8 Awkward Questions to Ask your Privacy & Compliance Vendor

By Ketch / May 21, 2021

Demand clear answers to find a privacy solution that meets your needs

Every data-privacy vendor claims their software is the best on the market — but you can’t simply take a vendor’s claims at face value. Instead, you need to spend time talking to them, and digging through the details of their technology and their approach to data privacy.  

This process can feel a bit like speed-dating: the stakes are high, but you’ve got limited time in which to figure out whether a given vendor is a good match. To maximize your chance of success, it helps to formulate a short, incisive list of questions designed to elicit the information you need to make a smart decision. 

What questions should you ask, exactly? That depends on your specific needs. Still, there are a few key questions that every vendor should be able to answer to your satisfaction:

1. How do you handle web infrastructure like tags and cookies?

It’s all too common, especially in Europe: marketing service providers and other third parties gather data from your website before you’ve had a chance to confirm consent from visitors. Figuring out this kind of web infrastructure can be a real headache if your privacy management system doesn’t provide turnkey tools to ensure tags and cookies don’t fire until consent is captured.

The best data privacy solutions integrate with your tag manager to delay data collection until after consent is confirmed. Look for a simple, straightforward system that automates this process to ensure compliance, but still leaves you in control of your web infrastructure.

2. How do you manage consent orchestration and synchronization? 

Consent and data request signals aren’t worth much unless they rapidly propagate across your whole data ecosystem, including outside partners using your data. Make sure you understand exactly how a vendor synchronizes consent signals, and how they cope with complex scenarios such as internal cloud systems or service providers that lack privacy APIs. 

The best solutions offer robust, fully automated consent orchestration. At Ketch, for instance, we offer a drag-and-drop marketplace of service providers, workflow tools, and privacy materialization for service providers without privacy APIs.

3. Do you automate Data Subject Rights requests?

When you receive a rights request, you need to be able to honor it swiftly — even if it means changing permissions or deleting data in a service partner’s system. Few solutions genuinely automate this process: most supposedly automated systems merely supply workflow tools or send form emails, leaving you to manually verify compliance.

The best vendors go further by docking with service providers’ systems to deliver fully automated DSR execution. Such solutions guarantee not just that requests are passed on, but that they are acted upon, reducing costs and eliminating the potential for human error. 

4. What happens if the rulebook changes?

To cope with new regulations, you need a solution that lets you easily apply new policies and refine interpretations. Many data privacy platforms struggle with this, requiring users to pay extra for new jurisdictions or regulatory modules, or to enable full customization of policy interpretations.

At Ketch, we believe software should cover every privacy regulation on the planet by default, with no hidden costs or feature creep. Whether you’re moving into new markets, changing the legal basis for using data, or rethinking the way regulations apply to your business, you should be able to rely on your data privacy solution to give you the functionality you need.

5. Can you customize privacy experiences?

You wouldn’t let someone else dictate your marketing materials or website copy, and you shouldn’t surrender control of your privacy messaging either. Surprisingly, many platforms block you from changing the wording, styling, and timing of privacy notifications, or force you to jump through hoops and deal with support desks or tech teams to implement changes.

The best platforms keep you fully in control of your messaging, with built-in content management tools for creating and polishing privacy notifications. Look for solutions that also allow you to optimize delivery timing and share messages when they’re most needed, without interrupting the user experience. 

6. Is your system cookie-based?

It’s disheartening that you need to ask this question in 2021, but many vendors’ offerings focus more on keeping up appearances than on delivering rich consent management solutions. Far too many still rely on privacy banners and cookie-based consent choices designed for site functionality rather than regulatory compliance.

Cookie-based solutions can’t deliver the full-spectrum consent and privacy toolkit you need. Instead, seek out comprehensive solutions that enable fully compliant privacy experiences, and effectively manage data across your entire ecosystem.

7. Does your solution support identity management?

We’re all individuals, but most privacy solutions still manage privacy on a per-device basis. That subjects people to the same consent requests again and again as they switch from smartphone to iPad to laptop, leading to a choppy user experience and complicating orchestration with downstream service providers who use their own digital IDs. 

The best solutions use identity infrastructure to manage consent on a person-by-person basis. Done right, this approach delivers a seamless, personalized, and fully orchestrated experience no matter which device a person uses.

8. Does your solution go beyond consent management?

Most data-privacy solutions focus on consent management, but consent is just one of the legal bases for collecting and processing data. It’s important to use solutions that are basis-agnostic, and give you the freedom to make the right decisions for your organization.

The best solutions also allow you to capture the specific purpose for which data can be used, allowing granular consent and privacy management. A user should be able to consent to having their data used for personalization but not for analytics, for instance, and your data privacy solution should be able to enforce their choice across your ecosystem.

Trust your instincts 

These questions aren’t easy to answer, and that’s deliberate — you can learn a lot from the way sales teams respond. Trust your instincts: if you sense that a vendor is dodging questions or refusing to give a straight answer, that’s a clear red flag.

The ideal vendor will show a deep understanding of the sector, and will be curious about the specific challenges you’re facing. They’ll also explain clearly how they can help deliver the functionality you need — and they’ll be frank and forthright in acknowledging any areas where their solution might not be right for you.

At Ketch, we take pride in our products, and we’re looking forward to finding out about your business. So get in touch — we’re ready to answer any questions you want to throw our way. For even more guidance while shopping for a CMP, check out our buyer’s guide here.
