Editor's note: Take the 2025 Governance Survey!

The fields of privacy, AI governance, cybersecurity law and digital responsibility are intersecting more than ever before. To help understand and serve these colliding disciplines, the IAPP is calling for participation in its annual Governance Survey. This iteration of the survey will broadly explore governance operations, staffing and resourcing across geographies and sectors.

This survey is for IAPP research purposes only. All responses will be strictly confidential, and you will never be contacted about your responses.

Organizations are increasingly dependent on third-party vendors for a wide range of services and technology solutions. Compliance technologies are one example of such solutions, and they encompass platforms, products or services that help organizations automate, wholly or in part, their efforts to meet regulatory and policy compliance requirements. While some may be built in-house, the majority are procured from third-party vendors. Indeed, in the IAPP Privacy Governance Report 2024, we identified that almost nine in 10 respondents used a third-party vendor to support cookie consent, while eight in 10 used a third-party vendor to support third-party risk management, regulation tracking and data mapping.

This is no surprise when considering the need for organizations to adhere to a complex web of laws, regulations, and policies as well as the need to meet governmental, regulatory and consumer expectations. Compliance technologies can play a vital role in supporting organizations to manage these requirements and prevent compliance from becoming a barrier to meeting business objectives and ongoing innovation.

However, organizations may find that using third-party vendor tools is not always as simple as buying and plugging in an off-the-shelf solution. Organizations are likely to have to navigate several critical complexities to successfully procure and integrate third-party compliance technologies.

During the procurement process, organizations must first identify and select the right vendor to deliver the selected services. With a multitude of overlapping technology solutions offered by a variety of vendors, a deep understanding of the organization's specific needs and how potential solutions meet these needs is required. Without this understanding, organizations risk choosing a solution that is too narrow in scope, too broad as a complex governance, risk and compliance platform, or lacking in scalability for future needs and business growth, and that is ultimately unable to support the organization in meeting regulatory and policy requirements.

The integration phase may also present several challenges. Ineffective data governance may hinder effective integration of tooling. The organization may have data silos that increase the challenge of connecting compliance-related data to platforms, inaccurate data that reduces the effectiveness of reporting, a lack of data ownership that impacts the speed of integration and a lack of documentation of existing infrastructure and legacy systems.

Complex application programming interface integration may present further challenges, with incompatible APIs leading to integration failures and limited functionality of the procured tooling solution. Factors such as rate limiting, data transfer restrictions and API functionality are likely to be key considerations as part of both the procurement and integration process.

Legacy systems may present their own unique set of challenges should these need to be integrated with the new compliance solution. Many legacy systems may use outdated technologies or proprietary data formats that do not readily integrate with the compliance solution, potentially requiring costly modifications to off-the-shelf solutions or development of custom workarounds. The balance between using standardized tooling and customization of tooling to fit specific organizational needs may need to be assessed at the outset to reduce the likelihood of hidden costs further down the integration journey.

Switching from one vendor to another may add another layer of complexity, with vendor dependence and lock-in playing a key part in whether the organization can hold existing vendors to account. Barriers in data migration from one vendor to another may reduce the likelihood of the organization switching solution providers in the future, perhaps even impacting the quality of service provided by some vendors post-integration.

Ultimately, the success of any new tool is dependent on employees and users adopting and using the tool as intended. Resistance to change, concerns over disruption to existing workflows, and/or a lack of understanding may add to resistance among users. Implementation of effective change management that addresses these concerns as well as offering targeted and tailored training may further support adoption of the third-party compliance tool.

Which of these challenges should organizations seek to address and what might be some potential solutions? In this year's Governance Survey, we're looking for answers to those very questions. By combining these answers with demographic data from the survey, we hope to answer how these challenges vary by organizations of different types and sizes as well as whether perceptions of budget sufficiency and compliance confidence impact the extent to which organizations face these challenges. We hope this offers you the opportunity to benchmark your organization's third-party compliance technology implementations against peer organizations.

Saz Kanthasamy, CIPP/E, CIPM, FIP, is the principal researcher, privacy management for the IAPP.