Integris Software Survey Reveals Overconfidence, Struggles on Two Fronts as Companies Face Avalanche of Private Data
Government mandates, data-sharing agreements and spreadsheets sow confusion, bolster support for new federal law
- Integris Software study of data privacy management practices among mid to large enterprises finds 79 percent want a federal privacy law
- Study shows data privacy management overconfidence: 40 percent were “Very” or “Extremely Confident” in knowing exactly where sensitive data resides despite only taking inventory once a year or less; and a mere 17 percent of respondents are able to access sensitive data across five common data source types
- 40 percent of respondents had 50 or more data-sharing agreements (e.g., Cambridge Analytica) in place, and were much more confident of being in compliance with these agreements than their partners reciprocating in kind
- Although 80 percent had data privacy management budgets, only 11 percent cited that the majority of the budget resides in the privacy management department, and 10 percent said it wasn’t clearly defined
SEATTLE - A new comprehensive study of how top enterprises manage private data reveals significant enthusiasm for a federal privacy law amid organizations’ lack of ability to comply with data privacy rules stemming from both mushrooming government regulations and complex data-sharing agreements between companies. The study also reveals overconfidence in knowing where private data resides, and the use of inadequate tools such as spreadsheets to track it.
Integris Software’s 2019 Data Privacy Maturity Study gathered detailed responses from 258 mid to senior executives from IT, general management, and risk and compliance departments at US companies with at least 500 employees (62 percent had 5,000 or more employees) to assess how they manage private data. The results showed that while 79 percent of respondents support a federal privacy law, only 23 percent are fully prepared to comply with the existing California Consumer Privacy Act (CCPA) and only 36 percent reported being fully prepared for the more established General Data Protection Regulation (GDPR).
The survey exposed the lack of visibility companies have on where their data lives. Nearly 45 percent of respondents said they needed to access 50 or more data sources to get a defensible picture of where their sensitive data resides. Yet fewer than half (45 percent) of respondents take an inventory of personal data more than once a year or only in reaction to an audit.
An alarmingly low 17 percent of respondents are able to incorporate all five common data types into their privacy management program: structured data, unstructured data, semi-structured data, cloud-based applications, and data in motion. This lack of visibility could be due to the fact that 77 percent of respondents reported using methods such as manually updated spreadsheets and surveys to track and inventory personal information, while 61 percent relied on custom-written computer code.
Despite these huge deficits in privacy management technical maturity, 40 percent of respondents were “Very” or “Extremely Confident” they know exactly where sensitive data resides.
“If you’re not taking a real-time inventory of personal data across all data source types, then you’re going to have huge blind spots when it comes to knowing what sensitive data is sitting in your organization,” Integris CEO Kristina Bergman said. “Point-in-time knowledge is obsolete within a day due to the constantly changing nature of data in a hyper-connected world.”
In the wake of the misuse of data-sharing agreements like the one between Facebook and Cambridge Analytica, enterprises seem to be more aware of such agreements, with 63 percent of respondents citing privacy concerns about data-sharing agreements. Forty percent of respondents had 50 or more of these data-sharing agreements in place. But respondents were generally pessimistic about their partners’ ability to comply with the agreements. Respondents reported being 43 percent more confident in their ability to be compliant compared to how they perceived their partners.
“Whether it’s complying with regulations, contracts, or internal use policies, continuous defensibility boils down to knowing where your sensitive data resides and your ability to map that data back to data handling obligations,” Bergman said. “These survey results highlight the urgent need for companies to operationalize and automate their data privacy management programs to handle their mass volumes of private data and an increasingly diverse and complicated set of obligations.”
The encouraging news is that organizations showed high levels of organizational maturity in their data privacy management programs. More than 80 percent of respondents reported having budget dedicated to data privacy management, 90 percent had a data privacy awareness program in place, and 93 percent had a process in place to identify and mitigate privacy risk. Unsurprisingly, most organizations (88 percent) are increasing their data privacy management budgets in 2019. One third (33 percent) of respondents are increasing their data privacy management budgets by 25 percent or more.
The study’s other core findings include:
- 81 percent believe businesses risk losing customers due to inadequate data privacy practices
- 55 percent think employers risk losing their own employees due to inadequate data privacy practices
- 50 percent of data privacy management budgets are concentrated in IT departments (InfoSec, data infrastructure, IT operations, and software development)
“Privacy is increasingly being operationalized by the data management team within the CTO organization,” Bergman said. “Forward-looking organizations are treating privacy as part of a broader data protection strategy where privacy tells you what’s important and why, and security is the how.”
The full 2019 Data Privacy Maturity Study is now available from Integris Software and those looking to learn more can register for an upcoming webinar featuring:
- Dana Simberkoff, CIPP/US, Chief Risk, Privacy and Information Security Officer, AvePoint
- Faith Knight Myers, CIPM, CIPP/US/EU, Vice President Global Privacy, McKesson
- Kristina Bergman, Founder and CEO, Integris Software
About Integris Software
Integris Software, the global leader in data privacy automation, helps enterprises discover and control the use of sensitive data in a way that protects privacy and fuels innovation.
Privacy is now critical to an effective data protection strategy. By sitting upstream from security, Integris tells you what data is important and why so you can be precise in your InfoSec controls.
Integris works securely, at scale, no matter where sensitive data resides. You get a live map of your sensitive data where you can apply policies, surface issues, fulfill DSAR requests, and automate remediations via your broader ticketing and InfoSec ecosystem.
Regulations like GDPR and the California Consumer Privacy Act (CCPA) are triggering knee-jerk reactions as companies lock down their data for fear of misuse. With Integris, there is finally a way to use your data without fear.
RH Strategic for Integris Software