There are now five U.S. states which have passed broad data privacy regulations (California, Virginia, Colorado, Utah, and most recently Connecticut) and several countries around the world which have done the same. As more privacy regulations emerge and the requirements associated with them continue to expand and grow more complex, organizations are implementing various technical systems needed for compliance purposes and for effectively managing a modern privacy program.
Some of the biggest areas addressed by these solutions include:
- Data Inventory: Most modern organizations store huge amounts of data spread across many different systems and much of this data includes personal information. While most privacy regulations don’t explicitly require building a data inventory, many of their explicit requirements cannot be met without understanding where personal information exists. Some systems store “structured” data in databases, which is relatively easy to identify and categorize. Others store “unstructured” data in the form of various files or contained within emails, which is considerably more difficult to identify and categorize. Technology systems are imperative for building and maintaining an effective data inventory.
- Privacy Rights Requests: Most of these privacy regulations grant rights to individuals to make requests of organizations with respect to their personal information. The list of such rights and related types of requests continues to grow. A technology system can help immensely with managing the intake and adjudication of these requests. In addition, organizations must integrate such a system with many of their other systems (per the data inventory) to retrieve, update or delete an individual’s data when fulfilling these requests.
- Consent & Preference Management: Some types of privacy rights requests relate to an individual opting into or out of certain uses of their personal information. For example, they may not want their personal information shared with or sold to third parties. Two of the common scenarios for managing such sharing/selling involve consent around the use of third-party cookies on websites and the sharing of data via third-party SDKs (Software Development Kits) embedded into mobile apps. Technology systems are valuable for identifying where third-party cookies and SDKs exist as well as for managing and enforcing individual consent around both. In addition to privacy-oriented consent, individuals can also express preferences related to other things such as receiving marketing communications. As the number of consent and preference use cases grows, technology systems are becoming critical to managing these in a centralized manner with a streamlined user experience.
- Records & Information Management: A large number of regulations exist which require organizations to retain certain types of data for a minimum period of time. Other regulations require companies to dispose of certain types of data after a maximum period of time. These requirements apply to more than just personal information, but there is definitely a big privacy component. New regulations coming into effect soon such as the CPRA (California Privacy Rights Act) also require a new degree of transparency around an organization’s retention and disposal practices. In addition to understanding where all this data lives, technology systems are an important tool for implementing defensible practices.
To efficiently integrate the activities described above, maturing privacy programs are focused on Privacy Solution Architecture.
Solution architecture encourages a shared technical vision across a range of related technology systems, meant to ensure that each new system introduced is (1) a fit for its intended purpose and (2) coherent within an organization’s overall technology environment.
Extending this definition to “privacy solution architecture” means applying these concepts to solutions in the privacy domain, and they are critical for both privacy and IT teams within an organization to consider. Solution architecture addresses various needs while keeping the business context (privacy in this case) intact. When implemented properly, it specifies and documents technology platforms, system components, functional requirements, resource requirements, and many other types of requirements. The benefits of developing Privacy Solution Architecture include the following:
- Privacy Solution Architecture encourages a shared technical vision: This requires that the options for a given privacy system be evaluated not only on the basis of how well they solve for a given set of functional requirements, but also on the basis of how well they fit into an organization’s overall technology roadmap. This is important for purposes of long-term sustainability among other reasons. In large organizations, it also helps to reduce costs by minimizing the proliferation of multiple systems which serve the same or similar purposes.
- …across a range of related technology systems: This requires that an organization consider the other systems with which a new privacy system must integrate. This is especially important when automating such integrations, for example in the context of fulfilling privacy rights requests or managing a centralized consent/preference solution.
- …meant to ensure that each new system introduced is (1) a fit for its intended purpose: This requires that an organization understand and document the intended purpose before selecting and implementing a new privacy system to fulfill that purpose. This might seem obvious, but it is staggering how often technology systems are selected without having first defined and documented the requirements they must support. Not doing this at all, or doing it poorly, is one of the biggest reasons why many technology projects fail.
- …meant to ensure that each new system introduced is (2) coherent within an organization’s overall technology environment: This requires that the technology platform underlying a new privacy system be aligned as much as possible with the technology platforms underlying other systems. Most IT teams have limited resources and only certain technical skill sets, so it’s important to consider not only how to implement a new system but also how it will be maintained over time. In some cases, using differing technology platforms may also introduce limitations with respect to integration and compatibility.
These concepts are important in any business context. They are especially important in the context of privacy because the range of related technology systems is already very broad and continuing to expand as more privacy regulations and requirements emerge. When considering how to solve for the technology needs of your organization’s privacy program, involve your architecture team early and often. Given the expanding list of privacy systems needed, it is also wise to enlist help from others who not only know how to select and implement such systems, but also understand how to factor in the privacy-centric architectural ramifications of doing so.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.