OneTrust takes strategic focus on global privacy management

Publication Date: 02 Aug 2018
Product code: INT
Paige Bartley

Ovum view

Summary

In the countdown to the May 2018 deadline for the EU's General Data Protection Regulation (GDPR), OneTrust's marketing and messaging largely focused on meeting the specific requirements of the regulation. While the company has long been capable of comprehensive privacy management functionality independent of any single data protection directive, GDPR provided an upsurge of enterprise interest in capabilities and a highly effective marketing opportunity for the company. Now that the deadline has passed, OneTrust is focused on longer-term strategy and the evolving needs of global organizations. The enterprise, today in the post-deadline GDPR world, has shifted to a sustainable privacy planning and purchasing strategy, benefitting vendors such as OneTrust that can offer a deeply integrated suite of privacy management capabilities. Today, OneTrust in both its marketing and functionality is focused on helping the enterprise manage not only the requirements of GDPR, but a global privacy program that necessitates the coordination of various regional data protection regulations and policies.

GDPR is the first domino to fall in global data protection

As Ovum projected in the report 2018 Trends to Watch: Data Governance, GDPR has set off a global chain reaction of data protection and privacy regulation. A convergence of factors is at play: consumers are becoming more privacy-savvy and aware of the value of their data, and the economic pressure to do business with the EU has shaped local policy for data protection so that data can be transferred back and forth from Europe with minimal friction. The simplest mechanism for compliant data transfers between the EU and a non-EU region is for the non-EU country or region to have a blanket "adequacy decision" in place from the EU.
This decision means that the legislation and data protection policies of the non-EU country or territory have been evaluated by the EU and have been deemed adequately protective of personal data, permitting seamless data transfer on a regular basis without additional safeguards or contractual agreements being put in place. Adequacy decisions are highly beneficial for businesses based outside the EU, because they streamline the compliance workflow and standardize data-handling practices. Because of this, many countries that regularly conduct business with the EU, or have EU customers, have elected to enact their own data protection regulations that are crafted in the spirit of GDPR. However, no country's data protection regulation is a carbon copy of the EU's. Each has its own variations and nuance, leading to headaches for the enterprise that must comply equally with all.

GDPR, in a sense, is not an isolated phenomenon or a single deadline to be met; it is simply the tip of the data protection iceberg. Multinational organizations are now realizing that the challenge of privacy management isn't simply a list of checkbox requirements pulled from the text of GDPR. It is a global movement complete with regional variations in policy and consumer rights that must be coordinated and enforced. To meet such requirements, a point solution built to address just GDPR will not suffice.

OneTrust, as a provider of process-oriented privacy management solutions, has long been agnostic to specific regulations. A dedicated team of privacy professionals constantly researches data protection and privacy trends around the world, shaping product functionality and features. For the company, this global trend of regulation is driving a steady acceleration in business interest, whereas point solutions with a narrower GDPR-specific scope have seen a plateau or even decline in interest following the passing of the deadline. As global regulations become more numerous and complex, OneTrust's value proposition as a central coordinator of privacy processes and workflows has grown.

Ovum. All rights reserved. Unauthorized reproduction prohibited.

Global privacy management programs take center stage

Prior to the GDPR deadline, many procurement decisions were made in haste; legal, privacy, and DPO teams frequently made small, tactical point-solution purchases to address specific GDPR requirements, often without the involvement or knowledge of the IT department. This approach limited the strategic integration of these solutions into the broader information governance framework of the enterprise and did little to prepare the organization for future changes in the global data protection regulatory landscape. Initially, the primary objective was meeting the specific granular requirements of the EU regulation, with little focus on aligning compliance goals with long-term business strategy. While this purchasing strategy brought significant business to OneTrust (the company's product suite addresses a broad swath of GDPR requirements), it often limited the potential scope of deals.

In the wake of the deadline, this perspective has shifted, and OneTrust has seen a corresponding change in the nature of inquiries it receives. The scope of RFIs and RFPs it receives has expanded, with organizations requesting information on an increasingly broad range of functionality and integration capabilities. Enterprise attitudes have changed; with the anticipated "Armageddon" of the GDPR deadline passing with little immediate impact, the typical enterprise has shifted the focus of its data protection strategy and purchase behaviors to align with more holistic business objectives and IT architecture.
Today, a wider range of personas are involved in the data privacy product procurement process; IT and business units frequently have a more influential role in the purchase procedure today, and consequently, product evaluation focuses more on architectural integration and broader functionality. Data privacy increasingly falls under the purview of the chief data officer.

Perhaps most importantly, post-GDPR, the enterprise has begun to focus on the global data privacy regulatory landscape. Instead of evaluating products based on their ability to meet the requirements of individual articles of GDPR, the enterprise is increasingly evaluating privacy management solutions on their ability to manage and coordinate multinational data privacy programs where different regions have differing regulatory requirements, and different groups of customers have differing rights. This requires an integrated approach, with focus not only on technology, but on people and process as well.

This shift to long-term global privacy management is what drives OneTrust's business strategy in the post-GDPR era. While the company sees significant business opportunities from organizations that are still striving to meet basic requirements of GDPR, OneTrust sees even greater opportunity in leveraging its capabilities to help businesses architect sustainable data privacy programs that can adapt to changing global requirements. While many GDPR point solutions are struggling to craft meaningful positioning in the wake of the deadline, OneTrust is capitalizing on existing strengths to cement itself as a holistic global privacy management platform, rather than as a GDPR tool.

