Organizations store personal information everywhere — on locally owned databases, in cloud-based servers, in SaaS solutions (e.g. Salesforce, Snowflake, Slack, Shopify, Zendesk, Zoom etc.), and throughout their supply chain.

A privacy program is only as good as the source of the data, so the first step for building your privacy program is to locate where all the personal data lives in your organization. Most modern companies don’t know where all the personal data is stored on an individual. In fact, many companies don’t even know all the systems it uses that contain personal data. According to Okta, the average organization uses upwards of 190 different enterprise applications to conduct business, many of which contain personal data.

When evaluating a privacy solution, it’s critical to understand how it identifies and takes inventory of all the places data is stored at an organization. Some solutions rely on you — the customer — to detect all the sources of data. Other solutions can detect new places where personal information is stored and data platforms that are unknown to you (also known as shadow IT). If you’re 100% confident you know where all data resides in your organization, you can opt for a solution that leans on you to take inventory of where data resides. For those who aren’t confident in their data locations, you should opt for a solution that can detect what systems you don’t know about.

The ideal data privacy solution will augment your existing inventory of known data sources with any additional data platforms it finds after integrating with systems in your IT environment. It should perform a system discovery and inventory to find any unknown sources of data, like SaaS applications brought on by different departments.

Detecting all the data platforms containing personal data is critical to complying with many elements of the new privacy regulations, including:

Once you’ve found all the applications, databases, systems, etc. that contain personal data, the next task is to connect and discover data within those systems so you can map and classify that data in such a way that it’s usable for your privacy program. Before we get to the “usable” part, let’s dive deeper into what it means to “connect and discover”.

A privacy solution should connect directly with your data sources so it can be updated in real-time to create a data map — a living blueprint of all the data in your organization. The data mapping functionality should automatically capture changes as new data is created & stored or a new data platform is added to your environment.

There are three core components to great data discovery: breadth, depth, and continuous accuracy.

Breadth of data discoverability

The ideal privacy solution should have the ability to integrate directly with all the different types of data platforms at your organization:

• Internally owned and managed data platforms (on-prem or hosted on AWS or Snowflake)
• Third-party SaaS solutions
• Structured and unstructured datasets

If you have personal information stored in SaaS apps, data lakes, and unstructured datasets, find a privacy solution robust enough to connect into all of your data platforms.

Take note: tackling an unstructured dataset requires distinct technology and some customization on behalf of the privacy solution. Find a privacy solution with an “unstructured integration” that is reusable and requires minimal customization to ensure a speedy onboarding and implementation. It’s best to avoid solutions that put unnecessary engineering work on your team or require multiple hours of professional services.

If you find that most of your data resides in third-party solutions (e.g. Salesforce, Mailchimp, Marketo, or Okta), prioritize a solution that does an excellent job using APIs and pre-built connectors to make onboarding and maintenance a breeze. Direct integrations ensure a quality foundation for your privacy program.

Depth of data coverage

For some, a solution that goes the extra mile to classify and correlate data is valuable. For larger organizations that handle a lot of data that might not be instantly attached to a person’s record, you may need a solution that does correlation — but this might not be necessary for all organizations.

The accuracy of data discovery is foundational to any privacy program. Seek out a solution that has strong data discovery capabilities to make it instantly usable for your privacy program.

Continuous accuracy

Data is dynamic, not static. Fields in data platforms are always changing, and so are the systems your organization uses to store personal data. This is where the concept of “usable” comes in. You should not be asked to fill out spreadsheets or surveys — this should all be automated, ensuring real-time accuracy so you can be continuously compliant. With real-time updates being made to your data map, you’re establishing a high quality data foundation and creating efficiencies at your organization.

The data map should be an integral part of the privacy management solution — not be in a separate platform or product that requires additional engineering work to be compatible with DSAR fulfillment and preference updates. Many legacy privacy vendors offer these capabilities as isolated, distinct solutions, which means they don’t integrate well, and therefore aren’t a one-stop-shop privacy solution.

