The solutions in this phase exist at only a handful of companies or on an entrepreneur’s whiteboard, and are probably at least three years from reaching the maturation phase. Examples include:
- artificial intelligence, machine learning and deep learning used for predictive privacy compliance—including AI for data-subject rights (DSRs) and privacy impact assessments (PIAs)—relying less on human staff for these processes in order to achieve greater scale and timeliness
- automated analysis of data against third-party contracts to determine appropriate use
- data-ethics controls that augment a company’s privacy regulatory controls with new ethical values the corporate board has adopted
- just-in-time privacy controls (such as privacy notices and role-based privacy training) that deliver in-the-moment knowledge modules to nonprivacy staff in the first line of defense, to help them meet new privacy-by-design requirements.
This phase is characterized by growing venture-capital interest, a growing number of new providers and rapid adoption by mature corporate privacy programs. The solutions we see in this phase include:
- privacy program management that provides assessment results, metrics and reporting
- workflow for PIAs (which got a big boost in adoption in last year’s GDPR push)
- privacy consent management, privacy incident response, DSR workflow, anonymization and de-identification, and privacy in the supply chain
- AI-based data-discovery tools, such as identity resolution, intelligent data governance and tagging, and lineage analysis
- extended application-programming interfaces (APIs) that allow for the interoperability of newer privacy solutions with legacy workflow-management platforms.
The adoption of these solutions is next in line for rapid growth as companies with large US operations scramble to prepare for CCPA.
The technologies and services in this phase are highly adopted by large multinationals and are steadily becoming commodities. Examples include:
- privacy legal services, which are delivered in much the same way today as two decades ago at the advent of the first privacy laws in Europe and America
- privacy notices, which are now ubiquitous on websites
- cross-border data transfer policies and application materials, which have become standardized
- manual data-lifecycle mapping and inventories and data subject rights (DSR) processes, which became ubiquitous among multinationals in last year’s run-up to the GDPR deadline.
As for automation, website- and cookie-scanning solutions and unstructured data discovery using DLP and e-discovery tools have matured into a steady state.