Accountability and third-party vetting in the age of wild automation
Cutting through the noise of third-party vendor credentials
I have already covered quite a lot of ground in the space of third-party audits, or the vetting of data processors.
Things have evolved fast. There was a time when most people conflated personal data protection (EU), or data privacy (US), with information security. Any SaaS founder would have quickly pointed towards their ISO 27001 certificate (EU) or SOC 2 report (US) when asked about their privacy compliance credentials. This made some sense, as cybersecurity teams have traditionally had much more of a say (and a much larger budget) than DPOs (EU) or Chief Privacy Officers (US). It was the security team's thumbs-down, not the privacy officer's, that procurement treated as a non-negotiable red flag.
The same legacy culture would drag conversations about "personal data" back into the old "PII" (Personally Identifiable Information) debate where, once again, executives found certainty and comfort in a fixed list of identifiers that never had to contend with what algorithms, or data processing at scale, can infer or re-identify from data that is not on that list.
Then came public enforcement of personal data or privacy laws, quite often on the back of data breaches. AI-specific laws, and a wider application of privacy laws to AI decision-making, followed. Third parties have consistently proven to be the weakest link in this new reality.
Exhibiting a company's security credentials and cookie-cutter paperwork was suddenly not enough, either for data processors or for the data controllers engaging them. Putting the complexities of international data transfers aside, a higher level of scrutiny became the norm. Self-graded questionnaires and paid-for seals of accreditation that once kept security teams happy would now have to face an additional degree of diligence.
Paradoxically, it is AI-driven automation that has cast a new light on privacy and data protection credentials, by bringing scale to the once laborious diligence work that the overarching principle of accountability demands. At a point when anybody can produce an impressive amount of prose, that same prose can be stripped down to its real value (or boiled down to nothing) in a matter of seconds.
Companies used to hide behind their "literature", be it in the form of third-party assessments or the DPIAs that followed their deployment. Those who mastered the structure of these documents, rather than the technical and organizational measures that actually address the risks involved, are suddenly left with nothing to show for it. Their moat is now a commodity.
This can only be good news for businesses that have genuinely understood Privacy by Design principles and implemented data minimization in practice. At long last, their efforts can be rewarded by a more nuanced comparison of the competing alternatives in each category.
Our upcoming Vendor Watch service is a first attempt to both reflect this new reality and create meaningful value on top of it. Please feel free to reach out to us if you want to find out more about it.