In recent years, the pace of privacy legislation has accelerated from a leisurely drive in the countryside to a mad dash on the Autobahn. The EU General Data Protection Regulation hit the scene in 2018, followed by the California Consumer Privacy Act, Brazil's General Data Protection Law and a slate of other laws around the world.
When serving as Merck's chief privacy officer, TrustArc Senior Vice President of Privacy Intelligence and General Counsel Hilary Wandall, CIPP/E, CIPP/US, CIPM, FIP, started thinking about how to properly navigate this shifting landscape. She wanted to find a balance between leveraging an accountability-based approach to privacy management and recognizing that a solid framework and policy-based approach may not help an organization handle the different nuances between privacy laws.
Wandall brought this idea to TrustArc, and now the technology vendor has brought forth a solution it hopes will bring about a paradigm shift in privacy tech.
TrustArc has released PrivacyCentral, an end-to-end privacy management solution. As information about an organization is entered into it, PrivacyCentral automatically informs users which privacy laws the organization falls under.
"It can start with a click, and by that, you can say, ‘I do business in California,’ and it will sort through all the laws that impact you and tell you, ‘Here’s what they are, and here’s how we prioritized them.’ You could say, ‘I do business in Brazil,’ and it adds that one," TrustArc CEO Chris Babel said. "With each additional piece of information you give it, it is running through the rules and algorithms against everything we have in the system to tell them, ‘Here’s what you need to do. Here’s how you need to do them, and here’s how to prioritize those efforts.’"
One algorithm powering PrivacyCentral monitors the applicability of laws based on the information provided by the organizations, such as where they conduct business, where their employees are located and their industry sector. The solution will then identify the laws an organization will likely fall under and the ones it will not.
Another algorithm will help inform users about their progress in adhering to the privacy requirements. Wandall said this algorithm also calculates an organization's effectiveness with various compliance tasks, helping privacy professionals gauge whether they are ready to move forward with certain activities or if more work is required before progressing further.
"We spent years working through all these different pieces and all the different algorithms that needed to come together and to work across different kinds of laws," Wandall said. "It took a lot of work to figure that out. There was a lot of trial and error to see, 'We want to do it this way, and does this break the consistency,’ because it has to be consistent and repeatable and scalable, and no matter how you twist it, it has to be able to produce a consistent result."
Wandall said a big challenge in developing PrivacyCentral was figuring out how to make all of the components of the solution produce quick results, adding it took years of work to eventually figure out how to make it as efficient as possible. Because of that work, Wandall said it was easy for TrustArc to implement Virginia's Consumer Data Protection Act into the solution when it was signed into law earlier this month.
In developing PrivacyCentral, Wandall said TrustArc wanted to create a solution that was not strictly grounded in privacy, but one that contained frameworks that could be integrated with elements of governance, risk and compliance.
"It’s been my belief that privacy done well needs to be embedded in how a business operates," Wandall said. "In order to make that happen, you need to make sure that you are working effectively with other areas of governance, risk and compliance, IT management, trade secret management, all these different things around data. Privacy needs to fit well into there and it can’t be its own siloed thing."
As more privacy laws arrive on the scene, Babel and Wandall hope PrivacyCentral can function as a game-changer for privacy professionals. Babel believes the solution could eventually usher in the next generation of privacy tech.
In what he called the "first generation" of privacy tech, Babel said the market only focused on a single law, eventually repeating the same process for the next piece of legislation that made waves. When privacy professionals would look to leverage systems for one law to help with another, they would find they couldn't as the tech was not built to do so.
"The privacy community doesn’t think that way, and it’s the same thing I saw in the security space. They didn’t think that way in 2000 either," Babel said. "The reason we are claiming this as a first is that you have an operational, in-technology, underlying framework that allows for common controls and enables you to leverage your work from one effort to another across as many as you want to put in there."
Babel sees the second generation of privacy tech moving away from individual tools to tech vendors providing more comprehensive solutions to the market. Babel said offerings such as PrivacyCentral can help privacy professionals make decisions faster, which, in turn, speeds up the value privacy teams can bring to their businesses to help them reach their objectives.
The next generation of privacy tech also has to be able to handle a surge of privacy laws that does not look to be slowing down any time soon, as well as other challenges organizations will face in the years ahead.
"Laws, I think, are going to explode, and if laws don’t explode and they only just grow a whole bunch, governments are finally figuring out (COVID-19) to a degree and that means regulators are going to explode on enforcement," Babel said. "Things are going to change for years, and the only way to be successful over the next five to 10 years is to think about how this ‘gen two’ set of needs are going to be met."