PRIVACY TECH SOLUTIONS TO ENHANCE PRIVACY COMPLIANCE. PART 1.

In 2018, when GDPR triggered a massive paradigm shift in the importance of privacy compliance, most stakeholders on the market started with the so-called paper-based privacy compliance approach.

It was like “we will develop many policies and implement them”. Well, GDPR compliance is not just about having policies in place. It means that GDPR principles are embedded into real-time scenarios, that data is well protected, and that data subjects are in real control.

In 2023 a brave new market of privacy-tech solutions has emerged, and it feels like it is just the beginning, as more and more startups and tech companies bring their products to the table with the aim of helping companies comply with GDPR and other privacy laws and, what is important, go beyond that and build trust with their customers.

So, let’s take a look at the privacy-tech market from the perspective of the DPO / Privacy chief or privacy advisor. 

There are different types of privacy-tech solutions for different aims, and the mission of a buyer here is to choose the ones that fit and, what is even more important, to try to make a perfect combination. Imagine it as preparing a cocktail. You have different ingredients, and the person you prepare the cocktail for has their own specific needs and expectations. So, let’s start.

Types of privacy-tech solutions to consider  

  1. Data discovery and data mapping tools

You can’t manage personal data if you don’t understand what data you have and how it is processed. Sure, you can draw a map on paper or with some basic drawing tools, but data processes are dynamic, so you need to keep that mapping up to date. You also have to keep the information about processing current by talking with colleagues and entering the results into the system. So, how exactly can privacy-tech solutions help us here?

  • You may use data discovery tools to understand what data you actually have and how it is processed.
  • You may use customer journey mapping tools to determine the privacy touches with the data subjects and construct a true privacy journey for them.
  • You may combine the data from data mapping in general with the data about privacy touches to get the full picture.

The benefit you get from such actions is better data governance, as you now understand what you are dealing with and how exactly your data subject feels when passing through all your cookie clicks, consents and privacy-dedicated web pages.

Well, let’s be honest, it’s possible to do all that manually, in a spreadsheet or even on paper, but privacy-tech solutions give us speed, adaptability, continuity and the possibility to manage the data in a more efficient way.

  2. Privacy-focused web-analytics

Most customer journeys that involve providing personal data to a merchant start with a cookie banner on the web-site. Yet many web-site owners consider analytical cookies to be absolutely necessary and don’t give users the possibility to refuse them on their devices.

Such a status for analytical cookies is at least arguable and may be grounds for a dispute. The reason is simple: different analytical tools collect different data, and a lot of personal data may easily be processed.

Ask yourself: can you distinguish the users of your web-site from one another based on their ID and, as a result, see the exact journey map, clicks, habits and so on? If the answer is yes, the script should include a respective consent, and the user has to be able to agree or disagree to the collection of such data. The point is that such analytics solutions certainly don’t match the word “necessary”, and as a result, using them without a respective legal basis may cause problems.

Still, web-site owners want information about the users who visit their web-site, but they may not need details about every user. They need aggregated data: how many visitors were on the home page, for example.

Where there is a need, a market opportunity is born, and in this case privacy-focused web-analytics took the spot. The aim of using this kind of privacy-tech solution is to get data and insight without compromising the users’ privacy. Different techniques may be used here, for example differential privacy, anonymization and aggregation of data.
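To illustrate the aggregation and differential-privacy techniques named above, here is an added example (not from the original article and not any vendor's code) that turns per-visitor page views into noisy per-page visitor counts. The event data, the page list and the parameters `max_pages`, `min_count` and `epsilon` are constructed assumptions.

```python
import random
from collections import defaultdict

# Constructed sample events (visitor_id, page); not real traffic.
EVENTS = [
    ("v1", "/"), ("v1", "/"), ("v1", "/pricing"), ("v1", "/blog"),
    ("v2", "/"), ("v2", "/pricing"), ("v3", "/"), ("v3", "/blog"),
    ("v4", "/"), ("v4", "/contact"), ("v5", "/"),
]
PAGES = ["/", "/pricing", "/blog", "/contact", "/careers"]  # public site map


def aggregate(events, pages, max_pages=2):
    """Distinct visitors per page; a visitor counts on at most max_pages pages."""
    seen = defaultdict(list)  # visitor -> pages already counted for them
    counts = {page: 0 for page in pages}
    for visitor, page in events:
        if page not in counts or page in seen[visitor]:
            continue  # unknown page, or a repeat view by the same visitor
        if len(seen[visitor]) >= max_pages:
            continue  # contribution bound reached: caps one person's influence
        seen[visitor].append(page)
        counts[page] += 1
    return counts  # visitor identifiers never leave this function


def laplace(scale, rng):
    """One Laplace(0, scale) sample, as the difference of two exponentials."""
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))


def private_report(counts, epsilon, max_pages=2, min_count=3, rng=None):
    """Add Laplace noise (L1 sensitivity = max_pages), then hide small cells."""
    rng = rng or random.SystemRandom()
    scale = max_pages / epsilon
    report = {}
    for page, true_count in counts.items():
        noisy = round(true_count + laplace(scale, rng))
        if noisy >= min_count:  # suppression applied to the noisy value only
            report[page] = noisy
    return report


if __name__ == "__main__":
    exact = aggregate(EVENTS, PAGES)
    print("exact counts:", exact)
    print("epsilon=1.0 :", private_report(exact, epsilon=1.0))
```

A lower `epsilon` gives stronger protection and noisier counts. The floating-point noise sampling here is illustrative; production systems normally rely on a vetted differential-privacy library.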

  3. Consent management solutions

There are many strict requirements for consent under the GDPR and the respective guidelines from both the EDPB and local privacy authorities. Consent has to be freely given and informed, and the data subject should be able to withdraw it as easily as it was provided.

In addition, there is the accountability principle, so in case of a dispute, the company has to be able to prove that the way consent was provided is 100% compliant with the GDPR. So managing and keeping records of consents from data subjects is not an easy task, especially if one tries to perform it manually.

Now, in 2023, there are many privacy-tech solutions to help companies deal with consent-related obligations.

One big point to emphasize here is that automation does not mean compliance. The volume of data, the UX and the related texts are really important for proving that the consent provided, even in an automated way, is a relevant legal basis for processing data in the respective case.

User-friendly design of consent and the related menus and buttons may help build user trust and show transparency. This type of privacy-tech solution is crucial for businesses that process a lot of data, for example in SaaS projects, because with proper automation of a GDPR-compliant process it will be much easier to scale when the numbers get really big.

  4. DSR management solutions

User requests usually trigger the real privacy processes in companies. Like:

  • Who is asking us? Is he a real person? Can he prove it?
  • What data does he want? Do we have it? Why do we have it?
  • He wants what? Do we really know such information about him?

And it goes on and on. If privacy compliance is declarative rather than real, a DSAR may even trigger an investigation by the Data Protection Authority (DPA).

There are many cases in which the DPA’s decision on penalties actually starts with something like “the user asked the company about his data, and the company replied”, and this communication is studied closely.

It’s true that good DSR management is based on privacy compliance, but the process itself is all about management. For sure, it’s possible to do it manually, but in that case companies may face a lack of standardization, different replies from different support employees, and different data subjects being treated differently.

So, how may DSR management solutions help?

  1. Contact points. DSR SaaS solutions may help establish privacy touch points on your web-site / app, in effect building automated contact centers with the respective UX buttons and so on. It’s a really user-friendly and data-subject-oriented approach.

Such a center may be located in the user’s personal web account, for example. In this case you will know that the DSR comes from the user (at least it should, as the user has already authenticated), and such a space may feel more secure for the data subject.

  2. An automated script for gathering information about the user for a specific type of request, for example a DSAR or an accuracy DSR. A data subject request solution may help with reply scripts and with filling in the data from the privacy flow. Of course, human supervision should be in place, but automating this process may make it quicker, more efficient and less time-consuming.

Thus, DSR privacy tech solutions may help with smart processing of the data subject requests. 

  5. Privacy compliance management platforms (PCMPs)

Privacy compliance is complicated, and the absence of visualization often leads to ineffective control over the privacy flows in the organization. You cannot measure a risk you don’t know about, because you don’t actually know that some data is being processed, or that some team members have not passed GDPR training, and so on.

The main advantage of using PCMPs is the possibility to see the bigger picture and, as a result, govern effectively. Imagine yourself as an architect or as the ruler of a big city. There are different districts and cars constantly moving: some of them move across the streets of the city, some of them enter the city and move further. New cars appear, and these flows never stop. Now try to consider each car as a piece of personal data and the different districts as different departments in your organization. So, data comes through the “marketing gates” and goes to “financial districts” for providing and invoices.

The other benefit of using PCMPs is better reporting and control. As you see what is going on at a glance, you may designate the respective key employees and privacy champions in the organization to report to you and “rule your privacy city” more effectively.

Of course, different privacy compliance management platforms provide different types of dashboards and tools, but having such an instrument that can be easily accessed and used testifies to the maturity of the organization.

What exact privacy tech solution should my company use?

Of course, here we took a look at only some types of privacy-tech solutions, and there is much more the market may offer the privacy officer. On the other hand, the buyer should be looking for a match: the tool has to satisfy the need.

For example, you may not need a DSR management solution if you have only 10 requests per month, but a company that handles a huge volume and many types of personal data should certainly take a look at data mapping and data inventory software.

Finding and, what is more important, combining and implementing privacy-tech solutions is a new challenge, and overcoming it is really beneficial both for the company and for its users. Don’t hesitate to contact our expert to guide you through possible privacy-tech options for your specific case.

Best.
