17 June 2024

Tools of the trade: What can privacy software actually help with?

Jonathan Gadir
Senior Consultant

elevenM’s Jonathan Gadir unpacks and explains different kinds of privacy software tools, what you can use them for, what you can’t use them for, and some questions or considerations you should have ready if you’re getting a demo.

The last few years has seen a proliferation of new privacy software tools, sometimes called privacy automation tools, all offering to make privacy compliance easier. These tools come with a lot of vendor buzzwords and jargon, making it tough to really understand what is on offer without booking in a demonstration (and even then, you need to know what to ask).

As a lot of organisations gear up to meet law reform changes, it’s likely that we’ll see an increase in the spruiking around these products and many organisations may see them as a fast path to compliance.

But first it’s important to know what you need, and what to ask, before you go into a vendor demo.

Governance vs data compliance

These tools are often referred to as privacy automation tools, but the word ‘automation’ is a misnomer here. What is really being offered is privacy workflow efficiency.

A useful categorisation is: governance efficiency tools vs data compliance efficiency tools.

Governance efficiency tools will help implement or streamline your privacy governance processes, such as various risk assessments or process mapping.

Data compliance tools will help with the technical work of implementing privacy compliance inside an organisation or for customer-facing websites. Many tools will have cloud-based and on-premises options, and some will be open source.

The following is a summary of some of the things privacy software can help with.

Governance efficiency tools

Privacy impact assessments (PIA) — instead of doing a privacy impact assessment in an Excel spreadsheet or a Word document which is then emailed around, you get a platform where multiple staff can collaborate on a PIA in a customisable template tailored to a particular jurisdiction and organisation where reports can be easily generated, reminders sent out, and risks recorded and tracked.

Vendor risk assessments — this is the same as for PIAs except the pre-built templates are questionnaires that help you do due diligence on vendors. These usually are also comprised of questionnaires the prospective vendors fill out and this allows for easy comparisons between different vendors. As an efficiency tool, it won’t do the actual due diligence checks – for example we aren’t currently aware of software that will query the national insolvency database or the register of company directors and tell you if the vendor has a clean record.

Record of Processing Activities (RoPA) / Data processing inventory — often PIAs are an efficient method to populate an inventory or, in GDPR-speak, a Record of Processing Activities (RoPA). When you complete a PIA in a template, you generate the answers needed to establish that you use system A to collect xyz data from customers and keep it in System B for xyz years. You can go a long way to creating a RoPA if you invest in a privacy platform that has both assessment and inventory or RoPA functionalities.

However, unless the people filling out your PIAs are privacy professionals, we would caution against relying on your PIAs entirely to create compliant RoPAs as there are specific requirements that have to be met that probably won’t be met by an average employee in your organisation simply describing in laymans terms the activity they are engaged in.

Access, correction and deletion request management — these types of tools consist of a portal for managing individual requests that your organisation may receive from customers or others whose data you collect. It is a kind of case management system for when someone asks for access to their personal information (PI) or correction of their PI as they are allowed to do under Australian, EU and many other privacy legal frameworks. Some solutions are more technically-oriented and offer to search your systems and implement the PI deletions where your system has standard file formats.

Things to consider

The promise of streamlined processes is an attractive one. But the reality is the efficiency gains could be more modest than expected. It is important to remember that these tools still rely on people to fill out templates with quality responses. As anyone who has used these tools will tell you, it takes time to learn and time to train others. 

A common issue is that these templates can be quite challenging for a non-privacy expert because the questions often default to using legal terminology that has a specific meaning  e.g. “data processor” or a term that only a privacy expert would know has regulator guidance sitting behind it.

If your privacy governance model relies on people throughout the organisation filling these out, you will probably need to re-engineer the questions to be more plain English. Once you start doing that you run into problems making the efficiencies work because you might lose the precision that allows integration with the inventory feature to work.

Therefore, you either need to do extensive training of your staff or concede you don’t want to impose this additional burden on them and maintain a privacy officer and specialist privacy staff to hand-hold everyone else in using the tool, or indeed do it for them.

And finally, these tools can produce an assessment, but they won’t solve a deficient governance process — whatever insights and recommendations come out of the assessment, they still need to be implemented by people and processes.

Data compliance tools

Data discovery or data mapping — Step one for any privacy program is knowing what data you have. For a great explanation of the value of tools in data mapping, see our previous blog on privacy tools and data processing inventories. In short, tools can look for PI in large datasets and identify what you have and any changes in real-time. They can be helpful in showing the flow of data through your organisation’s systems, including how it comes in, what happens to it, where it is stored and who has access.

An important aspect to consider is whether you need a tool capable of searching unstructured data such as emails, images or miscellaneous documents stored in your shared folders. Another aspect is whether you need a tool that will do physical document scanning or whether digital file scanning will be sufficient. Some tools allow you to visually explore the data with analytics features that generate charts, graphs and reports.

Classification — as above, classification is something that can be done by tools that search for keywords or groups of keywords and apply your pre-determined classification levels. This can also help if you are introducing a new classification scheme to your organisation. It helps in prioritising privacy maturity actions, knowing what level of access controls to apply, what is high-risk and what needs to have a short retention period.

Consent management — this is a very large slice of the market with many competing solutions. These software packages will usually create privacy notices and cookie banners based on your instructions and deploy them onto your website with pre-built templates to choose from.

The systems block tracking according to the choices made by the website visitor. Some products scan your website to detect what kind of tracking is being used and creates a cookie notice that reflects what it found. Some can generate a compliant banner template for over 50 countries and automatically display the banner in the right language.

Some tools go beyond cookie consent and allow you to record and implement consents for a variety of things like opting in and out of marketing emails, surveys or other personal information uses.

Another factor is whether it gives your users the simple banner or the multi-option banner in accordance with your needs.

Things to consider

When considering these solutions, think about whether the tool will integrate properly with your information management, website content management, digital marketing platform, and customer management systems and not create more headaches for the teams that manage these systems and own this information within the organisation.

You will also need to think about whether the software caters to Australia as well as any other national or state jurisdiction you need to operate within.

In summary

The days of AI doing a PIA from start to finish might be approaching, but we aren’t quite there yet. It may be that current tools are the best we can do because ultimately managing privacy risks is such a multi-faceted set of activities.

As we see from the tools we’ve mentioned, privacy software tools do a wide range of different things, all lumped under the label of privacy automation. Indeed, the big privacy software vendors like OneTrust and TrustArc offer many different solutions which are often sold as packages. Ultimately with these packages and the more niche products in the market, there is only one way to really find out if a solution is right for your organisation — book in a demo and ask lots of questions.

Contact us

If you’re interested in learning more about how to develop and implement privacy processes, contact us at hello@elevenM.com.au or on 1300 003 922.