Automating Data Protection and Privacy Compliance
According to the IAPP PrivacyTech Vendor Report 2018, there was a 386 per cent increase in the number of PrivacyTech vendors in the 12 months from when the GDPR was released in 2017, to its eventual enforcement in 2018. Impressive growth for a market three years ago hardly existed at all.
The market leader in PrivacyTech, currently boasts more than 2000 customers (as of Feb 2019) but in a market where it has been estimated that more than 75000 data protection officers will be required in organisations across the world to deal with the requirements of the GDPR this still only represents a potential 2.6 per cent market share globally.
Overall, the privacy landscape has improved, press attention is increasing, the numbers of privacy-related roles are at an all-time high and the recent spate of high-profile fines and intention notices against Facebook ($5B), British Airways (£183m), and Marriot (£99.2m) have certainly caught the attention of Board Directors and shareholders.
It would be fair to expect that a well-publicised increase in fines and enforcement action should equal an increase in budgets for privacy programmes and data governance as a whole, the reality is far different. Recent research conducted by Talend found that "74 per cent of the UK Organisations failed to address requests from individuals seeking to obtain a copy of their data within the one-month time limit required by the GDPR”.
With an apparent abundance of automation tools available, what is stopping companies from automating their journey to compliance, and what does the future hold for the PrivacyTech sector and privacy automation?
Firstly, it seems that the budget is still an issue. Privacy has taken centre stage in recent months and focus on compliance has increased, but this has not been immediately reflected in the budget process.
The challenge with selling a privacy program to a Board is that the benefits are still not widely understood, and there is no tangible benefit. You cannot see it, you cannot touch it, and it is very hard to demonstrate a return on investment unless there is a breach.
In the PrivacyTech sector, enterprise-wide privacy management is here to stay, but full-scale adoption is a long way from being the norm
Creating an effective privacy framework requires cultural change. A change that takes time and provides benefits that take are not always immediately apparent, and many organisations and indeed shareholders do not have the patience and expect instant results.
Automation costs money. To get an organisation to spend money, there must be a benefit, and for many, the benefits of automation are not yet visible.
The next stumbling block is ownership. As we have already seen with Facebook and Cambridge Analytica, Privacy is a cultural issue, and it affects the whole business. Despite this, privacy is still seen as compliance or legal problem, which can be handled as and when an issue arises, rather than as part of the fabric of the organisation.
Developing an effective privacy program is everyone’s responsibility.
It is no longer possible for multinational organisations to manage privacy compliance from a single department or team without additional support. Such support comes in the form of automation, but as we already know, automation costs money, money needs to be budgeted, and budgets need owners.
Until organisations can effectively understand the breadth and depth of an effective privacy program and assign ownership appropriately, it will continue to be a struggle to obtain the buy-in and ultimately the budget needed to attain the automation tools that are required.
The third and final sticking point in the quest for automation is the reliance on manual processes.
Given the immaturity of the PrivacyTech sector and the immediate urge for compliance in the run-up to May 2018, many organisations went for the only option available.
Some of the best-laid privacy programs are based on manual processes, supported by an abundance of Word, Excel, and SharePoint documents and managed by the very people who set them up.
We are creatures of habit, we like what we know, and we don't like the unknown, most established organisations also follow the age-old rule ‘if it is not broke, do not fix it'.
To achieve automation, organisations must first understand what they are already doing; they then need to rebuild these processes in an automated solution while still moving forward. A challenge that can only be likened to changing a car tyre, while driving down the motorway, in a country you have never driven in before.
The move to automation requires a move in the corporate mindset. Privacy and data protection as a whole needs to be viewed as a business benefit, not a business burden. When organisations accept that, then I think we will see greater and swifter adoption of automated privacy tech.
The benefits of automation, to me, are clear and given the recent levels of investment in the PrivacyTech sector, enterprise-wide privacy management is here to stay, but full-scale adoption is a long way from being the norm.