A modern-day privacy solution should deliver automation with appropriate controls. First generations of data privacy solutions designed workflows and processes to help build the underpinnings of a privacy program.

But with new regulations, manual processes and dozens of spreadsheets are no longer sustainable. Even processing a few DSARs a month can create problems and disrupt daily business operations. Regardless of request volume, organizations are responsible for enumerating every business system containing personal data, how it’s used, and why. When conducted manually, RoPAs are extremely time-consuming and perpetually out-of-date since systems change all the time. Without a technology system to help automate processes and workflows, you’ll be buried beneath tedious and error-prone work.

Good privacy solutions automate repeatable processes and allow for organizations to add the appropriate controls and escalations. They are also designed to scale and easily add new functionality as new regulations emerge or existing regulations change.

Look for a privacy solution that can automate these regulatory requirements:

Data Subject Access Requests (DSAR)

The right solution automates a DSAR in minutes. There should be the ability to create controls and escalations so organizations can customize the process as needed. This includes all types of requests:

• The right to know (access requests)
• The right to be forgotten (deletion requests)
• The right to opt-out (Do-Not-Sell [DNS] requests)
• The right to data portability (portability requests)

It is important to note that the CCPA “opt-out” requests (i.e. DNS requests) give consumers the right to stop a business from selling their data to a third-party. It is not the same as GDPR or ePrivacy-required consent management, or cookie management, which fall under different regulations.

Be sure to find a solution that also automates the process of reaching out and communicating with service providers (processors and sub-processors) to ensure you’ve accurately fulfilled a DSAR.

Fraud comes up as a top concern when organizations realize that they will be handing over a PDF full of personal information to an individual exercising that right.

Your organization does not want to pass along personal information to the wrong person or to someone who is impersonating a customer.

Currently, many privacy solutions ask people to provide additional data to verify their identity — like uploading a selfie or scanning their passport or driver’s license. This method goes against the very spirit of these privacy regulations. Requiring a person to submit more personal information to protect their privacy was not the intention! Verification methods such as these have gained notoriety. Journalist Alastair Barr documented her negative experience in Bloomberg, and others have taken to Twitter to complain about their experiences (Forrester analyst Fatemeh Khatibloo and Coinbase PM Will Drevo).

To avoid upsetting your customers, find a privacy solution that uses existing personal information associated with a person’s record, such as purchase history or user behavior (e.g. games played, purchases, or products viewed) to securely validate the individual’s identity. Providing a crucial privacy-centric experience for individuals looking to safeguard their privacy is essential to preserving your brand and building a relationship of trust with your customers.

A privacy solution that doesn’t require additional personal information is a massive benefit to your organization: it minimizes risk by reducing the amount of PII you’re holding, making you less of a target for data breach. In many cases, businesses aren’t equipped or don’t want the responsibility of securely managing the storing, handling, and disposing of sensitive information and documents. A solution that leverages the existing data you have on file means that you’re not taking on any additional risk.

Privacy is a journey, not a destination. You need a partner who’s going to help you every step of the way as you navigate a new regulatory space that’s emerging.

That’s why it’s critical to choose a privacy solution that continues to work with you (without extra fees!) and builds your privacy program beyond the initial implementation.

Regarding implementation, a good privacy solution should be fairly straightforward and shouldn’t require much engineering time on your part. Implementing a privacy solution doesn’t need to be cumbersome or hard, but it does require a partner on the other side to ensure it goes well. When evaluating privacy management solutions, be sure to clearly understand the implementation process:

1. How long will it take to set up my data inventory and data discovery?
2. How many of my resources will it require?
3. How long does it take to onboard an individual business system?
4. How does the pricing scale as your organization grows?

Consider it a red flag if you’re expected to devote many engineers to implement a privacy solution, as this suggests limited automation and lots of professional services fees down the road. Some vendors offer professional services as an add-on, while others include customer support as part of the baseline costs. Make sure you know the difference upfront so you’re not stuck paying ongoing hidden fees.

Privacy is organic and forever-changing. In turn, you need a solution that can scale and a partner who is with you the entire way to guide you through future changes you might need to make.