if necessary. This would be a good fit for a business that does not add vendors, systems, or new personal information very often and is not receiving many consumer access requests.
    3. Inactive Management: Very seldom thought of or reviewed. This is the set-it-and-forget-it mentality. Do not fall into this trap. The investment has been made in the software license and the establishment of the program; ensure it remains accurate.
  10. Business Decisions: Maybe we’ll get there one day with AI and its ability to make risk-based decisions surrounding your specific business, sector, and risk appetite. But in the meantime, human input will be required to ensure the business runs smoothly while also reducing risk surrounding privacy. These regulations and the risk surrounding them are a gray area, and businesses have different levels of resources, expertise, budget, and risk tolerance. People help ensure the privacy program is effective without breaking the business.

Privacy software is an important piece of the privacy puzzle. When implemented appropriately and maintained, it serves an important evidentiary role in compliance and guarantees a consistent approach towards complying with complex and often confusing regulations. When spun up as a silver bullet/quick fix and left to sit on the shelf, it becomes a liability for the business. Consumer privacy rights and disclosures can be inaccurate and insufficient, resulting in gaps in the privacy program and becoming evidence of neglect. Maintain the privacy software to reflect the actual data processing activities and requirements, and you will be in good shape. Do not think that will happen on its own without people and oversight. Don’t let the license fee become a legal liability; keep it updated.

Please reach out to us at: connect@compliancepoint.com if you have any questions about this article or how CompliancePoint can assist your organization with achieving privacy objectives.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.