Let’s state the obvious: No one wants a fine. But if you look at privacy management solely by this lens, you are missing the big picture. The days when privacy management was purely about mitigating negatives are over. Savvy firms with mature privacy programs leverage their work to deliver business outcomes that include superior customer engagement, more successful digital initiatives, stronger business resilience, and the unique opportunity to create trust with customers and partners. Sustained compliance with regulatory requirements is foundational to this vision. However, compliance alone — especially checklist compliance — must not be the ultimate goal of a privacy program.
To help customers select the most appropriate tool to support their privacy program with the desired outcomes of sustained compliance, we evaluated the 15 most relevant vendors in the privacy management software market. We learned that:
- Many vendors support compliance with specific requirements but undermine the real-life implications of getting there. Privacy compliance is complicated. Consider this: Certain tasks are not explicit requirements but still necessary to meet explicit requirements. For example, think about managing individuals’ privacy rights, such as data deletion or access, without taking care of customers’ identity verification. Or building a record of your processing activities that involves personal data, without knowing how personal data relates to specific business processes. Compliance with the rules means that organizations must take necessary steps to get there. Some of these practical implications are not written in the regulation, but they are the result of expertise and experience.
- Some vendors focus excessively on basic compliance and GDPR. I agree. GDPR has changed the world of privacy compliance forever. From CCPA to LGPD, GDPR-like requirements are popping up in many other privacy bills around the world. But assuming that compliance with GDPR is all customers need is a mistake. Firms must support navigating a landscape of privacy rules that is in continuous evolution and where basic compliance is not their ultimate goal.
- Few vendors support meaningful automation. Let’s say it clearly: Some logic built into a spreadsheet is not the degree of automation that revolutionizes privacy compliance. Most vendors offer this level of automation. Only a few have developed technology that can completely remove certain tasks, such as determining which specific regulatory requirements apply to a firm planning to expand in a new geography or having to figure out which data repositories to connect with every time a data access request comes in.
- Only a couple of vendors help to manage privacy in the broader business risk context. Risk professionals rate data privacy as the most concerning risk to their firm. They understand its impact is multifaceted: legal, strategic, financial, operational, reputational, and additional impacts depending on specific use cases. Only a couple of vendors help customers assess and mitigate privacy risks within this broader risk context. However, this ability to assess and operationalize privacy compliance against business context is essential to firms that want to leverage their privacy program to deliver meaningful business outcomes beyond compliance.
To learn more about this evaluation, read “The Forrester Wave™: Privacy Management Software, Q1 2020.”