OneTrust's capabilities provide global privacy management

Data privacy is not just about technical controls for data.
Encryption, masking, and access controls are necessary technical elements of a robust security and privacy effort, but a comprehensive privacy program is defined at a higher level by process management, human roles, and workflows. As no single product can exert all the data controls necessary for privacy, it is more valuable to have a platform that can centrally manage privacy processes and integrate with various other tools to execute specific technical controls. OneTrust takes this approach, providing a central hub for the management of processes, as well as the central management and storage of data associated with risk assessments and consent. It integrates extensively with other technology tools, leveraging existing IT investments and enabling workflows that are triggered by actions in third-party products. Importantly, this methodology is agnostic to any particular regulation; it is built to adapt to and codify the existing human processes and workflows within the enterprise.

While many vendors on the market have focused on offering functionality to meet requirements of specific privacy regulations, OneTrust provides a process-based framework and adds regulation-based functionality and templates as needs arise. Its privacy capabilities long predate GDPR. With an extensive research team of privacy professionals and professional services that are offered in conjunction with its products, the company's position in the market strengthens as the enterprise focus shifts to the management of global privacy frameworks.

Today, OneTrust offers two broad categories of modular products, which are fully integrated with each other and work synergistically to meet data privacy requirements, both from an enterprise process perspective and a data subject rights perspective.

Privacy program management products: These include assessment automation, data inventory and mapping, vendor risk management, and incident and breach management. Process-oriented in nature, they integrate with third-party products such as data loss prevention (DLP) tools and task tools such as Jira; integrations allow OneTrust to trigger and centrally manage workflows associated with privacy.
Marketing and web compliance products: These include data subject rights management, website compliance scanning, cookie consent management, and universal consent and preference management. Largely geared toward the "outward-facing" controls for data subject preferences and rights, these capabilities fully integrate on the back end with the privacy program management products, and third-party products such as Eloqua, Marketo, and Salesforce, to create comprehensive workflows for the enterprise.

Together, these capabilities address both the internal organization and assessments that are required for regulatory readiness and ability to demonstrate compliance, as well as the coordination of external input such as data preferences selected by data subjects on web properties. To meet the requirements of different global regulations, data subjects can be presented with different consent options depending on IP address or region. Crucially, all actions and preferences tie into the privacy workflows and documentation capabilities of the platform, offering the business a central hub for the coordination of an enterprise-wide privacy program.

The OneTrust suite of products is available in more than 50 languages, helping multinational organizations centralize and coordinate their privacy efforts even when teams are spread across the globe. The company has deployments in more than 75 countries, meeting numerous diverse requirements for data privacy and helping coordinate policies across regulations.

For OneTrust, the passing of the GDPR deadline does not mark the end of a marketing opportunity, as it may for some specialty compliance solutions. Rather, the maturing enterprise focus on global privacy strategy beyond the granular requirements of GDPR allows the company to leverage strengths that it has had all along, leading to larger deployments that are more extensively and strategically integrated with existing enterprise IT infrastructure. With organizations taking a more holistic approach toward global data privacy program strategy, OneTrust's modular but tightly integrated approach allows the enterprise to address specific requirements and scale as needed.

Appendix

Further reading

2018 Trends to Watch: Data Governance, IT (October 2017)
On the Radar: OneTrust's Privacy Management Software Platform aids compliance with data privacy regulations, IT (January 2017)
"OneTrust and RSA partner to address GDPR-related challenges," IT (May 2017)
Privacy as a Business Advantage, IT (January 2017)

Author

Paige Bartley, Senior Analyst, Data and Enterprise Intelligence
paige.bartley@ovum.com

Ovum Consulting

We hope that this analysis will help you make informed and imaginative business decisions. If you have further requirements, Ovum's consulting team may be able to help you. For more information about Ovum's consulting capabilities, please contact us directly at consulting@ovum.com.

Copyright notice and disclaimer

The contents of this product are protected by international copyright laws, database rights and other intellectual property rights. The owner of these rights is Informa Telecoms and Media Limited, our affiliates or other third party licensors. All product and company names and logos contained within or appearing on this product are the trademarks, service marks or trading names of their respective owners, including Informa Telecoms and Media Limited. This product may not be copied, reproduced, distributed or transmitted in any form or by any means without the prior permission of Informa Telecoms and Media Limited.
Whilst reasonable efforts have been made to ensure that the information and content of this product was correct as at the date of first publication, neither Informa Telecoms and Media Limited nor any person engaged or employed by Informa Telecoms and Media Limited accepts any liability for any errors, omissions or other inaccuracies. Readers should independently verify any facts and figures as no liability can be accepted in this regard - readers assume full responsibility and risk accordingly for their use of such information and content. Any views and/or opinions expressed in this product by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Informa Telecoms and Media Limited.

CONTACT US
ovum.informa.com

INTERNATIONAL OFFICES
Beijing, Dubai, Hong Kong, Hyderabad, Johannesburg, London, Melbourne, New York, San Francisco, Sao Paulo, Tokyo