Privacy technology vendors have had plenty of success creating tools to tackle one component of the EU General Data Protection Regulation rather than the entirety of the law. Perhaps a vendor will focus on a handful of articles in order to create a specialized compliance tool that handles a specific aspect of the law really well, such as data subject access requests or privacy impact assessments.
SafeGuard Privacy CEO and Co-Founder Richy Glassberg and Executive Vice President, General Counsel and Co-Founder Wayne Matus wanted to create an offering they could truly call comprehensive. In order to do so, it was going to take a lot of work, and it wasn’t going to be easy.
“If we were building a platform for someone to manage their efforts, by definition, we have to be comprehensive,” Glassberg said. “I can’t be the general counsel of News Corp and be concerned about my risk as a company to these privacy regulations. To mitigate risk, you have to cover the entire law.”
It is what Glassberg and Matus say they have achieved with the SafeGuard Privacy platform, which consists of seven different modules to help organizations with their compliance efforts. The modules cover assessments, internal and external vendor reporting, customizable policy templates, compliance project management, auditing and alerts, employee trainings and “smart” document storage.
The modules cover all relevant issues for a company found in the 99 articles and 173 recitals within the GDPR. SafeGuard Privacy also has separate platforms covering the California Consumer Privacy Act and Nevada’s newly enacted privacy law.
Glassberg conducted a demo on a “right to be informed” assessment under the CCPA for Privacy Tech. Users answer questions such as where they collect personal information and whether they know the purpose of the data collected. The platform offers users the ability to learn about each portion of a given law as they answer different sections.
SafeGuard Privacy allows users to submit any documents via its “smart document storage” to help facilitate compliance activities. Glassberg said it is one way to have multiple teams involved in the proceedings to deliver any needed information. Should a user need information about a compliance activity, they can send messages through the platform to other individuals to get the answers they need to finish the task.
Glassberg also touched upon the training materials provided through the platform. The SafeGuard Privacy team wrote all the training documents found within the platform, which can be delivered via PDF, Word document or PowerPoint. The platform also allows employees to take quizzes in order to demonstrate they understand all they need to know about compliance obligations.
In order to cover a law as expansive as the GDPR, the team at SafeGuard had to devote a substantial amount of time to the platform. Glassberg said his team spent 10 to 11 months creating the content for the GDPR offering before the CCPA was passed. Their work resulted in GDPR assessments made up of 225 different questions. Glassberg acknowledged it was a heavy lift to add the level of detail they did for their platform; however, it will not deter them from taking the same approach with future laws.
“That’s the DNA,” Glassberg said. “We have taken on the heavy lift of covering the entire regulation and with all of the privacy regulations. We are going to cover them the same way we covered GDPR.”
If “comprehensive” is the word Glassberg and Matus used most when talking about their platform, “accountability” easily finishes second. Matus said accountability is important for any organization that deals with the CCPA and GDPR. He added the platform was created to help organizations highlight their compliance efforts when regulators come through town.
“We enable someone to demonstrate where they are in their compliance. They know where they currently are and where they need to go,” Matus said. “If the [U.S. Federal Trade Commission or California Attorney General] comes knocking on the door and looks at your program, if you can say to them, ‘Yes, we are not compliant here, but it is on our road map, we knew about it and here are the steps to get it under control,’ you will be treated differently than if you are in chaos and the FTC sees you are not reporting.”
It also helped to fuel the internal and external audits provided by the platform, Glassberg said. For internal audits in particular, Glassberg said the team wanted to provide results that make a company’s global compliance status clear to a general counsel, chief information security officer, chief privacy officer and CEO.
One distinction Matus also pointed out was that SafeGuard does not aim to compete with other privacy technology vendors. In fact, Matus encourages organizations to buy other privacy solutions if they find an offering they like, adding his company is open to talking with other vendors about potential integrations with their platform.
Matus sees SafeGuard Privacy competing with law firms and consultancy groups that are not as efficient with their compliance assistance.
“This is not a competitive product,” Matus said. “Who do we compete against? If there is a law firm or a consultancy that is trying to spend as many hours as possible on a project, we are their competition. If you are a law firm or a consultancy and you are looking to be very efficient with your client, we are your friend, and that’s where we have positioned ourselves in the marketplace.”
Photo courtesy of SafeGuard Privacy