Risk assessment is a notable piece of the privacy compliance puzzle, and organizations have sought to tackle it and other requirements with the help of privacy technology solutions. Helping companies with those tasks does not mean privacy tech vendors are exempt from risks themselves, as they have entered an industry that operates differently than others.
"It makes this a little more challenging than the typical business where you roll something out, people like it and they use it and the downside is they watch my entertainment or they don’t," Future of Privacy Forum CEO Jules Polonetsky, CIPP/US, said during a panel session at The Rise of Privacy Tech Virtual Summit. "Here, you are rolling out infrastructure that if misused, not developed properly, and not in sync with the latest guidance creates a lot of legal risk for the users and perhaps the builders."
Privacy technology vendors can design their solutions to handle plenty of compliance requirements, but TrustArc Senior Vice President of Privacy Intelligence and General Counsel Hilary Wandall, CIPP/E, CIPP/US, CIPM, FIP, said those tools cannot offer legal advice.
Wandall added privacy tech vendors must be cautious when designing their solutions to ensure what they offer can be classified as guidelines and recommendations and that it does not cross the line into legal advice.
"Something we’ve spent a lot of time on is designing rules and algorithms to look at metadata to determine the likelihood that a particular law or certain components of the law will apply," Wandall said. "But you need to make sure in doing so you are not coming up against the unintended provision of legal advice or purporting to do so."
Okta Senior Corporate Counsel of Product and Privacy Fatima Khan, CIPP/US, CIPM, pointed to a similar trend that has popped up in the privacy tech market. Khan advises buyers to be cautious of any tech vendor that claims to "solve" privacy laws, such as the EU General Data Protection Regulation or California Consumer Privacy Act.
Khan said those that take the bait on such claims are the ones whose commitment to privacy is lacking.
"It’s definitely geared toward more unsophisticated buyers that are just trying to solve for some problem they know they have and to a checkbox," Khan said. "What would be powerful instead would be to build these products so that there is a lot of choice and configuration availability built-in, so whoever is implementing that product in-house or configuring it can then figure out how to implement it in a scalable way that will hit all of the nuances that different laws need to hit."
Khan does not see many tech vendors offering such built-in features in their offerings, instead opting to only focus on small sections of GDPR and CCPA compliance. Khan believes the ideal situation would be for organizations to implement tech solutions that align with their privacy programs, which she said has been successful for vendors in the security industry.
Another example of privacy tech vendor risk involves data discovery and mapping solutions. Wandall said these tools often touch the data they are searching for, and it is important to know exactly what happens when the technology and the information interact.
"They may be touching it in a way that doesn’t actually render it in an identifiable form, but I’ve seen many that do produce data that is identifiable," Wandall said. "In helping to solve a privacy problem, you are actually creating a privacy problem."
To avoid creating such problems, Wandall said tech vendors should design their offerings around core privacy-by-design principles and should make clear to the engineers who work with these tools that any use of personal information will always trigger privacy requirements.
Privacy laws will continue to be passed and refined as the years go on. Intuit Chief Privacy Officer Andy Roth said privacy veterans have been skeptical about the prospects of a U.S. privacy law, but they should pay attention to which way the winds are blowing.
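The point Wandall makes about discovery and mapping tools is easiest to see in code. The example below is added for illustration and is not code from any vendor or speaker on this panel; the tables, column names and regular expressions are constructed for the example. It contrasts a naive scanner, whose report contains every matched value and is therefore itself personal data, with a privacy-by-design scanner that records only where each data category occurs and how often, and it includes a check a buyer or engineer could run to confirm that a tool's output does not carry the raw values it found.

```python
import re
from collections import Counter

# Constructed sample dataset: table name -> list of rows (column -> value).
# Every value here is made up for the example.
SAMPLE_TABLES = {
    "customers": [
        {"id": "1", "email": "alice@example.com", "phone": "555-123-4567",
         "note": "prefers email"},
        {"id": "2", "email": "bob@example.org", "phone": "n/a",
         "note": "call 555-987-6543 after 5pm"},
    ],
    "tickets": [
        {"id": "t1", "body": "Customer carol@example.net reported an issue",
         "status": "open"},
    ],
}

# Illustrative detectors only; a real tool would carry many more categories.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}


def naive_discovery(tables):
    """Scanner that returns the matched values themselves.

    The resulting report is identifiable personal data: it reproduces
    every e-mail address and phone number it found.
    """
    findings = []
    for table, rows in tables.items():
        for row in rows:
            for column, value in row.items():
                for category, pattern in PATTERNS.items():
                    for match in pattern.findall(value):
                        findings.append((table, column, category, match))
    return findings


def privacy_preserving_discovery(tables):
    """Scanner that records only location and frequency per category.

    The report says that customers.note contains phone numbers and how
    many, which is what a data map needs, without reproducing any value.
    """
    counts = Counter()
    for table, rows in tables.items():
        for row in rows:
            for column, value in row.items():
                for category, pattern in PATTERNS.items():
                    n = len(pattern.findall(value))
                    if n:
                        counts[(table, column, category)] += n
    return dict(counts)


def report_contains_raw_values(report, tables):
    """Leak check: does the serialized report contain any value the
    detectors match in the scanned tables?  True means the report is
    itself personal data and must be protected as such."""
    text = repr(report)
    for rows in tables.values():
        for row in rows:
            for value in row.values():
                for pattern in PATTERNS.values():
                    for match in pattern.findall(value):
                        if match in text:
                            return True
    return False


if __name__ == "__main__":
    naive = naive_discovery(SAMPLE_TABLES)
    safe = privacy_preserving_discovery(SAMPLE_TABLES)
    print("naive report leaks values:", report_contains_raw_values(naive, SAMPLE_TABLES))
    print("metadata report leaks values:", report_contains_raw_values(safe, SAMPLE_TABLES))
    for (table, column, category), n in sorted(safe.items()):
        print(f"{table}.{column}: {n} x {category}")
```

The leak check is the piece worth keeping: whatever a discovery tool produces (a report, a database of findings, an export), running the same detectors over that output tells you whether the tool has turned a privacy control into a new copy of the data it was meant to map.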
Just because a federal privacy law may be years away does not mean organizations should not consider privacy tech to prepare them for what lies ahead. Roth said Intuit has built its solutions in-house and focused on trends rather than approved legislative text.
"There is a business imperative to do these things. You have to be building data subject rights machinery. You have to be doing things now irrespective of whether a law is driving you to it," Roth said. "I think the privacy pitfall could be getting caught up in the esoteric nature of privacy law instead of thinking directionally that we are moving to GDPR-like accountability framework for the world."
The relationship between privacy tech vendors and their customers will continue to evolve as the industry changes, as well. Regardless of the bills that become laws and technological advances that are made, every player in the privacy industry will have to confront their own level of risk.