Privacy program: PwC

PwC’s Privacy Technology and Services Adoption Curve

“What technologies are ready to help us meet our privacy program objectives?”

PwC’s data privacy team is often asked this question by clients around the world. If you think compliance risks are growing faster than the headcount supporting Chief Information Officers (CIOs) and Chief Privacy Officers (CPOs), you’re not alone. Laws like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Brazil’s General Law on Data Protection (LGPD) are spurring companies everywhere to explore how enterprise technology solutions can scale their limited teams.

To help answer this question, we’ve pooled our global team’s anecdotal observations of technologies and related professional services.

We’ve intentionally left off information security solutions related to the protection of the confidentiality, integrity and availability of personal information. Our focus here is on solutions related to the collection, use and disclosure of personal data.

We propose that there’s an adoption cycle for privacy technology that follows an “S” curve: a slow-growth “beta” phase, followed by a rapid-growth phase and ending in a maturation phase. Where a technology sits on that curve can predict how long it will be until the market has shaken out and consolidated around a handful of mature, stable and popular solutions. The curve also arms CPOs and CIOs with a way to scrutinize the claims of companies who say they’re a phase or two ahead of other vendors. It’s important to note that we are not proposing a mathematical function or actual S curve, but rather a simple conceptual framework that resembles one.

Beta phase

The solutions in this phase exist at only a handful of companies or on an entrepreneur’s whiteboard, and are probably at least three years from reaching the maturation phase. Examples include:

artificial intelligence, machine learning and deep learning is used for predictive privacy compliance—including AI for data-subject rights (DSRs) and privacy impact assessments (PIAs)—relying less on human staff for these processes in order to achieve greater scale and timeliness
automated analysis of data against third-party contracts to determine appropriate use
data-ethics controls that augment a company’s privacy regulatory controls with new ethical values the corporate board has adopted
just-in-time privacy controls (such as privacy notices and role-based privacy training) that deliver in-the-moment knowledge modules to nonprivacy staff in the first line of defense, to help them meet new privacy-by-design requirements.

Rapid-growth phase

This phase is characterized by growing venture-capital interest, a growing number of new providers and rapid adoption by mature corporate privacy programs. The solutions we see in this phase include:

privacy program management that provides assessment results, metrics and reporting
workflow for PIAs (which got a big boost in adoption in last year’s GDPR push)
privacy consent management, privacy incident response, DSR workflow, anonymization and de-identification and privacy in the supply chain
AI-based data-discovery tools, such as identity resolution, intelligent data governance and tagging, and lineage analysis
extended application-programming interfaces (APIs) that allow for the interoperability of newer privacy solutions with legacy workflow-management platforms.

The adoption of these solutions is next in line for rapid growth as companies with large US operations scramble to prepare for CCPA.

Maturation phase

The technologies and services in this phase group are highly adopted by large multinationals and are steadily becoming commodities. Examples include:

privacy legal services, which are delivered in much the same way today as two decades ago at the advent of the first privacy laws in Europe and America
privacy notices, which are now ubiquitous on websites
cross-border data transfer policies and application materials, which have become standardized
manual data-lifecycle mapping and inventories and data subject rights (DSR) processes, which became ubiquitous among multinationals in last year’s run-up to the GDPR deadline.

As far as automation, website and cookie-scanning solutions and unstructured data discovery using DLP and e-discovery tools have matured into a steady state.

What does this all mean for corporate privacy programs? Three things:

Most companies are at least three years out from adopting tools that automate the global privacy office and bake in privacy requirements to the digital 1s and 0s coursing through enterprise servers. What we call the privacy “journey to code” is just underway for most companies.

During this pre-automation period, privacy regulators will have an easier time proving in investigations that a company’s privacy practices live only on paper and not consistently in its hardware, software, products and business processes.

Until more companies climb the adoption curve, companies will need to increase headcount and the number of contractors in order to effectively manage privacy risks that are increasing from regulatory, technology and business change.

What should companies do?

Test the readiness of the high-risk areas of the business to provide regulators with evidence of operational privacy controls that that are state of the art.

In high-risk areas showing weak controls, identify current technical capabilities and develop the business requirements to extend them and strengthen those controls. This takes you a step further on your “journey to code.”

Pilot new privacy technologies within high-risk and high-impact areas first.

Use the results of the pilots to define your organization’s future-state privacy technology ecosystem, moving toward an enterprise approach.

Develop a cross-functional task force including technology, data governance, data ethics, security, risk, compliance, legal and privacy experts to support evolving changes to the privacy technology baseline.