The Ultimate Guide to Buying Privacy Management Software

Privacy compliance is becoming ever more challenging in today’s data-driven world. This is especially true if you are operating in multiple jurisdictions, have a privacy program that goes beyond a simple policy, or have complex or high volumes of privacy management activities.

When your privacy program must comply with multiple privacy laws and numerous regulators, as is the case with the GDPR, the job of ensuring privacy compliance becomes an even greater challenge. Research-based privacy compliance software can help.

Privacy compliance software is divided into three categories:

  1. Legal Research Software;
  2. Privacy Office Support Software; and
  3. Privacy Management Software.

Nymity recently published the 2018 Privacy Compliance Software Buyer’s Guide to give organizations a comprehensive overview of these three software types, and to assist them in choosing the solution that is right for them.

In parts one and two of our three-part article series, we discussed legal research software and privacy office support software. Today, in the series conclusion, we will be taking an in-depth look at the third type of privacy compliance software: privacy management software.

Privacy management software helps you increase your efficiency and accuracy by automating complex or high volumes of privacy management activities, including privacy impact assessments (PIAs)/data protection impact assessments (DPIAs), data mapping/data inventory, and enterprise assessments.

The Evolution of Privacy Management Software

Privacy management software is not new to the marketplace, but recent innovations have taken it beyond basic automated questionnaires with simple workflow elements and rudimentary reporting. With advances in data visualization, expert systems, business intelligence and next-generation reporting, privacy management software has become considerably more robust and useful.

When Is Privacy Management Software Required?

Two factors determine whether your office is ready for privacy management software. The software works best once a privacy program has already been deployed in the organization; beyond that, automation pays off when:

1. Your privacy management activity volumes are high

If, for example, your organization conducts so many PIAs/DPIAs per year that tracking them in a spreadsheet is no longer viable, software can save significant time and resources.

2. There is much complexity in your business processes

If you have varied types of processing activities, multiple locations of business, complex legal obligations, and/or high-risk technical processing, a good software solution can help. This is especially true for modern software solutions that have legal obligations built-in.

How Privacy Management Software Can Help

The responsibilities of the privacy office include building and maintaining an effective privacy program consisting of policies, procedures and other mechanisms, sometimes referred to collectively as governance. Privacy management solutions support the individuals responsible for these tasks with:

  1. Privacy Impact Assessment (PIA)/Data Protection Impact Assessment (DPIA) Software if you need to automate PIAs/DPIAs.
  2. Data Mapping/Data Inventory Software if you need help managing your records of processing activities.
  3. Enterprise Assessment Software if you need to demonstrate accountability and/or compliance.

1. PIA/DPIA Software

PIAs and DPIAs are assessments that identify the privacy risks a processing activity poses to individuals and the measures needed to mitigate them. Advances in PIA automation have led to new approaches that improve efficiency and scalability. PIA and DPIA software typically includes the following basic functionality:

  • Questionnaires: Standardized questions, sometimes based on publicly available PIA templates from regulators and other authorities. Some questionnaires screen for the likelihood of high-risk processing, which indicates that further questions need to be asked.
  • Approval Process: A workflow in which one or more individuals must approve an action based on its risk, and can define actions that must be completed before a project is approved.
  • Risk Identification: A process that identifies risk, generally at the question level, and provides functionality to document and monitor mitigation measures.

From here, new generation PIA/DPIA software solutions have added any number of the following innovations:

  • Auto-High Risk DPIA Triggers
  • Auto-Accountability
  • Auto PbD (Privacy by Design)
  • Benefits to Individuals
  • Regulator Reporting
  • Expert Content and Systems
  • Multiple Approval Functions
  • Pre-Answered Questions
  • API-PIA for Data Importing and Exporting

GDPR Considerations for PIA/DPIA Software

Article 35 of the GDPR requires a DPIA where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons. The organization must identify the risks its processing of personal data poses to data subjects and the measures it will take to mitigate them. For processing that is not high risk, an impact assessment is still good practice.

Good PIA/DPIA software will help determine, for each EU Member State (whose supervisory authority publishes its own list of operations requiring a DPIA under Article 35(4)) as well as for other countries, whether a processing operation is to be treated as high risk. Good software will also help keep assessments up to date; the GDPR requires a review at least when the risk presented by the processing changes (Article 35(11)).
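As an added, illustrative example (not code from the original article or from Nymity's products), the following Python sketches how an automated high-risk DPIA trigger can be implemented on top of a screening questionnaire. It maps yes/no answers to the three cases in which Article 35(3) GDPR mandates a DPIA, to a per-country Article 35(4) list, and to the nine high-risk criteria of the Article 29 Working Party's DPIA guidelines (WP248 rev.01), whose rule of thumb is that processing meeting two or more criteria usually needs a DPIA. The questionnaire field names, the `Screening`/`decide` API and the national-list entry for country code "XX" are constructed for the example.

```python
"""Automated high-risk DPIA trigger over a screening questionnaire.

Added example, not product code. Decision logic:
  1. Article 35(3)(a)-(c) GDPR: processing types for which a DPIA is mandatory.
  2. Article 35(4): operations on the supervisory authority's published list
     for the relevant Member State (entries must be loaded from that list;
     the "XX" entry in the demo is constructed).
  3. WP248 rev.01 criteria: two or more met -> DPIA likely required;
     one met -> recommended, document the reasoning if you skip it.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Decision(Enum):
    DPIA_MANDATORY = "dpia_mandatory"
    DPIA_LIKELY_REQUIRED = "dpia_likely_required"
    DPIA_RECOMMENDED = "dpia_recommended"
    NO_DPIA_REQUIRED = "no_dpia_required"


# WP248 rev.01 high-risk criteria, keyed by the (constructed) questionnaire field that evidences them.
WP248_CRITERIA: Dict[str, str] = {
    "evaluation_or_scoring": "Evaluation or scoring, including profiling and predicting",
    "automated_decision_legal_effect": "Automated decision-making with legal or similarly significant effect",
    "systematic_monitoring": "Systematic monitoring",
    "sensitive_or_highly_personal_data": "Sensitive data or data of a highly personal nature",
    "large_scale": "Data processed on a large scale",
    "matching_or_combining_datasets": "Matching or combining datasets",
    "vulnerable_data_subjects": "Data concerning vulnerable data subjects",
    "innovative_technology": "Innovative use or application of new technological or organisational solutions",
    "prevents_rights_or_service": "Processing that prevents data subjects from exercising a right or using a service or contract",
}


@dataclass
class Screening:
    """Yes/no answers to the screening questionnaire plus the lead supervisory authority's country."""
    answers: Dict[str, bool]
    member_state: str = ""  # ISO 3166-1 alpha-2, e.g. "DE"; "" if no EU supervisory authority applies


@dataclass
class Result:
    decision: Decision
    mandatory_grounds: List[str] = field(default_factory=list)
    criteria_met: List[str] = field(default_factory=list)


def article_35_3_grounds(a: Dict[str, bool]) -> List[str]:
    """Return the Article 35(3) grounds evidenced by the answers (empty list if none)."""
    grounds = []
    # (a) systematic and extensive evaluation based on automated processing, including
    #     profiling, on which decisions with legal or similarly significant effects are based
    if a.get("evaluation_or_scoring") and a.get("automated_decision_legal_effect"):
        grounds.append("Art. 35(3)(a): automated evaluation with legal or similarly significant effect")
    # (b) large-scale processing of special categories (Art. 9) or criminal data (Art. 10)
    if a.get("large_scale") and a.get("special_category_or_criminal_data"):
        grounds.append("Art. 35(3)(b): large-scale processing of special-category or criminal data")
    # (c) systematic monitoring of a publicly accessible area on a large scale
    if a.get("large_scale") and a.get("systematic_monitoring") and a.get("publicly_accessible_area"):
        grounds.append("Art. 35(3)(c): large-scale systematic monitoring of a publicly accessible area")
    return grounds


def decide(s: Screening, national_lists: Optional[Dict[str, Set[str]]] = None) -> Result:
    """Classify a screening; national_lists maps country code -> Art. 35(4) list, as questionnaire fields."""
    grounds = article_35_3_grounds(s.answers)
    for op in sorted((national_lists or {}).get(s.member_state, set())):
        if s.answers.get(op):
            grounds.append(f"Art. 35(4) list ({s.member_state}): {op}")
    met = [label for key, label in WP248_CRITERIA.items() if s.answers.get(key)]
    if grounds:
        decision = Decision.DPIA_MANDATORY
    elif len(met) >= 2:
        decision = Decision.DPIA_LIKELY_REQUIRED
    elif len(met) == 1:
        decision = Decision.DPIA_RECOMMENDED
    else:
        decision = Decision.NO_DPIA_REQUIRED
    return Result(decision, grounds, met)


if __name__ == "__main__":
    # Constructed demo data; the "XX" national list is a placeholder, not a real authority's list.
    demo_lists = {"XX": {"employee_monitoring"}}
    cases = {
        "city-centre CCTV": Screening({"large_scale": True, "systematic_monitoring": True,
                                       "publicly_accessible_area": True}, "XX"),
        "HR performance scoring": Screening({"evaluation_or_scoring": True,
                                             "vulnerable_data_subjects": True}, "XX"),
        "workplace badge tracking": Screening({"employee_monitoring": True}, "XX"),
        "newsletter list": Screening({}, "XX"),
    }
    for name, screening in cases.items():
        r = decide(screening, demo_lists)
        print(f"{name}: {r.decision.value}; grounds={r.mandatory_grounds}; criteria={r.criteria_met}")
```

The point of separating `mandatory_grounds` from `criteria_met` is auditability: a regulator asking why a DPIA was or was not performed should be able to see the statutory ground or the WP248 criteria that drove the decision, not just a yes/no flag. The single-criterion "recommended" outcome is deliberately not silent, because WP248 expects the controller to document its reasoning when it decides a DPIA is not needed.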

2. Data Mapping/Data Inventory Software

Data mapping for compliance is often driven by regulator reporting. It requires organizations to identify where personal data is collected, stored and processed, the categories of data and of data subjects, and the legal grounds for processing and for any transfers. Data mapping software can record all of this and visualize data types and processing activities. Compliance data mapping software should support regulator inquiries and reporting, including the Article 30 GDPR record of processing activities.

The latest data mapping software includes time-saving innovations, including:

  • PIA/DPIA Integration
  • Expert Content and Systems
  • Data Subjects Rights Requests
  • Data Breach Support
  • API for Data Importing and Exporting

GDPR Considerations for Data Mapping/Data Inventory Software

The GDPR (Article 30) obliges controllers and processors to maintain a record of their processing activities and to make it available to the supervisory authority on request. In practice such a record can only be kept accurate through a complete data inventory and data mapping exercise, which at any scale is impractical to maintain without software.

3. Enterprise Assessment Software

Early enterprise assessment software held little value beyond an initial readiness questionnaire. Today, good enterprise assessment software takes an accountability-based approach to demonstrate the ongoing effectiveness of a privacy program. Such accountability-based assessments are often used to satisfy Binding Corporate Rules requirements, and also to fulfil obligations under a US consent decree, internal privacy program governance, or the GDPR.

Innovative functionality allows the latest enterprise assessment software to demonstrate ongoing compliance, including:

  • Historic Dashboard Visualizations
  • Custom Reports
  • Attestation-Based Platform
  • Risk-Based Scalability
  • Evidence-Based Approach
  • Program-Based Evidence
  • Knowledge Building
  • Audit-Based
  • Legal Expert Systems
  • PIA/DPIA Evidence and Reporting Integration
  • Flexible Assessments Timing and Reminders
  • Evidence Management
  • Weighting
  • Business Intelligence

GDPR Considerations for Enterprise Assessment Software

Article 24 of the GDPR requires organizations to implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, compliance, and to review and update those measures where necessary. Enterprise assessment software helps organizations track their capacity to comply and monitor the technical and organizational measures they have implemented at every level. Once set up, it supports not only GDPR compliance but also compliance with other laws and with internal policies such as Binding Corporate Rules.

For more information on how to choose the right privacy compliance software solutions for your organization, download Nymity’s 2018 Privacy Compliance Software Buyer’s Guide.