Computerworld - Anybody responsible for data privacy soon discovers a hard truth -- privacy compliance is a highly manual undertaking. Whether it's tracking where all of the company's data is or keeping up with changes in obscure privacy laws, the privacy professional is often sentenced to a life behind spreadsheets. If privacy didn't deal with cutting-edge social issues, it might contend for the most tedious job in the corporate center.
But the tedium may be lifting.
The privacy profession, which just 10 years ago fit into a single conference room in Washington, has grown large enough to form a reliable market for software products. When in 2006 I first estimated the North America-dominated privacy-advice market at $400 million, membership in the International Association of Privacy Professionals (IAPP) stood at 2,000. The IAPP now has over 6,000 members, according to its recent paper on the future of the privacy profession. Other benchmarks such as the number of privacy consultants and lawyers suggest the world privacy-advice market is now around $1 billion.
A handful of software entrepreneurs has noticed. Together they form what I'd call the "privacy GRC" market, where GRC stands for "governance, risk and compliance." GRC makes up most of what privacy people do.
It's not a big market. To put things into perspective, Gartner is only in its third year of analyzing the nascent IT GRC market. The privacy GRC market is at the moment no more than just a subset of that.
Nonetheless, the number of privacy GRC products is growing. Over the past year I noticed more of these booths at the privacy conferences I attended. So I commissioned research analyst Michael Lotti to help me investigate.
What did we find?
One of the biggest pain points of the privacy officer is the continued churn of new privacy regulations. Global corporations are now subject to an overlapping web of data privacy and security laws and standards. To cope, their privacy staff are busy tracking legislation and mapping the common requirements in each law to a set of unified control statements. An example of a control statement is "encrypt sensitive data transmitted outside Company networks." The privacy people -- months later, usually -- then group these controls into enterprise policies.
Most of the tools that Michael and I looked at -- including those from Archer, brinQa, Agiliance, ControlCase, Avior Computing and Consult2Comply -- automate this chore, albeit to varying degrees. Among these, Consult2Comply stands out from the crowd for the number of regulations mapped and the flexibility of how to reorient the mapping to your own needs.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
