Companies Need a Privacy Partner, Not Just a Privacy Consultant
This is a concept that I have learned with our clients while being a part of the consulting team at TrustArc.
Having been a privacy officer (both as an attorney and a non-attorney) in several industries (healthcare, medical devices, emerging technology), and with clients ranging from local government to national, from financial to education, in the global realm and specifically within the US sectors, I can’t say that I’ve seen it all.
Still, I have seen a whole lot of it. No one person can possibly be an expert in all areas of data privacy and data protection. However, at TrustArc, we have a team, tools, and methodology critical to our customers’ success.
Companies Need a Privacy Partner
They need a team that can not only assess them for European Union (“EU”) General Data Protection Regulation (“GDPR”) readiness but can also review their EU/US Privacy Shield compliance needs or review cross-border transfer mechanisms in general, such as Binding Corporate Rules (“BCRs”) or Cross Border Privacy Rules (“CBPRs”) in the Asia Pacific.
That team can then map that to their GDPR requirements or to their HIPAA compliance in the US, and even support framework questions, whether HiTrust, the International Organization for Standardization (“ISO”), the National Institute of Standards and Technology (“NIST”), or other frameworks.
Further, a privacy partner can review the legal requirements, assess policy application, understand implementation constraints and flexibility, and adjust the approach based on client expectations, level of maturity, industry standing, and future considerations.
Being able to partner in this way with companies is a professionally satisfying experience. Every client is different and requires a different set of knowledge, skills, and mindset.
At times clients may come to us with one need, to assess Privacy Shield readiness (and over 500 companies have approached TrustArc for this), but realize during that time that they have multiple needs that have been identified and have not been addressed.
Or they simply click with the team and TrustArc approach and engage us as a partner in several more areas.
In that case, is TrustArc a serial partner?
I have found that typically we become an ongoing privacy partner.
Perhaps we start by building a Privacy Impact Assessment (“PIA”) for EU data use, and then expand that assessment to PIAs for other areas, such as HIPAA in the US, or other geographic-specific needs.
It is made possible by keeping the needs of the customer in mind – sure, we’re only building a PIA for HIPAA, but if we add in certain gating questions, then you can use one initial PIA to divert to specific PIAs based on region or State and the personal information involved.
We have the technical expertise to build that into the process.
And it’s Not All About People
TrustArc tools make it easier for me to do my job. I also get to help design some of the tools given my industry knowledge.
For example, most companies desperately need a data inventory done – we can do it.
Also, companies will insist to me that they have no unnecessary cookies on their websites – we can run a test for cookies.
But beyond that, companies can use our technology to enhance their own capabilities, such as using our Assessment Manager platform to run their Privacy Impact Assessments (which are required under several privacy regimes).
The really valuable aspect of all of this is that we are not about a single consultant; we are TrustArc. I have little experience in FERPA, but if the customer I am working with has a FERPA element, I can tap a colleague.
As a partner, we engage in frank conversations with the company and truly function as a partner, not as a generic consultant. We have your best interests at heart and look to develop that ongoing relationship that works to your benefit.
Why Do You Need a Privacy Partner?
Someone who serves in an ongoing role that
- tackles the heavy lifting,
- listens carefully,
- provides a heads up on overlapping issues in order to fill several requirements with one action,
- watches for duplication,
- foresees possibilities for expansion,
- and is open and frank in addressing who you are as a company, with your needs, constraints, flexibility, timing, maturity, standing, and drivers.
We’re not selling you a product (although we can); we are offering you a cost-effective, widely experienced, highly efficient, privacy partner.