Welcome to the PwC Privacy webinar series
Getting practical with POPIA - Session #3
Practical considerations for using Technology to support your privacy programme

People Process Technology
Why would you need tools and technology?
Which areas of your privacy programme will benefit most from technology enablement?
Other technology options (other than privacy management tools)
Selection criteria for Buy or Build decisions
Case studies
Privacy management tools and other technology options to accelerate your programme
- Charles Fischer (PwC SA)
The challenges of technology enablement
Many of the privacy management tools available are relatively new, with expensive license fees
Configuring connectors is complex and can result in performance issues
Security needs to be considered
Precursors like data governance and quality
Require technical skills to build your own technology
Technology can support and accelerate your implementation programme
Reduce resource requirements
Technology increases sustainability of privacy compliance
Easier to keep your data inventories up to date and identify changes
Repeatability of privacy processes
role
Rights fulfillment
Confirm 3rd party compliance
Ensure Quality of PI
Establish Data breach reporting
Privacy gap or readiness assessments
Need to understand what data is processed and the impact of PPI Act and your readiness to comply
Typically would be done through questionnaires and checklists
A gap or readiness assessment would typically cover:
Privacy governance and strategy
List of gaps, identify high risk areas / information assets
Prepare a risk-based or Prioritised roadmap for implementation
Important part to demonstrate that privacy risks are properly considered
Natural place to start your programme is to do a gap or readiness assessment.
PPI Act Applicability
Future requirement: Need to analyse impact of business or system changes to ensure privacy compliance
(similar to PIA from GDPR, but not as onerous)
Privacy gap assessment tools and technology
Automate the assessment of privacy applicability, risks and gaps and other information in the
organisation to guide the implementation effort.
Key features of tools
content, require customisation
Other technology options
Google Forms, Microsoft Teams/SharePoint etc.
Free high-level gap assessments
Organisations are struggling to understand what personal identifiable data they have, how it moves
through the information lifecycle and what controls are in place.
Collection Storage Use Transfer Retention
Disposal Data subject requests
data and risks
include:
Key features of Data mapping tools
Automated assessment questionnaires
Dashboards (types of PI, assets, regions)
Central recordkeeping and security
request provisioning modules
Comprehensive data source coverage
Identity matching across multiple data
sources (Machine learning or AI
capabilities)
Service request tickets
Data mapping and discovery tools and technology
A. Data mapping solutions can come in manual or automated form
and help organisations determine data flows throughout the
enterprise.
B. Data discovery tends to be an automated technology that
helps organizations determine and classify what kind of personal
data they possess to help manage privacy risk and compliance
Other options: Data mapping
document reviews to perform a “top down”
mapping of data flows
forms to capture information
Visualise and analyse data in existing
technologies, e.g. PowerBI, Tableau
Build scripts in-house to analyse data assets
Leverage software vendor and cloud native solutions
where available
Data subject requests
Section 5 of the PPI Act allows for the rights of data subjects
The number of data subject requests (DSRs) will differ from organisation to organisation
Manage risks associated with DSRs
Organisations need to put in place processes/technology
to allow for:
Search and update of data
A manual process for DSR fulfillment will be time
consuming and would benefit from technology
Provide for Data subject
Rights fulfillment
As the public becomes more aware of their rights we will see an increase in data subjects exercising their
rights
Data subject request tools and technologies
Automate the assessment of privacy applicability, risks and gaps and other information in the organisation to
guide the implementation effort.
Key features of tools
Validate identity of data subjects
Automated workflows, progress tracking and reporting
Other technology options
database to receive and manage DSRs
Use existing service request system
to log and assign tasks to system owners
IT or data function can build
scripts to discover and update
data in various
- Poonam Warang (PwC India)
Privacy technology solutions have risen by 87% (from 44 tech vendors in 2017 to 343 tech vendors in 2020)
The privacy tech offerings have matured from basic services
such as data mapping to deidentification
Clients with a global presence need to adhere to multiple regulations. 130+ countries have data privacy laws in place,
accentuating the need to automate privacy compliance
Investing in tech solutions enables corporates to focus more on
their key competencies
by Enza Iannopollo with Amy DeMartine, Elsa Pikulik, Kate Pesa, and Peggy Dostie
March 30, 2020
• Chief Technology officer
• Chief Data Officer
the Org
Case Study #1 Build vs. Buy decision
One of the largest global telecom operators was enabling privacy compliance for their
organization. In our interaction with the client, they emphasized the need to build automated
privacy solutions in-house instead of onboarding third-party solutions.
Decision criteria:
b. Matured IT set up as per global standards
c. Performance Impact and scalability of external
tools
considering long term annual licensing cost
Case Study #2 Full technology enablement vs. Selective automation
A large SA retailer is gearing towards achieving privacy compliance with the PPI Act.
They have onboarded a privacy solution which offers multiple privacy-enabling
technology products. However, our client has chosen to be selective, using the 4-5 key
modules and leveraging internal solutions for the rest.
Decision criteria:
a. Client lacked data mapping and impact assessment capabilities and it
would have required additional FTEs to periodically conduct such
assessments.
b. Further automating the data mapping activity facilitated maintenance of
the most updated version, required to demonstrate compliance
This led to a decision to purchase the data mapping assessment module
and key modules
c. Well established incident and breach management process reduced the
need to have an automated incident management solution
d. Privacy tool selection is considered for a shorter time frame (next 2-3
years), and the client may potentially build their own solution
Data Governance
How have we helped our clients with Privacy technology enablement?
Feasibility study
• Technology requirements
Key takeaways
Technology eases privacy compliance efforts; however, tech alone is no solution
Inculcating a privacy compliance culture is “Your” responsibility
Cost-benefit analysis is critical
One size doesn't fit all, define tech requirements suitable to your organization
Encourage inhouse “privacy tech” innovations
Focus on sustainable cost of compliance
Understand the exit strategy while onboarding new tech solutions
Know your priorities. Be careful of making tools part of your critical path to compliance in June 2021 if you have low maturity