Privacy regulations have appeared all over the world, and TrustArc Senior Vice President of Marketing and Product Management Dave Deasy, CIPM, says every indicator suggests this trend is unlikely to slow down any time soon.
Because the requirements of these laws differ between countries and states, Deasy and TrustArc decided to build a new tool that helps privacy professionals determine which laws apply to them.
Within TrustArc’s Privacy Profile solution, privacy professionals answer questions about their organization. The questions cover where the company, its employees and its customers are located, the industries in which it operates, and whether its target audience includes special categories of individuals, such as children.
Algorithms developed by TrustArc analyze the answers and map them against 12 different privacy laws, which include the EU General Data Protection Regulation, the California Consumer Privacy Act, the Brazilian General Data Protection Act and the U.S. Health Insurance Portability and Accountability Act.
After a privacy professional finishes the questionnaire, they are presented with a list of all the laws and regulations applicable to their organization. The findings can be viewed either in TrustArc’s dashboard or as a PDF. Privacy professionals can view the findings from a geographical perspective, which gives a visual overview of the applicable laws worldwide. They can also view the results as a more traditional report, which presents bulleted lists explaining why the algorithm selected a particular law.
“The bullets could say, ‘because you got customers in Brazil, that’s why the Brazilian privacy law is applicable to you.’ Or ‘because you are in the health care industry and you collect and store sensitive health information, that’s likely why HIPAA is applicable to you,’” Deasy said. “They are meant to provide enough detail to give somebody a pretty good indicator of why it’s applicable, yet at the same time, we try to keep them short and simple. They are designed to be something that somebody can quickly scan and review.”
Deasy believes the two different methods to view the results will help highlight the importance of compliance when a privacy team interacts with the C-suite.
“I think both of those are going to go a long way to helping a privacy team inside a company raise the proper visibility to get the investments to address different laws and regulations,” said Deasy, who added that the reports can also help a privacy team build a business case for investments in tools and technology, which would lead to an increased emphasis on automation to produce faster and more accurate work.
While the Privacy Profile currently focuses on 12 laws, Deasy said TrustArc plans to continuously update the solution over the next couple of months, with the goal of eventually having every applicable privacy law and standard in the system.
Since developments in privacy legislation are constantly evolving, TrustArc enlists its own privacy intelligence team, led by TrustArc Senior Vice President of Privacy Intelligence and General Counsel Hilary Wandall, CIPP/E, CIPP/US, CIPM, FIP, to keep tabs on the burgeoning landscape.
The global team regularly reviews existing laws and regulations as changes occur, Deasy explained. The team breaks each law down into its individual components, which are then mapped into the organization’s own privacy governance framework.
“It makes it much easier to look at the laws and regulations in a consistent fashion, because laws and regulations are getting written by many agencies across different countries; there are many different ways to say the same thing, and so sometimes these can get challenging,” Deasy said.
The work conducted by the privacy intelligence team has helped in the development of the Privacy Profile, as the individual components of each law are used to inform the questions privacy professionals see when filling out the profile.
It will also help determine which laws are added to the solution next. Updates will be prioritized by when a law goes into effect, the number of companies it will affect, and feedback from customers, Deasy noted. Apart from user feedback, the first two factors will be informed by the privacy intelligence team’s research.
Organizations around the world have started to keep an eye out for new and updated privacy laws and are aware of the risks they face for noncompliance. It is one of the reasons why Deasy believes the Privacy Profile can help entities keep themselves abreast of their legal obligations, not just to keep regulators happy, but for their own customers, as well.
“In order to continue to successfully do business with a lot of companies, you have to be able to show that you’re meeting the different laws and regulations and if you wait until the last minute and someone is asking you if you are compliant with XYZ, it’s probably already too late because it is often going to take three, six, nine, 12 months or more to put all the different things in place,” Deasy said.