Technological innovation truly leaves no stone unturned. This time, technology has the privacy profession in its cross-hairs. Over the last several years a growing number of established and start-up technology companies have entered the market with promising privacy tools to address some of the more challenging privacy and data protection issues facing organizations today, from privacy impact assessments to automated inventories.
While today’s privacy leaders typically do not possess the technical know-how to adequately assess and implement a technical privacy solution, there is nevertheless plenty of reason to believe that privacy professionals can and will take the appropriate steps to succeed on this new terrain. A good first step in that direction will be to learn the ins and outs of conducting a proof of concept, which can test the efficacy and scalability of these promising technical privacy tools.
A POC is a small, controlled and targeted test to prove that a tool can, in fact, do what the technology companies claim it can do. With appropriate rigor, the POC process can serve as the privacy leader’s best friend by catalyzing buy-in from decision makers across an organization all the way up to the board.
To ensure that privacy leaders are maximizing the potential benefits of a POC, each of the following steps should be considered:
- Know the problem you want to solve: This seems obvious but it’s the most important step in planning a POC. Ask yourself what problem the tool is designed to address, and then consider the unique challenges your organization has with respect to that problem. This will lead you to a defined objective that is tailored to your organization’s specific challenges.
- Broaden the stakeholders, build partnerships, and make a stronger business case: Privacy tools may be designed to address specific data privacy requirements but they often have functionalities that can benefit other business units in your organization. For example, a privacy tool designed to identify personal data may also prove useful for other business units who have a need to identify intellectual property data or other types of non-personal information. Establishing strategic partnerships with other business units that can benefit from the tool’s implementation can significantly increase the chance of adoption.
- Don’t boil the ocean: Let’s assume that the objective of your POC is to test whether the vendor’s tool can effectively inventory your unstructured data. Remember, the POC is a small, controlled test that is generally short in duration and conducted with limited resources. You are not running a POC to develop a full inventory of your unstructured data. For example, the data may be in your SharePoint, in web-based repositories, data lakes or shared drives. Choose one of these repositories and if the test is a success you can broaden your scope to include additional repositories.
- Develop KPIs for your POC: Work with other business units within your organization to develop a set of key performance indicators that stakeholders can use to assess the tool's capabilities. Once the POC has been completed assess the tool’s performance against the KPIs. In many cases, the privacy tool will perform well on some indicators and not so well on others. Don’t fret; this is okay. It’s rare that any one tool can effectively meet each and every one of your KPIs in the short-term setting of a POC. Sit with your preferred vendor to discuss ways that can potentially enhance the performance of the tool.
- Understand your IT architecture: Understanding the complexities of your IT architecture is a critical step when planning your POC. An organization with a federated architecture will face considerably different implementation challenges than an organization with a flat architecture, even if looking to implement the same privacy tool for the same purpose. To add another layer of complexity, your organization may rely on third-party IT infrastructure (e.g., cloud service providers) which will require the POC to be conducted off-premises. In any event, your network setup will also influence the selection of your KPIs as you may need to place a greater emphasis on network challenges such as access rules when assessing the effectiveness of the POC.
- Information security in the POC: Ideally, the POC should be conducted in a non-production environment with test data. Alternatively, work with your information-security team to 1) explore ways of masking large amounts of data for testing purposes; 2) consider solutions like network fencing to prevent the privacy tool from negatively impacting the efficiency of your organization’s network operations; and 3) ensure that the POC will not lead to a violation of the privacy and security commitments that your organization has made to its data subjects. Lastly, be sure to require the vendor to sign an non-disclosure agreement prior to granting access to your IT environment.
- Budget: Prior to making a budget request for the next fiscal year, you need to understand both the direct costs (e.g., vendor fees, expenses, licensing fees) and indirect costs (e.g., FTE time to help with the POC) associated with the POC and eventual implementation of the privacy solution. This is probably the first time you are making a budgetary request for technology. Work with your IT or cyber partners within the organization to ensure that your request meets all of your immediate and long-term needs.
- Have a plan for what comes next: It is never too early to start developing a deployment plan for the privacy tool in the event that the POC proves a success. As you are planning for the POC give due consideration to the deployment plan. These plans can range from a one-time enterprise-wide deployment to a plan that would deploy the tool in one business unit and, over time, roll out the tool to other relevant business units. Whatever your plan, your decision will have impacts on the pricing, timing, and availability of resources that can assist in the implementation and the operationalization of the tool.
Equipped with the POC, the privacy profession is poised to take the leap into the brave new world of technical privacy solutions. But first, privacy professionals will have to put down their pens and paper, get out from behind their desks, and embrace the inevitable march of technical progress. It is your duty. And you might even save a few trees!
If you want to comment on this post, you need to login.