In London last November, Protiviti sponsored and spoke at the Data Protection World Forum. What was clear from speaking to the many delegates at the event was that many are now pausing for reflection, often after significant effort and investment to get compliant with the GDPR. They are now considering how they can continue to drive further remediation activities but also, importantly, how they can refine processes to become more efficient, including evaluating innovative technology options to support them.
The conference sponsors included many technology vendors presenting a variety of offerings, from end-to-end privacy governance platforms, eDiscovery and data management tools, to data mapping, consent management, CCTV editing and more. These vendors ranged from the large-scale eDiscovery platforms for highly regulated organisations, costing in excess of £1m, to small-scale providers, many of whom existed prior to the GDPR but who have adjusted their products or marketing to reflect the increased demand for GDPR tools.
No Silver Bullet
What is clear is that no technology solution alone will make an organisation GDPR compliant. In line with other recent regulations, such as the Senior Managers Regime within the financial services industry, which aims to address risk culture, the GDPR has sought to drive home the importance of embedding privacy into organisations through principles such as privacy by design and by default. While technology can help to facilitate this change, it will only be successful with equal focus on culture and risk management practices.
That said, technology plays an important role in helping organisations to drive greater efficiency in their processes. GDPR has led to new processes that many organisations just weren’t doing a year ago, such as data subject rights requests or data breach reporting.
Return on Investment
The first question that organisations need to consider is whether or not they have existing tools in place that can support them in their ongoing GDPR efforts. Existing cyber response systems may be adaptable to support the risk assessment and data breach response requirements. Similarly, existing workflow tools could be re-purposed to support data subject access requests.
However, many organisations subject to GDPR have not invested in these types of technologies previously, particularly in relation to data management and eDiscovery capabilities. In these instances, there are many tools available that could address their needs. Buying, rather than building your own, is often the preferable option.
Some vendors are looking to provide end-to-end solutions, covering the majority of privacy governance needs, whilst others are focusing on specific elements of privacy, such as consent management. In the case of consent management tools, these often originate from the marketing domain where consent has been an important issue for other regulations, such as PECR (Privacy and Electronics Communications Regulations). The most important consideration is to make sure that the tools selected meet your business requirements. These requirements may include cost but should also take into account the complexity of your needs.
As with any technology enablement, it is critical that organisations effectively evaluate their needs and buy the tools that address these needs. These needs will be driven by the realities of the business as much as the requirements of the GDPR. For example, the extent of an organisation’s global footprint and client base will drive whether it needs to consider emerging privacy laws in other jurisdictions, such as California, Brazil and Bahrain. The technologies selected will need to be flexible enough to support compliance activities beyond the GDPR.
Lastly, many of the products in the market which were developed to support the needs of the GDPR are still young products, developed by young companies. As a result, they are often not perfect and fully matured. To be successful in the market, vendors will need to acknowledge this and be open to communicating their development pipeline, work with their customers closely to identify new features and enhancements and deliver on those consistently and quickly.