A growing number of companies are looking to vendors with high-tech tools to help them navigate data privacy laws in the European Union, California and elsewhere.
The vendors offer products to help companies manage a wide range of data, such as tools that automate mapping out the information and moving it within the company. Others offer compliance tools that aim to help companies streamline data access requests.
“Consumers are demanding better control over their data, and legislators are scrambling to meet those demands,” said Richard Wells, a managing director at Insight Partners, a venture capital and private equity company. “As a result, the privacy technology sector only has room to grow, and will have to do so rapidly in order to keep pace.”
The number of privacy tech vendors jumped from 51 in 2017 to 224 so far in 2019, according to annual privacy tech vendor reports by the International Association of Privacy Professionals. Companies are tapping attorneys to help them decide what, if any, vendors they should hire to help comply with the new rules.
Investors are pouring money into privacy tech. They’re betting that the sector will keep growing as companies grapple with new privacy laws, including the EU’s General Data Protection Regulation, and the California Consumer Privacy Act, which takes effect Jan. 1.
TrustArc, a technology compliance and security company, said in July it secured a $70 million growth investment. Wells’s firm led a $200 million investment for OneTrust, an enterprise privacy and security software company.
“With each piece of regulation that’s passed—both in the U.S. and on a global scale—companies that operate across regions and borders will need help from technology providers that are able to scale alongside their needs,” Wells said.
The GDPR was the “first big driver” that forced companies to think about using privacy technology, Chris Babel, the CEO of TrustArc, said. The law, which took effect in May 2018, imposed new requirements that companies document their data processing activities and data retention policies, among other activities.
Corporate clients are asking outside counsel for advice on which privacy tech tools can help them comply with laws such as the GDPR, attorneys said. The risks of noncompliance, including fines and bad publicity, are spurring companies to shop for privacy management and compliance tools, they said.
Privacy attorneys say they look at factors such as company size and corporate culture, and data complexity and sensitivity, when weighing which vendors to recommend. The offerings vary, and every company implements the tools differently, attorneys said.
Some lawyers sit in on vendor demos and calls. Others stress what kinds of data-associated risks a company faces, so its executives and information technology leaders can decide for themselves which privacy tech tools they may need.
Companies that violate the GDPR can face fines of up to 4% of annual revenue. The CCPA will carry potential fines of up to $7,500 for each intentional violation.
“Organizations of every size, and in every industry, increasingly rely on data for competitive advantage and success,” Harry Valetk, of counsel in Baker McKenzie LLP’s global privacy and security practice group, said in an email. “The consequences for those that fail to get privacy right will be significant.”
Nearly one-quarter of respondents in an IAPP and TrustArc survey said they planned to purchase a product to help with data mapping and data flow over the next year. Seventy percent said they’d already bought a tool to monitor network activity, and 66% had purchased one to secure enterprise communications.
Some vendors offer products to help companies ensure their websites comply with relevant laws when installing cookies. They’re also offering software that can produce privacy impact assessments, automate encryption, use data intelligence to spot risks, and expedite incident and breach response.
Privacy attorneys say they also help their clients determine whether the tools are really effective.
Elizabeth Johnson, who leads Raleigh, North Carolina-based firm Wyrick Robins Yates & Ponton LLP’s privacy and data security practice group, said that clients have sent her team extracts from a system so the attorneys can advise on whether it meets their compliance obligations.
Privacy technology “should supplement and work hand in hand with privacy legal advice,” Odia Kagan, partner and chair of GDPR compliance and international privacy at Fox Rothschild LLP, said.