Since she joined the company in 2016, TrustArc Senior Vice President of Privacy Intelligence and General Counsel Hilary Wandall, CIPP/E, CIPP/US, CIPM, FIP, said she has been focused on methods to manage risk more effectively.
As the years went on, TrustArc continued to refine its risk algorithm and incorporate it into its platform. Now, the company has launched an expansion of its Privacy Management Platform designed to automate privacy and data risk across an entire organization.
"What we are launching is a full-scale approach to enterprise risk around data, privacy and third parties," Wandall said. "An organization can start with something as simple as an analytics project it's doing for the launch of an app. As soon as they put that record into the system, the risk algorithm runs on it automatically and determines, depending on wherever it’s happening in the world, what the specific high-risk factors are and whether you need to do a (privacy impact assessment) or a (data protection impact assessment)."
Wandall said TrustArc's acquisition of Nymity is one of the forces behind the platform's new capabilities, and Nymity's privacy management accountability framework and its library of research have been helpful resources. This was instrumental in helping get the launch off the ground sooner than the company originally expected.
"We already had the designs of this," Wandall said. "It would have taken longer for us had we not acquired Nymity. "It really helped drive things forward rapidly. The acquisition of Nymity was very strategic to help accelerate and really drive our product strategy. This is one of our first implementations to show the value of that acquisition."
The new capabilities, which are delivered through TrustArc's Risk Profile tool, analyze data processing activities against 1,796 rules found in 130 different privacy laws across the globe to determine whether they are high risk. Since privacy laws differ from country to country, Wandall said the enhanced platform can help privacy professionals pull out the necessary details needed to assess risk.
"For example, Israel and Korea have some unique requirements around the number of records and the sensitivity of the data, which are quite different from some of the requirements you might see in specific countries in the EU or in Canada," she said. "We look at those factors differently depending on where the data actually is hosted and the kind of people whose data is being processed."
For its assessments of third parties, TrustArc's platform will distinguish different vendors based on their level of risk. Wandall said TrustArc focused on service provider rules under the California Consumer Privacy Act, as some companies are concerned about sharing data with third parties that may constitute a sale.
TrustArc can perform the assessments by leveraging automation. Wandall said automation is not only important for the enhanced capabilities of TrustArc's platform, but also for the entire privacy industry.
Organizations are collecting data faster than ever before, and they have to balance that speed with an ever-changing privacy regulatory landscape. Wandall believes it is impossible for any organization to keep up with such an environment without automation.
"You can make a simple business decision, and that triggers off a domino effect of 10 or 20 different changes that you have to address in your organizations," Wandall said. "Without automation, you need huge amounts of people to stay on top of that, and nobody has the bandwidth to be able to do that very effectively except the absolute largest enterprises and even if they do, this is just far more efficient."
The new capabilities in TrustArc's platform also allow privacy professionals to deliver faster risk assessments at the enterprise level to senior leadership and stakeholders, according to Wandall. It is yet another reason automation can lighten the load for privacy professionals and why manual assessments do not cut it anymore.
"You really need tools to help you understand all of what you are responsible for, to be able to evaluate that quickly, take the evaluation and analyses that you’ve done, share them with the right stakeholders in the organization and rapidly get their feedback and to make sure senior leaders in the organizations are able to make informed decisions about how they want to use data or make business decisions," Wandall said. "You just can’t do that if you are trying to hire lots of people to weed through things manually.
"I feel that privacy automation is absolutely essential to being a good privacy professional."
Image courtesy of TrustArc
