It’s been a busy past year for those working in the data privacy industry. 2020 welcomed the implementation date (January 1, 2020) and enforcement date (July 1, 2020) of the California Consumer Privacy Act (CCPA).
Workforce issues surrounding the coronavirus pandemic put pressure on data privacy professionals as well. The rapid rollout of technology to enable remote work during the pandemic presented both security and privacy challenges, especially concerning the processing of employee health data and new remote employee monitoring. The ballot initiative Proposition 24, the California Privacy Rights Act (CPRA), was approved by California voters on November 3, 2020, and goes into force on January 1, 2023. Rounding out this busy year for data privacy professionals, in spring 2021, Virginia passed its Consumer Data Protection Act (CDPA), which also takes effect on January 1, 2023, adding a new acronym to the ever-expanding list of data privacy terminology.
Time to implement data privacy management software
At G2.com, our focus is on capturing real-world user reviews of B2B software products and services. We use the available user data to power our analysis of software markets in real time, and in turn, help future buyers of business technology purchase different software products and services more intelligently.
What is Data Privacy Management Software?
Data privacy management software helps companies operationalize their corporate privacy programs by providing data mapping, discovery, and classification tools for sensitive data, as well as consumer request or data subject request (DSR/DSAR) functionality. It also has additional features such as identity verification, de-identification or pseudonymity, PIA, breach notification, consent management, and website tracking scanning.
One of the data points I’d like to highlight for data privacy professionals in the market for data privacy management software is the time it has taken your peers to implement these products. Below is a chart showing implementation time for products including TrustArc, DataGrail, Secure Privacy, SAI360, Collibra, SureCloud, DPOrganizer, and OneTrust. Products included in the Implementation Index for Data Privacy Management, Spring 2021 list below have received a minimum of 10 reviews and 5 responses for each of the implementation-related questions featured in our survey by March 02, 2021.
The shortest implementation times hover around one month
On average, users report the implementation period for data privacy management solutions to be 90 days. The shortest implementation has been cited as DPOrganizer at just under one month, followed by Secure Privacy, with an implementation time of a month and a half. The majority of the reviewers of both companies were from small businesses (50 or fewer employees) and mid-market firms (51-1000 employees).
According to G2 data, 77% of DPOrganizer’s reviewers came from the small and medium-sized business segments, and 93% of Secure Privacy’s reviewers also came from the same segments.
The longest implementation times are just over five months
With the average reported implementation time for data privacy management software at three months, the longest implementation periods are reported at just over five months. SAI360 reported an implementation period of 159 days and Collibra completed theirs in 156 days. This is not surprising to me since these two products serve a large enterprise customer base. G2 data shows 77% of SAI360’s reviewers came from enterprise-level companies, with over 1000 employees, while 50% of Collibra's reviewers are from enterprise-level companies as well. OneTrust, despite 54% of its reviewers coming from enterprise-level companies, has an implementation timeframe of 78 days, nearly half of SAI360’s and Collibra’s.
The longer reported duration of implementing data privacy management software at enterprise-level companies does not surprise me. Given the size of enterprise-level companies and their national and global reach, completing sensitive data discovery, data mapping, and the data privacy policy decisions that inform the company’s data privacy management software implementation would likely be more involved and include more decision makers.
Your own data privacy operationalization timeline
I’d like to encourage data privacy professionals to use the software implementation information above to guide your company’s adoption timeline for new privacy-program technology. Right after the CCPA became law, I noticed several data privacy software companies offering fast-track implementations, known as “CCPA in a day” offerings. Hopefully, with advance planning, you won’t be forced to implement a solution in a rush to meet your company’s CPRA and CDPA compliance objectives.
At the time of writing this piece in May 2021, 20 months remain until CPRA and CDPA come into force, so you should have plenty of time to properly implement a data privacy technology solution if you start early. Let’s say you’d like to give your team a three-month buffer after implementing new software before the new legislation comes into force, which means completing your implementation by October 1, 2022. If you select a data privacy management solution with an average implementation duration of 90 days, you’d have to start implementing the software product by July 1, 2022. That means you need to select your software before that.
In terms of selecting a data privacy management software solution, there are many factors to consider for your specific company, such as manual or automated data discovery, so you may want to begin narrowing down your search now and getting input from decision makers several months in advance. I highly recommend you use the G2 Grid® for Data Privacy Management to evaluate products. Use G2’s compare feature to stack software products against one another for comparison purposes, and read real-world user reviews of data privacy management software products.
Go plan your summer vacation
After such an action-filled year, data privacy professionals have certainly earned a break. As you schedule your team’s time off for vacations (shout out to the “teams of one”), consider the timelines ahead of you in terms of operationalizing your company’s data privacy program and implementing new technology, especially as it relates to the CPRA and the CDPA going into effect in January 2023. Depending on your company’s specific needs, size, complexity, and the stakeholder buy-in required to purchase software to comply with CPRA or CDPA, you may want to start searching for data privacy management software as early as now, but no later than the beginning of 2022, to give yourself ample time to select, implement, and test your solution.
But what does this timeline really mean? It means you should really take a summer vacation this summer. Go enjoy some much-deserved time off, privacy pros. We have a lot of work ahead of us all, and we all deserve a break.
Disclaimer: I am not a lawyer and am not offering legal advice. If you have legal questions, consult a licensed attorney.
Merry Marwig, CIPP/US
Merry Marwig is a senior research analyst at G2 focused on the privacy and data security software markets. Using G2’s dynamic research based on unbiased user reviews, Merry helps companies best understand what privacy and security products and services are available to protect their core businesses, their data, their people, and ultimately their customers, brand, and reputation. Merry's coverage areas include: data privacy platforms, data subject access requests (DSAR), identity verification, identity and access management, multi-factor authentication, risk-based authentication, confidentiality software, data security, email security, and more.