The EU General Data Protection Regulation is about to turn one, but even if privacy professionals feel an iota of comfort with the European rules, they will likely have to contend with the California Consumer Privacy Act and a litany of other laws around the world.
In order to help organizations in the ever-evolving privacy landscape, KPMG has released a suite of privacy apps to address different compliance requirements. These apps are designed for data subject rights, personal data breaches and privacy impact assessments, as well as a privacy help desk app and an inventory app that helps companies comply with the obligations set under Article 30 of the GDPR.
The data subject rights app helps organizations set up forms across their platforms and gives entities the ability to manage a request from beginning to end. The data breach app helps with risk assessments and communication with stakeholders when an incident is discovered in order for entities to meet the 72-hour GDPR breach-notification requirement. The privacy impact assessment app manages PIAs whenever changes are made to business products, services and systems.
KPMG Global Privacy Advisory Lead Mark Thompson, CIPP/E, CIPM, CIPT, FIP, said the apps are meant to work in tandem with one another. For example, the help desk app handles all privacy-related inquiries. Should someone ask about a data subject access request or a breach, the help desk tool will reroute them to the appropriate KPMG application.
When asked whether companies have sought to purchase all the apps, Thompson said it has largely depended on the industry. Some KPMG clients have taken the entire suite, while others have picked a single app to address a particular need. He added app selection can even vary from sector to sector within an industry.
“In financial services, for example, a subject access request is a huge challenge for retail banking, whereas in investment banking it is not,” Thompson said. “You’ve got some clients who have a lot of challenges because of a high volume of employees and challenges around incidents. There is no definitive pattern. There are a lot of different industries and within industries, every single client is doing different things depending on their circumstances.”
For Thompson and Privacy Technology Delivery Lead Irfan Mukhtar, customization and integration are two major areas of focus for KPMG and its apps. Thompson said the apps can be integrated with more than 7,000 application programming interfaces, while Mukhtar added that KPMG helps entities with configuration and development. Mukhtar said the company can set up everything from email or single sign-on integration to web forms in more than 20 languages. Should more work need to be done, Mukhtar noted, KPMG sets up half-day workshops with clients.
“We got templates that we can roll out over the implementation, but clients, particularly the more complex clients, have real needs and the way the tool is designed is we can make those functional changes quite quickly,” Mukhtar said. “If they want functional changes or they want the application to work in different ways, we do that and do it with speed.”
Thompson calls the apps “regulation agnostic.” While the CCPA and GDPR have similar requirements, the details of those obligations differ between the two laws.
“The solution allows you to configure all of that and change the parameter to the U.S. market or the European market. It very much is a solution for privacy and not just the GDPR,” Thompson said. “We have had clients ask about CCPA. The market segment we serve is big global multinationals, so the CCPA is an issue, but so are the potential changes in Brazil and the upcoming regulations in lots of other markets.”
Global multinationals make up the primary core of KPMG’s clients, but Thompson said they do have small- to mid-market customers that want to use the basic functions of one of the apps. Regardless of who their customers are, Thompson said the feedback they have received about the apps has been positive.
Thompson said their clients tell them the apps work at an enterprise scale other solutions cannot offer. When asked why other entities cannot produce tools on a similar level, Thompson pointed to the in-house expertise within KPMG as a reason why he believes the company has been able to produce tools to help organizations that have to juggle a wide variety of regulations and technologies.
“When you get to the multinational layer and the big global organizations, they’ve got loads of technology and solutions, and sometimes they’ll have solutions for the help desk, and sometimes they’ll have solutions for incident response,” Thompson said. “But being able to have something that will form part of the orchestration and have it work with things you already have is really important.”