In May 2018, IAPP and TrustArc surveyed 328 privacy professionals around the globe and asked them a series of questions about each of 10 categories of privacy technology, as identified in the IAPP’s annual Privacy Tech Vendor Report. The results provide illuminating benchmarking data about what technology is truly in use versus what technology is still far from mainstream. Further, it is clear that certain technologies are truly the domain of the privacy office, while other tech that might be vital to a contemporary privacy program is generally handled by and operated out of the infosec or IT departments.
The survey produced a great deal of data, as disclosed in the full report, but the highlights include:
- Those technologies with security applications and general enterprise use are clearly more mature and in use than newer, privacy-office-specific technologies, but we see a clear wave of uptake coming.
- The most likely new technologies to be adopted by privacy offices are Data Mapping and Flow, Personal Data Discovery, and Privacy Program Assessment/Management technologies, all of which are in the plans for future purchase by roughly a quarter of companies.
- Budget is the largest reported barrier to adoption, but larger firms, where budget is less of an issue, are not developing solutions in-house, and are directionally less likely to say that either lack of demonstrated need or immaturity of the technology is a barrier. Essentially, if they’ve got budget, they’re in the market. But the largest firms, those with 25,000 or more employees, are not the largest adopters of privacy technology. Rather, it is those with 5,000 to 25,000 employees.
- Of the 10 categories of technology, consent management tools are the least adopted by the market, and are not coming on strong. There is an indication that the market doesn’t find consent management as difficult or important as conventional wisdom would have you believe. Almost 60 percent of companies have no plans to invest in consent management tools.
- De-identification tools are also relatively niche, the second least likely to be adopted and not particularly on people’s radar. Only 42 percent of companies have purchased or plan to purchase this type of technology.
- U.S. firms are more likely to have already operationalized Enterprise Privacy Management solutions, which are more likely to have security and other enterprise applications. EU/U.K. firms are more likely to have already invested in Privacy Program Management technologies, which are designed more specifically for the “privacy team.”
- Larger companies are more likely to have privacy teams with budgets for technology, where smaller companies are more likely to have IT or infosec budgets that privacy must influence.
- While some technologies are clearly the province of the infosec or IT teams in terms of budget authority, privacy has influence over purchasing the majority of the time for eight of the 10 categories of technology, and is involved nearly 40 percent of the time for both Networking Activity Monitoring and Secure Communications Technology.
- While it may not be mainstream yet, there is clearly some momentum for consultants and law firms to use technology to help serve their clients and solid indication that this practice will grow in the near future.
In this first-ever benchmarking of adoption of privacy tech, we now have a baseline for future charting of market growth.