BigID, in partnership with the International Association of Privacy Professionals (IAPP), has released a new report that provides insight into global patterns in end-user data requests and how they are managed. “The State of Privacy Data Rights Around the World” is the first survey of its kind of enterprise privacy professionals on a global scale, including over 475 respondents currently working to keep organizations compliant with legislation such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and the Lei Geral de Proteção de Dados Pessoais (LGPD). The respondents come from every region of the world, though the majority (80%) are from the US or the EU.
Key takeaways from the pioneering data rights report include that access and deletion are the most common types of requests, half of all organizations see data discovery as their primary area of future investment, and that data accountability is a major technical challenge.
Data rights around the world
Investment in data discovery capabilities can be tied directly to the mandates created by new privacy regulations, judging by the fact that US companies are currently the leading investors in data rights management resources (which is tied to the implementation of the CCPA). BigID anticipates similar spikes in spending as new data rights regulations come online. While a little over half of all global respondents are committed to future spending on data discovery / inventory / mapping, only about one-third plan to spend on consent and preference management and consumer portal elements. Only 8% said that they intended to invest in advisory services.
The survey also shows that data requests are overwhelmingly coming from consumers (75%). Current and former employees make up only 15% of requests respectively. However, there are substantial geographic variations here; employee requests for data are much more frequent in the EU than they are in the US.
50% of organizations are also already processing data rights requests from anyone in the world, with this being a more common state of affairs in the EU than anywhere else. Given the state of data privacy laws in the country, US companies are focusing very heavily on residents of California.
In terms of request types, most consumers (83%) are asking for access to data and organizations are supporting these requests at a 97% rate. 77% of consumer data rights requests include deletion of personal information, 46% include either an “opt out” or “do not sell” status and 23% are rectification requests.
Identity verification methods vary greatly by region of the world. In the United States, most users are verified either by email only or by requiring an account login with a valid password. The use of photo identification is much more common in all other regions of the world, but particularly in non-EU Europe. None of the regions of the world have taken up identity proofing platforms in large numbers, with the US leading at 18% of respondents making use of one.
How are organizations building their data inventories? Almost exactly half are using organizational surveys, 38% are using data catalogs, 32% are using privacy-specific data discovery and 30% are using data classification tools. Consultants are only being employed for this task at a rate of 20% globally.
The primary metric that companies are using to measure the success of data rights strategies is the number of DSARs received (62%). 56% track average DSAR response time, 44% send out customer satisfaction surveys, 36% account for the fines that they have likely avoided, and 13% tabulate the cost per DSAR response. In terms of measuring the maturity of data rights programs, 46% of organizations plan to benchmark against industry peers. 37% judge by degree of automation implemented, 31% tally up the percentage of data systems or data stores covered, and 27% are benchmarking against privacy peers. Though respondents have a fair interest in automation, it is not widely in use yet; 82% are still managing their requests manually with a submission form or front-end portal and only about 26% have back-end automation elements in place. 74% of organizations are also either using an entirely manual name search system or a combination of manual and automated search.
Of the organizations that are receiving a high volume (over 1,000) of access requests this year, the majority (53%) are in the US. 33% are in the EU, 5% are in non-EU Europe and 9% are in other regions of the world.
Increasing importance of budgeting for data rights programs
In addition to the laws named here that are already online, a number of data privacy initiatives are in the works and expected to be active within the next few years: India’s Personal Data Protection Bill, the UK’s independent GDPR equivalent, whatever resolution there might be to the uncertain data transfer framework between the EU and US, and whatever federal standard the US ends up settling on in the wake of the 2020 election.