There is significant enthusiasm for a federal privacy law amid organizations’ inability to comply with data privacy rules stemming from both mushrooming government regulations and complex data sharing agreements between companies.
Organizations are also overconfident in knowing where private data resides, and tend to use inadequate tools such as spreadsheets to track it.
Integris Software’s 2019 Data Privacy Maturity Study gathered detailed responses from 258 mid to senior executives from IT, general management, and risk and compliance departments at US companies with at least 500 employees (62 percent had 5,000 or more employees) to assess how they manage private data.
The results showed that while 79 percent of respondents support a federal privacy law, only 23 percent are fully prepared to comply with the existing California Consumer Privacy Act (CCPA) and only 36 percent reported being fully prepared for the more established General Data Protection Regulation (GDPR).
The survey exposed the lack of visibility companies have into where their data lives. Nearly 45 percent of respondents said they needed to access 50 or more data sources to get a defensible picture of where their sensitive data resides.
Yet fewer than half (45 percent) of respondents take an inventory of personal data more than once a year or only in reaction to an audit.
An alarmingly low 17 percent of respondents are able to incorporate all five common data types into their privacy management program: structured data, unstructured data, semi-structured data, cloud-based applications, and data in motion.
This lack of visibility could be due to the fact that 77 percent of respondents reported using methods such as manually updated spreadsheets and surveys to track and inventory personal information while 61 percent relied on custom-written computer code.
Despite these huge deficits in privacy management technical maturity, 40 percent of respondents were “Very” or “Extremely Confident” they know exactly where sensitive data resides.
“If you’re not taking a real-time inventory of personal data across all data source types, then you’re going to have huge blind spots when it comes to knowing what sensitive data is sitting in your organization,” Integris CEO Kristina Bergman said.
“Point-in-time knowledge is obsolete within a day due to the constantly changing nature of data in a hyper-connected world.”
In the wake of the misuse of data sharing agreements like the one between Facebook and Cambridge Analytica, enterprises seem to be more aware of such agreements, with 63 percent of respondents citing privacy concerns about data-sharing agreements.
Forty percent of respondents had 50 or more of these data-sharing agreements in place. But respondents were generally pessimistic about their partners’ ability to comply with the agreements. Respondents reported being 43 percent more confident in their ability to be compliant compared to how they perceived their partners.
“Whether it’s complying with regulations, contracts, or internal use policies, continuous defensibility boils down to knowing where your sensitive data resides and your ability to map that data back to data handling obligations,” Bergman said.
“These survey results highlight the urgent need for companies to operationalize and automate their data privacy management programs to handle their mass volumes of private data and an increasingly diverse and complicated set of obligations.”
The encouraging news is that organizations showed high levels of organizational maturity in their data privacy management programs. More than 80 percent of respondents reported having budget dedicated to data privacy management, 90 percent had a data privacy awareness program in place, and 93 percent had a process in place to identify and mitigate privacy risk.
Unsurprisingly, most organizations (88 percent) are increasing their data privacy management budgets in 2019. One third (33 percent) of respondents are increasing their data privacy management budgets by 25 percent or more.
The study’s other core findings include:
- 81 percent believe businesses risk losing customers due to inadequate data privacy practices
- 55 percent think employers risk losing their own employees due to inadequate data privacy practices
- 50 percent of data privacy management budgets are concentrated in IT departments (InfoSec, data infrastructure, IT operations, and software development)
“Privacy is increasingly being operationalized by the data management team within the CTO organization,” Bergman said. “Forward-looking organizations are treating privacy as part of a broader data protection strategy where privacy tells you what’s important and why, and security is the how.”