
Privacy Tech | Vendors create GDPR compliance solutions to tackle a variety of areas



The EU General Data Protection Regulation has absolutely dominated most of my time here at the IAPP recently, and, chances are, if you are reading this those four letters are taking up a boatload of your time as well.

Nearly every piece I have written on privacy technology over the past couple of months has involved the EU General Data Protection Regulation in one way or another. Some of the pieces only focus on the GDPR tangentially.

Privacy professionals reviewing their privacy notices before the GDPR could use Polisis, a tool using artificial intelligence to visualize all of the data collection components of a company’s notice, to see if they are complying with the law. is an app designed to be a data vault companies could use to show all of the information they have on a data subject.

For all the solutions where their GDPR compliance abilities are an added benefit, however, there are many solutions that were created specifically to help organizations handle different aspects of the new rules.

Anyone who has taken a look at the GDPR knows its scope is far too much for one solution to handle every single one of its numerous articles. Tech vendors have sought to focus on a single aspect of the GDPR, and take care of it to the best of their capabilities.

Data subject access rights solutions were among the most notable tools to spring up over the last few months.

TrustArc had released its Individual Rights Manager earlier this year to help entities tackle Articles 12 and 15-23 of the GDPR. TrustArc’s solution allows companies to put a link on their website to give users a chance to fill out a data request form. Once the subject fills it out, a “privacy analyst” within the company will use templates to determine the best action for the request, then come back with the data if the request is valid.

Another DSAR solution took the problem in a different direction, as Raptor Compliance’s software uses a more automated approach to data subject requests. After either new or existing users fill out a form to verify their identity, Raptor’s software searches throughout all of the company's databases to gather the subject’s information.

DSARs even have made their way to GitHub, as a group of four platforms joined forces to launch an open-sourced framework called OpenGDPR. The framework aims to allow data controllers and processors to better manage and track DSARs, and quickly became one of the most popular GDPR-related items on GitHub.

These companies created their solutions to address a part of the GDPR that had not been touched until the final few months before implementation.

“It’s more a reflection of the lifecycle of how quickly companies were able to respond to the GDPR once it hit, and then working through the different steps,” said TrustArc Senior Vice President of Marketing and Product Management Dave Deasy. “Since the deadline is not until May, there was no incentive to put your individual rights solution in place last year because you didn’t have to.”

While DSARs have made a big impact, data destruction requirements cannot be ignored either. Filerskeepers is a solution where companies can have data retention schedules from different countries around the world at their fingertips through Excel spreadsheets. Having the spreadsheets delivered to a company is far more efficient than getting them from a lawyer, according to filerskeepers Founders Wanne Pemmelaar and Madeleine Vos.

TrustArc didn't stop with DSARs, either. A few months after releasing their Individual Rights Manager, the vendor came out with their GDPR Validation solution.

Built to tackle another under-addressed problem in GDPR certification, the Validation solution allows companies to display their GDPR compliance status, particularly to B2B customers. A company will fill out whether it meets 40 objective validation requirements, then, after review by a privacy professional, will receive a letter showing that it is working to comply with the rules.

Of course, not every vendor woke up one day and decided to create a GDPR tool. A couple of vendors took their existing solutions and reworked them to address the GDPR.

Parsons Behle Lab President Kimball D. Parker discussed how software used to help Utah citizens who were sued for tax debt was reconfigured to create GDPR IQ, a tool that uses automation to help generate all of the compliance documents organizations need to comply with the rules.

Users will answer questions ranging from as few as six to as many as 100 to get documents on policies and procedures, notice and consent forms, and records of processing for internal and external activities.

The team at PactSafe had been producing solutions to collect electronic signatures for a few years before they realized they could use their tools to gather and track consent under the GDPR.

It led to the creation of their PactSafe Consent Management platform, where companies can see the consent status of every single data subject, as well as make changes to their privacy policies, and have them updated on every single page where that policy resides.

The GDPR has companies thinking toward the future, and that future may entail more joint partnerships. TrustArc CEO Chris Babel certainly believes that is the case, especially following the partnership it has entered with RADAR to help entities in their GDPR fight.

The companies’ platforms will be able to share information with one another to bolster their capabilities. Each company is also using the other’s product to learn more about its partner’s specialty and to better answer questions it could not have answered otherwise.

When asked what the companies will do once May 25 comes and goes, a common answer would pop up: They'll wait and see what happens next. No one knows how the GDPR will be enforced, and companies will wait to see those first regulatory actions before making any changes to the way they conduct their work. The vendors that will rise after May 25 will likely follow suit.

Photo credit: Wearable Technology via photopin (license)

