Study: When It Comes To Data Privacy, Firms May Suffer from ‘Overconfidence’

Even as many companies are confident in their abilities to deliver data privacy, a study suggests that on-the-ground realities may signal more may need to be done. IDN explores the state of data privacy management with execs from Integris Software, author of the study.

Tags: AI, automation, data management, GDPR, Integris, privacy, study,

Elias Terman, Integris Software
Elias Terman
vice president,
global marketing
Integris Software


"Companies say they’re confident about meeting data privacy. But our study shows many may not have data visibility or automation they need."

Application Architecture Summit
Modern Application Development for Digital Business Success
July 25, 2019
Online Conference

When it comes to companies’ ability to deliver data privacy, 2019 could be a combo of great expectations – and times that aren’t quite as good as expected.

 

A recent study from Integris Software reveals that even as many companies are confident in their abilities to deliver data privacy, a deeper look at on-the-ground realities reveals more may need to be done.

 

For 2019, the study paints a revealing picture – where data privacy management is a mix of rosy expectations and a practical reality that might not meet such expectations.

 

“The study reveals a little bit of a paradox,” Elias Terman, Integris vice president of global marketing told IDN. “We think there’s a little overconfidence out there – given the complexity of the data privacy challenges we see out there.”

 

Terman explained the findings this way:  “Companies say they’re confident about meeting data privacy. But our study shows many  may not have data visibility or automation they need.”
 
So let’s parse the Integris study results.

 

On the ‘rosy’ side of the ledger, awareness and commitment are growing.

 

The Integris Software’s 2019 Data Privacy Maturity Study reports 40 percent of company execs are “Very Confident” or “Extremely Confident” in knowing exactly where sensitive data resides, The study also found company execs said data privacy is gaining mindshare – both as an imperative and with added budget, according to Integris CEO Kristina Bergman. 

 

“Privacy is increasingly being operationalized by the data management team within the CTO organization,” Bergman said. “Forward-looking organizations are treating privacy as part of a broader data protection strategy where privacy tells you what’s important and why, and security is the how.”

 

The study found more than two-thirds of companies (67%) are taking a more forward-looking approach to data privacy, focusing on ways to prove their regulatory compliance to GDPR, DSAR and other data retention and classification policies (66.28%).  They are also investing in ways to respond to data access requests from customers (such as those required by GDPR). 

 

Other encouraging stats the study found included:

 93 percent of respondents said had a process in place to identify and mitigate privacy risk

 

 90 percent have a data privacy awareness program in place

 

 81 percent believe businesses risk losing customers due to inadequate data privacy practices

 

 80 percent of the report they have “data privacy management” budgets earmarked for such issues. [That said, only 11 percent said most of the budget resides in the privacy management department, and 10 percent said it wasn’t clearly defined.]

 

79 percent of mid-sized and large companies want a federal privacy law to govern data privacy management practices,

 

55 percent think employers risk losing their own employees due to inadequate data privacy practices

 

33 percent are increasing budgets for data privacy management by 25 percent or more.

That said, the Integris also uncovered some ‘practical realities’ that signals some cautionary signs on how well companies can fully meet data privacy requirements.

 

First, data visibility is so much more difficult to nail down in 2019, according to Terman said.

 

“Today, there is just a growing lack of visibility within companies about their data,” he said.


“There are massive amounts of sensitive data floating all around the organization  – data is pouring  into and out of data lakes – on-premise and in clouds.”

Even more problematic, Terman added, is the tremendous amount of data movement. “We now have data-in-motion, data streams, data in semi-structured formats – and on top of that all that data is being replicated, sometimes across dozens or hundreds of places. Data is everywhere – and it’s always being updated.”

 

Data movement can mean how data moves and combined with other data. But it also means including how much and when data leaves one enterprise and enters another, Terman said, such as with data sharing agreements with partners and third-parties.

 

“Data sharing agreements are a blind spot for many companies,” Terman said.  “Parties should be monitoring the pipe the data is moving through – both ingress and egress- with their partners,” he said.  A factoid to illustrate this: Nearly one-half of respondents (43 percent) said they were more confident in their ability to be compliant compared to how confident they are in their partners’ ability to comply.

