Today, many software solutions claim to offer something in the field of privacy management. Whether it concerns scanning websites, inventorying the processing of personal data or registering data leaks, there is a software-based solution for every problem.
The market for privacy management software has therefore exploded in recent years. Whereas in 2017 only 55 providers were involved, this has now doubled to more than 120 providers. In the past two years alone, dozens of startups have emerged to offer technological solutions for organisations. All these solutions help organisations to better implement the protection of personal data, to comply with the General Data Protection Regulation (GDPR) and the upcoming ePrivacy Regulation, and to assess and mitigate the associated risks.
It is therefore not surprising that many organisations find the choice overwhelming. What kind of privacy management software is right for your organisation? The answer is not straightforward and always depends on the size or maturity of the organisation and on what specifically is done with personal data. That is why this blog tries to offer some guidance for choosing privacy management software.
To make a good choice we first need to know what choices there are. Here we start from the categories of privacy management software as defined by the IAPP (International Association of Privacy Professionals). The IAPP first distinguishes between software solutions that are specifically intended to support the privacy team (privacy software) and software solutions that support the privacy team in addition to functionalities that can be used more widely within the organisation (enterprise software).
The first category often concerns software solutions that have been developed specifically with a view to privacy compliance. The second category, on the other hand, often includes software solutions that have been expanded with privacy modules or that can be used to meet certain obligations of the GDPR, but were not specifically developed for this purpose. This does not mean that this type of software is inferior to the software in the first category, only that it has been developed with a different approach.
Within these two main categories, the IAPP then distinguishes different types of functionalities. See the list below for an overview and explanation of the different functionalities:
Assessment managers - Performing various substantive assessments in the area of privacy.
Consent managers - Maintaining and managing consent given by data subjects.
Data mapping - Mapping the different types of personal data and processing within your organisation.
Incident management - Administering and handling data leaks.
Privacy information managers - Providing an overview of relevant privacy laws and regulations.
Website scanning - Generating overviews of all cookies, beacons and other trackers that need to be communicated to the data subject.
Activity monitoring - Tracking all actions that take place with personal data within the organisation.
Data discovery - Automated collection of information about the types of personal data that are present within an organisation.
De-identification/pseudonymisation solutions - De-identification/pseudonymisation of data so that it can be used without endangering the privacy of the data subjects.
Secure means of communication - Enabling internal communication without risk of (data) leaks.
With the above overview, the choice for certain software has obviously not yet been made. For this it is necessary to critically examine the privacy management status of your organisation. In principle, each of the above functionalities is useful for privacy management within your organisation. Functionalities such as 'privacy information managers', 'de-identification' and 'secure means of communication' are always useful to have when dealing with personal data, but are generally not the first things to focus on when little or nothing has been done to maintain privacy.
When your organisation has little information about the processing that is taking place and the personal data that are involved, it is advisable to focus on 'data mapping' and 'data discovery', possibly together with 'website scanning' and 'activity monitoring'. These functionalities generate certain essential information for your privacy management. The information that is collected can then help with 'assessment management', 'incident management' and 'consent management' within your organisation.
Note: Privacy management software can do a lot, but it never replaces good policy or awareness within an organisation. Therefore, always think more broadly than just software and ask the question: How can privacy management software support me in the privacy management within my organisation?
Good luck with finding and purchasing privacy management software that fits your organisation! Also take a look at Privacy Nexus: with Privacy Nexus we offer a data mapping module to create a register of processing operations, an assessment manager for privacy impact assessments (PIAs) to map out the privacy risks of a data processing operation in advance (and then to be able to take measures to reduce the risks), and modules to monitor, for example, the compliance of suppliers and third parties. It is specifically developed for compliance with the GDPR.