PwC’s Privacy Technology and Services Adoption Curve

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.

“What technologies are ready to help us meet our privacy program objectives?”

PwC’s data privacy team is often asked this question by clients around the world. If you think compliance risks are growing faster than the headcount supporting Chief Information Officers (CIOs) and Chief Privacy Officers (CPOs), you’re not alone. Laws like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Brazil’s General Law on Data Protection (LGPD) are spurring companies everywhere to explore how enterprise technology solutions can scale their limited teams.

To help answer this question, we’ve pooled our global team’s anecdotal observations of technologies and related professional services.

We’ve intentionally left off information security solutions related to the protection of the confidentiality, integrity and availability of personal information. Our focus here is on solutions related to the collection, use and disclosure of personal data.

We propose that there’s an adoption cycle for privacy technology that follows an “S” curve: a slow-growth “beta” phase, followed by a rapid-growth phase and ending in a maturation phase. Where a technology sits on that curve can predict how long it will be until the market has shaken out and consolidated around a handful of mature, stable and popular solutions. The curve also arms CPOs and CIOs with a way to scrutinize the claims of companies who say they’re a phase or two ahead of other vendors. It’s important to note that we are not proposing a mathematical function or actual S curve, but rather a simple conceptual framework that resembles one.

Highlights from the adoption cycle

Beta phase

The solutions in this phase exist at only a handful of companies or on an entrepreneur’s whiteboard, and are probably at least three years from reaching the maturation phase. Examples include:

  • artificial intelligence, machine learning and deep learning is used for predictive privacy compliance—including AI for data-subject rights (DSRs) and privacy impact assessments (PIAs)—relying less on human staff for these processes in order to achieve greater scale and timeliness
  • automated analysis of data against third-party contracts to determine appropriate use
  • data-ethics controls that augment a company’s privacy regulatory controls with new ethical values the corporate board has adopted
  • just-in-time privacy controls (such as privacy notices and role-based privacy training) that deliver in-the-moment knowledge modules to nonprivacy staff in the first line of defense, to help them meet new privacy-by-design requirements.

View more

Rapid-growth phase

This phase is characterized by growing venture-capital interest, a growing number of new providers and rapid adoption by mature corporate privacy programs. The solutions we see in this phase include:

  • privacy program management that provides assessment results, metrics and reporting
  • workflow for PIAs (which got a big boost in adoption in last year’s GDPR push)
  • privacy consent management, privacy incident response, DSR workflow, anonymization and de-identification and privacy in the supply chain
  • AI-based data-discovery tools, such as identity resolution, intelligent data governance and tagging, and lineage analysis
  • extended application-programming interfaces (APIs) that allow for the interoperability of newer privacy solutions with legacy workflow-management platforms.

The adoption of these solutions is next in line for rapid growth as companies with large US operations scramble to prepare for CCPA.

View more

Maturation phase

The technologies and services in this phase group are highly adopted by large multinationals and are steadily becoming commodities. Examples include:

  • privacy legal services, which are delivered in much the same way today as two decades ago at the advent of the first privacy laws in Europe and America
  • privacy notices, which are now ubiquitous on websites
  • cross-border data transfer policies and application materials, which have become standardized
  • manual data-lifecycle mapping and inventories and data subject rights (DSR) processes, which became ubiquitous among multinationals in last year’s run-up to the GDPR deadline. 

As far as automation, website and cookie-scanning solutions and unstructured data discovery using DLP and e-discovery tools have matured into a steady state.

View more

What does this all mean for corporate privacy programs? Three things:

  • Most companies are at least three years out from adopting tools that automate the global privacy office and bake in privacy requirements to the digital 1s and 0s coursing through enterprise servers. What we call the privacy “journey to code” is just underway for most companies.
  • During this pre-automation period, privacy regulators will have an easier time proving in investigations that a company’s privacy practices live only on paper and not consistently in its hardware, software, products and business processes.
  • Until more companies climb the adoption curve, companies will need to increase headcount and the number of contractors in order to effectively manage privacy risks that are increasing from regulatory, technology and business change.

What should companies do?

  1. Test the readiness of the high-risk areas of the business to provide regulators with evidence of operational privacy controls that that are state of the art.
  2. In high-risk areas showing weak controls, identify current technical capabilities and develop the business requirements to extend them and strengthen those controls. This takes you a step further on your “journey to code.”
  3. Pilot new privacy technologies within high-risk and high-impact areas first.
  4. Use the results of the pilots to define your organization’s future-state privacy technology ecosystem, moving toward an enterprise approach.
  5. Develop a cross-functional task force including technology, data governance, data ethics, security, risk, compliance, legal and privacy experts to support evolving changes to the privacy technology baseline.

Contact us

Jay Cline

US Privacy Leader, Principal, PwC US

Follow us