Buyer's remorse can be an absolute bummer.
You get tickets to a sporting event, and the home team gets crushed. The exercise equipment doesn't spur on a brand-new fitness regime. The new shirt you bought online doesn't quite look the way you thought it would.
For your average person, the worst that happens is you are out of some money and have a few unwanted memories. For privacy professionals, buyer's remorse can have much stricter consequences.
As privacy pros navigate the market looking for technology solutions to bolster their privacy practices, one poor decision could lead to spending money on an insufficient tool and potential fines for privacy law violations.
One of the most important compliance requirements is the fulfillment of data subject requests, and there is no shortage of vendors offering DSR technologies waiting to help. The latest iteration of the IAPP's "Privacy Tech Vendor Report" had 49 companies fall under the DSR category, and the number is almost assuredly going to rise.
That begs the question: What should privacy pros look for when vetting these vendors and their DSR products?
Before sending those emails and scheduling those demos, OneCyber at PwC Privacy Manager Jordan McClintick advises looking inward. When helping clients with DSR purchases, McClintick says buyers must identify the primary stakeholders who will define the requirements needed for the tool and any secondary stakeholders who will be tangentially connected to the inquires.
McClintick said he looks at the client's stack infrastructure and their online digital assets. A tool that makes sense for one company may be too complex and wholly unnecessary for another.
"For example, if you are an analytics company that is going to online advertising, you are going to need a very robust DSR tool that can scan out different personal data elements, things like device IDs, cookies and your advertisement IDs. There are very complex scanning requirements because you have a lot that needs to be mapped and linked through a complex and cloud-based environment," McClintick said. "As opposed to a mom-and-pop-type shop where they’ve got marketing that is email-based that’s easy and straight forward."
After the internal assessment is done, it's time to look at the tech vendors themselves and the features seen within their DSR tools. Before taking a plunge on a product, KPMG Global Privacy Advisory Lead Mark Thompson, CIPP/E, CIPM, CIPT, FIP, advises buyers to do their research into the vendor's financial health.
Companies may be able to flex successful funding rounds in a news release, but that is not a surefire metric of success. If a privacy professional invests in a piece of technology from the wrong vendor, Thompson warns they may end up with a tool that will likely never be updated and improved upon, either due to a lack of resources or from the vendor shuttering entirely.
Grainger Chief Privacy Officer Amy Albano, CIPP/US, said one attribute she looks for in DSR vendors is how well they set up their customers for success. For Albano, she does not want to invest in DSR tech where constant contact with the vendor is necessary to function.
"The vendors that proactively train their user base to do as much as they can on their own is really important," Albano said. "I can’t say it’s a showstopper, but if a vendor has that over a vendor that did not, I’m going to be very heavily weighted toward looking at how much can I control."
When looking through the tech vendor market, privacy professionals may consider buying an individual DSR module. McClintick said this is an option privacy pros can pursue, but a better buying decision would be to have the module be a part of a larger package.
"If you are just going to use it for the in-taking of a request, you probably got a (governance, risk management, and compliance) or ticketing solution currently in the company that can just as easily do it if you are only looking for a DSR platform," McClintick said. "If you look at the compliance program maturity as a whole, you need to look for something that has a suite. If you have data scanning for your DSRs, you can do that for your data mapping and your data inventory. If you are going to get a product that really streamlines your process for DSRs, it can also streamline for many other aspects of compliance."
Tech vendors often advertise many features in their DSR solutions, and it can be a challenge to figure out what is must-have and what is fluff.
Grainger Global Data Privacy Senior Manager Joel Blumenfeld said one of the key features a DSR needs to have is the ability to collaborate across the enterprise.
"With all of these new requests that are coming through, you may be reaching out to your marketing team, your HR team and lots of different stakeholders along the way, not to mention the requestor," Blumenfeld said. "With all these time constraints around these responses and with the internal stakeholders you have to work with, having cloud-based capabilities that you feel comfortable are secure and are able to facilitate those communications is really key."
Thompson pointed to record-keeping as a key feature to keep an eye on, as it is vital to track requests that have come in and the ones they have already been remedied. "That could be something as simple as a SharePoint site on one end of the spectrum, or it could be a more process-orchestrated tool to give you that record-keeping," Thompson said.
As a company-request volume increases, Thompson said companies should pay attention to tools with heightened levels of automation. Blumenfeld agrees with this assessment, but automation is a feature nearly every tech vendor claims to offer, and a little more digging may be in order.
When considering automation capabilities, Blumenfeld recommends looking at what the tech vendor is actually offering when they say their tool is "fully automated."
"I almost take that with a little bit of a grain of salt because you really have to do your due diligence to understand what [automation] means in the context or what you are trying to do," Blumenfeld said. "I think in almost every case you’ve got to take whatever automation capabilities the tool offers and operationalize them within your organization. You are going to have different technical environments and business processes, so it’s not automatic automation is actually going to work for you."
The tech buying process can be a long and taxing one, but a prevailing sentiment was shared by Thompson, McClintick, Blumenfeld and Albano, and it is one privacy professionals need to keep in the back of their minds: Privacy technology is not a cure-all, and it can only go as far the team putting it to use.
"You can have the best tool in the world, but if you don’t know how to operationalize it, it’s not going to respond to these requests," Blumenfeld said. "If you don’t have the right people and processes to support the technology, you are not going to be responding to these requests appropriately. You still got to have the privacy program in place to be able to use the tool. That being said, it’s a great way to make life easier."
Photo by Randall Bruder on Unsplash
If you want to comment on this post, you need to login.