A new comprehensive study of how top
enterprises manage private data reveals significant enthusiasm for a
federal privacy law amid organizations’ lack of ability to comply with
data privacy rules stemming from both mushrooming government regulations
and complex data sharing agreements between companies. The study also
reveals overconfidence in knowing where private data resides, and the
use of inadequate tools such as spreadsheets to track it.
Integris Software’s 2019 Data Privacy Maturity Study gathered detailed
responses from 258 mid to
senior executives from IT, general management, and risk and compliance
departments at US companies with at least 500 employees (62 percent had
5,000 or more employees) to assess how they manage private data. The
results showed that while 79 percent of respondents support a federal
privacy law, only 23 percent are fully prepared to comply with the
existing California Consumer Privacy Act (CCPA) and only 36 percent
reported being fully prepared for the more established General Data
Protection Regulation (GDPR).
The survey exposed the lack of visibility companies have on where their
data lives. Nearly 45 percent of respondents said they needed to access
50 or more data sources to get a defensible picture of where their
sensitive data resides. Yet fewer than half (45 percent) of respondents
take an inventory of personal data more than once a year or only in
reaction to an audit.
An alarmingly low 17 percent of respondents are able to incorporate all
five common data types into their privacy management program: structured
data, unstructured data, semi-structured data, cloud-based applications,
and data in motion. This lack of visibility could be due to the fact
that 77 percent of respondents reported using methods such as manually
updated spreadsheets and surveys to track and inventory personal
information while 61 percent relied on custom-written computer code.
Despite these huge deficits in privacy management technical maturity, 40
percent of respondents were “Very” or “Extremely Confident” they know
exactly where sensitive data resides.
“If you’re not taking a real-time inventory of personal data across all
data source types, then you’re going to have huge blind spots when it
comes to knowing what sensitive data is sitting in your organization,”
Integris CEO Kristina Bergman said. “Point-in-time knowledge is obsolete
within a day due to the constantly changing nature of data in a
hyper-connected world.”
In the wake of the misuse of data-sharing agreements like the one
between Facebook and Cambridge Analytica, enterprises seem to be more
aware of such agreements, with 63 percent of respondents citing privacy
concerns about data-sharing agreements. Forty percent of respondents had 50
or more of these data-sharing agreements in place. But respondents were
generally pessimistic about their partners' ability to comply with the
agreements. Respondents reported being 43 percent more confident in
their ability to be compliant compared to how they perceived their
partners.
“Whether it’s complying with regulations, contracts, or internal use
policies, continuous defensibility boils down to knowing where your
sensitive data resides and your ability to map that data back to data
handling obligations,” Bergman said. “These survey results highlight the
urgent need for companies to operationalize and automate their data
privacy management programs to handle their mass volumes of private data
and an increasingly diverse and complicated set of obligations.”
The encouraging news is that organizations showed high levels of
organizational maturity in their data privacy management programs. More
than 80 percent of respondents reported having budget dedicated to data
privacy management, 90 percent had a data privacy awareness program in
place, and 93 percent had a process in place to identify and mitigate
privacy risk. Unsurprisingly, most organizations (88 percent) are
increasing their data privacy management budgets in 2019. One third (33
percent) of respondents are increasing their data privacy management
budgets by 25 percent or more.
The study’s other core findings include:
- 81 percent believe businesses risk losing customers due to
  inadequate data privacy practices
- 55 percent think employers risk losing their own employees due
  to inadequate data privacy practices
- 50 percent of data privacy management budgets are concentrated
  in IT departments (InfoSec, data infrastructure, IT operations, and
  software development)
“Privacy is increasingly being operationalized by the data management
team within the CTO organization,” Bergman said. “Forward-looking
organizations are treating privacy as part of a broader data protection
strategy where privacy tells you what’s important and why, and security
is the how.”
