Most companies today handle oceans of data on a regular basis, and chances are there is much more beneath the surface that they are not even aware of. It is this hidden data, and the "gray areas" around it, that often leads to incidents, and it is where privacy legislation is taking direct aim.
While legislation and privacy crackdowns are good for consumers, they have put increased strain on organizations to maintain compliance and to give customers tools to manage individual rights and consent and to submit data requests. To manage this, many have turned to data privacy rights management solutions to do the heavy lifting. These solutions help maintain compliance, keep pace with ever-evolving privacy laws and automate consumers' requests for access, deletion, correction and 'Do Not Sell'.
But, not all solutions are created equal. To choose the right one for your organization, here are four tips to consider:
Tip 1: Start with the Right People
Depending on your industry, location and the type of personal data in your systems, your company may be subject to the General Data Protection Regulation (GDPR), one of the U.S. state privacy laws (California, Colorado, Virginia, Utah, etc.), the Health Insurance Portability and Accountability Act (HIPAA), or other privacy laws. Each has its own criteria and requirements, and it is imperative to know which ones your company is subject to and what full compliance requires.
For instance, GDPR requires certain organizations to appoint a data protection officer (DPO) to oversee data protection; under Article 37 this applies to public authorities and to organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. But even for companies that do not fall under that obligation, it is still wise to designate an individual or small team committed to overseeing the data privacy strategy. This could be someone from a particular business unit such as IT, your vendor management office, the legal department, the security group, or some combination of key stakeholders. The team must work collaboratively to assess compliance requirements and evaluate vendor solutions.
Tip 2: Ask the Right Questions
As you or your designated team determine what you want and need in a solution, ask the following questions:
- What are your current data protection needs, and how do you expect them to evolve? The immediate goal may simply be to achieve compliance, but what about next year or five years from now? Look ahead and consider how your needs might change. Even if consumer request management is not a significant need right now, what if a breach or another event triggers a major uptick in requests? You will want a vendor or solution that can scale with your organization's needs and automate the most time-consuming parts of your workflow. Seek out a system that protects your data both as it exists today and as it will exist in the future.
- Do we need a vendor that specializes in a particular niche? Is the vendor a generalist or a specialist? Often, the one-stop, all-encompassing solutions lack deep domain expertise in privacy rights management. For instance, Truyo specializes in privacy rights management and automation, and because we have doubled down on this specific focus, we have come to be known as a best-in-class solution.
Additionally, with some of the all-in-one solutions you often end up paying for features and functions you do not need, which adds complexity to the user experience. When evaluating solutions, investigate the user experience, how well the vendor knows the specific areas of data privacy and compliance that apply to you, and whether you will be stuck with unnecessary features and functions.
- How will the privacy management platform affect your customer experience? It is easy to overlook the fact that, while data protection changes are ultimately positive for the consumer, they also disrupt the consumer's experience with your business to some degree. The online experience is now bombarded with consent pop-ups, checkboxes and portals, and these can be invasive and off-putting. The goal is to maintain compliance while keeping the experience smooth and positive. Ask potential vendors how their solution will affect the customer experience. It should improve it, not detract from it.
Tip 3: Look for a Partner, Not a Vendor
Gathering the data, and the change management that comes with developing and implementing a privacy rights program, can feel like an insurmountable task for many organizations. Chances are the data is not housed in one easy-to-locate place. For most, it is spread across a smattering of systems, including SaaS tools and third-party processors, and the first job is simply to find it.
A true partner should take a vested interest in alleviating this burden. That means taking the time to truly understand your organization's needs in order to create the right solution for you, as well as taking on the work of wrangling your data.
Tip 4: Watch for Red Flags
Finally, there are a few warning signs to be aware of as you evaluate vendors. These include:
- Lack of emphasis on security. A privacy rights platform handles exactly the data you are trying to protect, so the vendor should be open and transparent about its security measures: how it verifies the identity of the person making a request (so that a rights request cannot be used to obtain someone else's data), how data is encrypted in transit and at rest, who at the vendor can access your data, and what independent assessments or certifications back those claims up. Vague assurances such as "bank-level security" are not a substitute for specifics.
- Limited reporting. With regulations often come audits. If the system does not automatically log every request and its handling (who asked, how they were verified, what was done, by whom and when) and produce detailed reports from those records, you will be in a bind when you have to prove compliance.
- Inadequate automation. The entire purpose of a privacy rights management system is to help you achieve compliance while alleviating the operational overhead, and that requires genuine automation. The right system should automatically delete, change or anonymize data across all of your systems, and automatically search for, extract and present data to the requesting user, rather than simply creating workflows for your team to execute by hand. Confirm that the vendor can actually connect to the systems where your data lives, and that completed actions are verifiable after the fact rather than taken on trust.
With privacy legislation growing more complex, aligning with the right vendor is critical. Do your due diligence and make sure the right stakeholders have a seat at the table during the selection process. As you narrow the list, make sure the vendor will serve as a true partner over the long haul and has the deep domain expertise to keep you compliant, especially as privacy legislation evolves.