Not sure if you need a privacy operations platform?
Companies often do some of what's necessary, but not everything.
We talk to many different stakeholders in organizations concerned with privacy compliance. From sales, who want to sell the product or service faster, to heads of legal and compliance who want to be compliant while minimizing their spending.
Here we have collected some of the reactions we initially got. If you find yourself here, we should talk 🙂
-
Argument
We are advised on data protection by our external IT service providers. / We work together with an external IT support. He supports us with such questions and we are sufficiently covered. / We are already working with an external company that is responsible for our data protection and all IT. / We do this with our IT company have our IT partners in this regard and this is no longer an issue for us.
IT companies are great in what they do. They provide you with the necessary software and business applications to move your company forward. Sometimes they even offer data security solutions and consulting. But what they usually don’t provide is a specialized crew and solutions on privacy compliance. This topic is very much driven by legal aspects and less by IT questions. Information security is not privacy compliance.
Answer -
Argument
We are already working on this topic because we have the opportunity to acquire the relevant knowledge through a local group of companies.
Companies in Group structures are great. Relevant local knowledge can be acquired in the local markets and is the most relevant. But what about things like documentation and shared services? How are documentations kept for shared services? Does every local market keep their own records of shared services in their record of processing activities. What happens if the shared services must be edited? Must all records be updated? Our solution has you covered. Shared services update in every ROPA automatically.
Answer -
Argument
Our data is all in the cloud, from CRM to payroll accounting to entire course management and course materials. Our partners are certified hosting companies. We also use Google Business Apps for everything else. I am convinced that we have adequately protected our data, including their processes, which we have set out in regulations and which we review annually with internal audits and adjust them where necessary.
That sounds great. You’ve already got policies in place and are also updating them in accordance with the PDCA cycle. But what about monitoring your vendors and their data processing agreements? Is your data transferred to the US by using Google? What is the transfer mechanism you are using to staying compliant? Our solution makes sure that you have all your bases covered, not just some.
Answer -
Argument
We currently have our data protection requirements under control with our manual processes with little effort.
Cool, we have the same goal. Minimizing the effort you have to make to maintain privacy compliance. How do you keep track of the manual processes and make sure that you have a audit log on your processes? You want to make sure that all your manual processes have a clear audit trail to be able to show compliance. How do you do that? Doing it manually seems like a lot of effort?
Answer -
Argument
At the moment, this is not the determining priority for us.
Naturally, with Covid-19 and the radical change in business models and markets, privacy compliance is not the 1st priority. Yet, we believe it should be a determining priority. Why? Because over 63% of customers consider the privacy protections of any vendor before buying a product. From experience having software vendors as our customers, we can clearly say that the amount of DPA (Data Processing Agreements) negotiations and privacy audits pre-sale have increase. For your sales, it is definitely a determining factor.
Answer -
Argument
We looked at this topic in detail a good two years ago and implemented the corresponding organizational and technical adjustments.
Technical and organizational measures are one of the main pillars of privacy compliance. In some jurisdictions there are even personal fines of 250k for not having them in place. Besides the TOM, there are many more elements such as ROPA, DPIA, DPAs and risk management. If this was set up two years ago, these elements of privacy compliance should have been reviewed and updated at least yearly or as the risk profile dictates. Conducting reviews is an integral part of our software and secures your organization by providing evidence of a working PDCA cycle.
Answer