 

“So, with data sharing agreements, there are disconnects a lot of times. The lawyers writing these agreements are not the engineers who ship the data – or IT doesn’t always know the specific controls they need in place,” he added. 

 

Another ‘blind spot’ can arise from how data moves to help create cool CX (customer experience) apps. Features such as chatbots or recommended suggestions could hold data elements that should be subject to data privacy management and internal use rules, Terman added.   

 

The study highlighted results that signal to achieve this data visibility can be a problem:

Nearly 45 percent need to access 50 or more data sources to get a picture of where sensitive data resides.

 

45 percent take an inventory of personal data more than once a year - or only in reaction to an audit.

 

40 percent of respondents had 50 or more data sharing agreements (e.g., Cambridge Analytica) in place, [That said, 43% of respondents said they were “generally pessimistic’ about the ability of their partner to comply with data sharing rules.]

 

Only 17 percent of respondents are able to incorporate all five common data types into their privacy management program: structured data, unstructured data, semi-structured data, cloud-based applications, and data-in-motion.

How Data Variety and Velocity Can Make Data Privacy Management Challenging

A combination of data variety and data velocity can often compound the difficulty of achieving effective data privacy management, Bergman added. 

 

“If you’re not taking a real-time inventory of personal data across all data source types, then you’re going to have huge blind spots when it comes to knowing what sensitive data is sitting in your organization,” she said.  “Point-in-time knowledge is obsolete within a day due to the constantly changing nature of data in a hyper-connected world.”

 

A second issue, Terman added, is how a company combines or correlates diverse data.

 

“It’s been stated that you can identify 87% of individuals in the U.S. population with only three (3) different types of data – gender, zip code, and birth date,” Terman said. “So, companies need to know the different types of data in their systems, and when that data may be combined – such as in a data lake.  When you combine data, you can then have data combined that can identify individuals.”

 

 A third issue is the lack of automation, Terman added.

 

The study found, under two-thirds (61 percent) relied on custom-written computer code for some data management tasks. That said, more than three-quarters (77 percent) said they use “manually updated spreadsheets” and even studies to track and inventory personal information, he said.

 

How Data Privacy Impacts Business Initiatives – Not Just IT or Governance

As to impact, the Integris study also found that IT and governance teams aren’t the only ones affected by data privacy concerns. Business initiatives are also being impacted.  Included are assessing risk from M&A and even working on AI/ML projects.

 

The following data from the study breaks down how a lack of a data privacy management can impact IT and business stakeholders.

Integris’ Recipe To Ensure an Effective Data Privacy Management 

Terman suggests a simple recipe for effective data privacy management. 

 

“It’s the ability to understand how your company identifies and handles [PII] data end-to-end,  and then using that understanding to support your entire enterprise-wide control framework for data,” he said.

 

To do that, Terman’s encouraging news is, “It can boil down to doing two things really well,” he said.  

 

            1.    First, understanding where data resides and


            2.    Second, effectively map all that data back to obligations for data handling, privacy requirements (such as GDPR, CCPA, and other regulations) 

 

Even with this recipe, Terman adds that companies should consider implementing smarter technologies that are automated, real-time and coordinated across ingress and egress points.

 

“Integris helps operationalize and automate your data privacy management program,” Terman said.  “We won’t say you need this kind of encryption on this data. But we give you an easy way to make rules and enter those into a system, and look at your sensitive data against your obligation, and automate action to resolve those issues,” he said.

 

As an example, Integris will also look directly at the data source, down to the element level. “We don’t just take what the columns or labels say,” Terman said.  It uses machine language and contextual awareness to look at the data and see if the data is as identified correctly. “We also generate our own metadata, based on what we see in the actual data – down to the data element level.”

 

Integris Software’s 2019 Data Privacy Maturity Study gathered detailed responses from 258 mid to senior executives from IT, general management, and risk and compliance departments at US companies with at least 500 employees (62 percent had 5,000 or more employees) to assess how they manage private data.

 

The full 2019 Data Privacy Maturity Study is now available from Integris Software.




back