The evolution of Privacy Management software. Part 1: its past
As the volume and complexity of data processings is becoming ever more challenging in today’s data-driven world, privacy management software offers the ideal solution. Because by automating privacy management activities, you should be able to mitigate risk, build accountability, and aim ongoing compliance. It's development, however, doesn't stand still. And, as it increasingly makes the lives of privacy professionals easier, many seem to wonder: 'what else does it hold in store for me?'
To give you a little bit more insight in the development of privacy management software, we have written three blogs about its evolution. In this entry, we will start off by providing a little bit of a background story as to how it all came together.
From pens and paper to automated accountability
Even though privacy management has a long past, the history of accompanying software solutions is very short. Only a few years ago, the tools of privacy professionals were pens, paper and other ordinary means of administration. Writing policies down was necessary according to the law, but the administrative burden in relation to privacy compliance slowly became heavier and heavier. In this process, pro-active and responsible organisations would set up a privacy program, including privacy training, definition of roles and responsibilities, regular reviews of the procedures, and, if there was any room; a manual audit. However, these efforts often resulted in the use of lengthy text documents or unreadable spreadsheets in order to store the results.
While such steps were – and are – valuable in and of themselves, this kind of approach started to show its limits. Especially when dealing with the extremely large data sets that were being collected and used by an increasing number of information-hungry organisations. It soon became clear that – in contrast to data analytics tools – the technology that was actually used to solve privacy problems appeared to have come out of the Stone Age. Something more was needed.
It was in 2014, the year which saw the birth of Privacy Company, that Founder and CEO Frank Koppejan encountered a similar problem. When supporting his clients, he would have to ask them a large number of questions in order to understand what the privacy compliance status of their company would be. After all, it was only this information that allowed him to perform adequate assessments. But he would have to do this every time. All the time. It was this repetitiveness that gave him the idea to create html forms that his clients could then easily access and fill in online. That way, the amount of work both he and his clients would have to do could be lowered significantly: The first steps towards automated accountability.
But when asking our first developers to build these html forms, he received an adamant refusal. “No, we will give you something better,” they said. “We will give you a way to make your forms. Digitally. That way, the moment you want to make a different form, you can do it yourself, and you don't have to bother any developers.”
And immediately, this technical request – this idea to automate privacy accountability – turned into a question of what it was that privacy professionals would really need. To truly understand what the underlying problem was for the people who would actually use this software; privacy officers, data protection officers, information security officers, and others. What kind of challenges these people would face when they were trying to do their (legal) jobs and we, as a development team, could create software that would help with that? Ideally, we wanted to build software that would make people’s lives easier.
But how could we realize this? What exactly were these challenges?
The challenge was to translate complex regulation into practical questions that were actually understandable for everyone in an organisation - not just the legal department. After all, privacy and data protection are no longer areas that are solely reserved for a single type of expertise. Hence, we decided to focus our data inventory forms on determining the actual situation of an organisation, rather than legal qualifications. This fact-based approach allowed for future-proof results, even if regulations should change over time. By emphasising usability, privacy professionals were also able to use our software without the need for IT support. One small step for privacy management software, one giant leap for the privacy office.
If you are responsible for creating the initial record of processing activities – or maintaining it – you might know that it is quite a challenge to do so all by yourself. While you ideally want to involve the people that are responsible for processing personal data as much as possible, what you don’t want is to give unauthorised people certain roles and responsibilities that they can misuse. To solve this challenge, one of the first things we did, was to support them in developing good governance structures. To help organisations create transparency and accountability in their management of data protection by a clear division of roles and responsibilities.
It appeared that a simple registry of information systems and processing activities was merely a basic prerequisite. Much like the lengthy text documents or unreadable spreadsheets that would no longer do, manual, point-in-time, procedural audits were no longer sufficient. Our users needed more information. That’s why we created a platform where metadata about systems and processing activities was gathered in a way that gave our users a complete overview of the state of affairs of personal data in their organisation, both at specific moments and over time. All of this information is gathered on our dashboard, where we also provide automated risk analyses to help the privacy professional quickly locate vulnerable areas that require their attention.
Now this approach can’t prevent all mistakes and incidents – things can always go wrong, and mostly they do at some point. But by continuously monitoring and reporting on progress and potential risks, privacy professionals are now able to easily get a grip on the current compliance status of their organisation.
In the next blog
By solving the underlying problems for the people who would actually use this software, we hoped that privacy professionals could finally sleep a bit more peaceful at night. However, as these things go, solving one problem lead to another. Because how does one create a complete inventory? And how does an organisation successfully manage it? Or, in a nutshell: when is good, good enough? In the next article about the current evolution of privacy management software, we’ll tell you all about it!