Finding technological solutions within the vendor management space is a hot topic these days, especially in light of the new EU-U.S. Privacy Shield agreement and the upcoming General Data Protection Regulation in the EU. A lot more liability, and potential for significant fines, will be placed on organizations, so ensuring vendors are in line with data protection obligations is gaining traction.
Last summer, Privacy Tech reported on one startup focused on offering companies an easy-to-read security assessment of vendors. With these vendor scorecards, organizations gain one more tool to assess the level of risk certain vendors can pose.
Other startups are also recognizing the need for technological solutions for burgeoning privacy obstacles and are stepping into the fold.
When Privacy Shield finally became a reality earlier this year, the folks at Whistic saw an opportunity to combine its existing vendor-management platform with the risk assessment needs brought out by Shield. The company provides an easy-to-use service designed to help companies interested in complying with Shield manage their vendor security risk assessments in a way that allows for easy team collaboration. The tool can also be tailored for those that were certified under the previous Safe Harbor regime, or for those starting from scratch.
Whistic Co-founder and Chief Product Officer Andrew Watanabe provided Privacy Tech with an interactive demonstration of their new product. The interface is clean, the questions clear, and the dashboard filled with relevant information.
First, a company can fill out an online self-assessment tool free of charge to help create a readiness assessment model.
The platform allows a privacy officer or project manager to assign certain questions to specific team members. Built in are options for setting due dates, assigning relevant questions, and following track changes. The tool also provides a way of holding those team members accountable for the accuracy of their answers.
Whistic then uses a proprietary algorithm to mine insights and discover compliance gaps for an organization. After completing the questionnaire, the participating company receives a report not dissimilar to a FICO credit score. This report presents a gap analysis for certifying under Shield.
After reviewing that gap analysis, companies can then decide whether they want Whistic to register them for Privacy Shield on their behalf. This is where Whistic generates revenue. Starting at $125 per month, companies can maintain their Shield registration through Whistic. Watanabe said the company has talked closely with the U.S. Department of Commerce about filing on behalf of other companies.
For those going this far, Whistic also offers its customers the ability to create and confidentially share their own vendor profile with customers. This, they say, helps save time and reduces risk-assessment redundancies.
Watanabe told Privacy Tech that they’re getting a lot of interest from a variety of companies, particularly in the EU. In the week-and-a-half preceding our interview late last month, Watanabe said they had approximately 60 registrants ranging from small startups to companies with more than 100,000 employees.
But, he said, they’re also seeing companies that are not concerned with Privacy Shield enforcement. He recounted a recent conversation with an employee at a small online retailer who said noncompliance with Shield did not come in very high on their risk register. “They don’t believe anyone is going to complain or that enforcement has enough teeth,” Watanabe said, adding, for many, “it’s hard to understand what enforcement will look like.”
He also said they're working with a range of professionals within organizations, including privacy officers, legal counsel, HR managers, and for smaller startups, chief operating officers and executives.
The catalyst for developing a Privacy Shield compliance tool came from several different angles, Watanabe explained. "We thought this was an opportunity for us to expand our services and get ahead." Since Whistic is already in the risk-assessment game, expanding its platform to work for Privacy Shield was an easily achievable commitment. Whistic's technology was already geared for PCI DSS and ISO 27001 compliance, among others, so Watanabe said they just needed to bring in expertise on Shield. And that's exactly what they did: months of reviewing the Shield documents and outside help from attorneys, and now Whistic's new tool is ready to go.
"We think this solution provides real value," Watanabe said. "We feel like we have a simple, clear, and easy way to help companies achieve compliance in this area."