A comprehensive new study (“2019 Data Privacy Maturity Study”) from Seattle-based Integris Software suggests that many mid- to large-sized enterprises simply are not prepared for the avalanche of private data in the marketplace today, or for the growing proliferation of data sharing agreements with other companies. Add in the fact that government regulations appear to be mushrooming on a state-by-state basis across the United States, and it’s easy to see why a clear majority (79%) of these enterprises now support a federal privacy law that would provide clear guidelines on data sharing and data inventory practices.
The need to upgrade data sharing and data inventory practices
Notably, even though a majority of these mid- to large-size enterprises (defined as those with more than 500 employees) support an overarching federal privacy law to help them make sense of an increasingly complex and convoluted data privacy landscape, there is still a long way to go to bring their data sharing and data inventory practices up to certain minimum levels.
One big problem, as suggested by the Integris survey, is that there is a “privacy blindspot” at many organizations. While enterprises think they are making every effort to upgrade their data sharing and data inventory practices, the sheer amount of personal data they need to manage is making it close to impossible to do so effectively.
To give an idea of the growing size of the problem, 40% of enterprises surveyed had more than 50 data sharing agreements with other organizations in place. While those data sharing agreements could represent a form of competitive advantage if enterprises are able to develop a much better profile of their typical customer based on this additional personal data, they also represent a form of risk. As Integris points out in the report, it is exactly these sorts of data sharing agreements that led to the Facebook Cambridge Analytica scandal last year.
Quite simply, companies are not always aware of where their sensitive data resides, or how it is being used throughout the organization. For example, less than half of enterprises surveyed conduct an inventory of personal data more than one time a year. Moreover, 45% of enterprises need to access more than 50 data sources in order to find, track and monitor personal data. That puts a lot of stress and strain on data sharing and data inventory practices. Companies are expected not only to provide a description of the data, but also to have data security practices in place that help to protect that data, especially sensitive personal information.
Even more disturbingly, most organizations are relying on a highly inefficient process for tracking and monitoring personal data throughout the organization. Instead of automating business processes, they are relying on highly manual processes. In fact, according to the Integris survey, a staggering 77% of enterprises use manually updated spreadsheets and surveys in order to track and inventory personal information.
“Tracking where sensitive data is stored and processed, both within the company and with third parties, is a huge challenge for most enterprises,” says Integris CEO Kristina Bergman. “Companies struggle to deal with the volume, variety, and velocity of data. Gone are the days of being able to point to a farm of relational databases that contain your data. Data is in the cloud, it’s structured, unstructured, and increasingly in motion. Manual surveys and spreadsheets don’t work in this new environment. The only way to address the issue is to automate the identification and tagging of personal data across all systems in real-time, map them back to regulatory rules and contractual obligations, and automate actions.”
A false sense of confidence about data privacy management
Given these clear shortfalls in data sharing and data inventory practices highlighted by Integris, one might assume that enterprises are in a state of panic about what to do next. That is not the case, judging by the results of the Integris survey. For example, 40% of those surveyed were either “very confident” or “extremely confident” in their data privacy management practices.
In part, this false sense of confidence stems from the fact that mid- to large-size enterprises are dedicating time, money and resources to the problem. Most importantly, 80% of those surveyed had specifically designated data privacy management budgets. For 50% of these organizations, the data privacy management budget resides within the broader IT department. Only 11% of those enterprises with a data privacy management budget also had a privacy management department. And, in 10% of the cases, the budgetary authority was “not clearly defined” (suggesting that, perhaps, these funds were not being spent in the most effective manner).
The prospect of a new federal privacy law
Even though enterprises are confident (and perhaps even over-confident) about their data sharing and data inventory practices, does that mean that they are really ready for a new federal privacy law? From one point of view, such a federal privacy law would help to streamline the day-to-day business processes of an organization. For example, instead of creating one set of workflows and data sharing practices for Washington State, and another set of workflows and data inventory practices for California, enterprises could merge both workflows into one high-level workflow at the federal level.
However, the big question is whether enterprises are really able to scale their data sharing and data inventory practices past a certain level. Enterprises with more than 500 employees, for example, typically have far-flung operations all over the globe. Moreover, they have a huge network of vendors, suppliers and partners. Recognizing the inherent complexity involved in navigating all of this personal data, only 23% of enterprises said they were ready for the upcoming California Consumer Privacy Act, which is set to go into effect in 2020. Moreover, only 36% said they were ready for the General Data Protection Regulation (GDPR), which went into effect in May 2018. This last figure is particularly troubling, because it has now been almost one year since the GDPR went into effect, and the majority of enterprises are still having a hard time coping with the new rules surrounding data subjects, data mapping, data sharing and data inventory.
Thus, this might be a case of being careful what you wish for. A comprehensive U.S. data law at the federal level might seem like a good idea now, but the actual enactment of such a law might only further highlight deficiencies in data sharing and data inventory practices at the world’s largest enterprises.