Integris Data Privacy Maturity Study EMBARGOED April 1

Integris Software 2019 Data Privacy Maturity Study

Government mandates, data sharing agreements and spreadsheets sow confusion amid an avalanche of private data

1525 4th Avenue | 5th floor Seattle, WA 98101-1607 | +1 (206) 539-2145 | integris.io


Integris Software 2019 Data Privacy Maturity Study | Copyright 2019 Integris Software, Inc.

Table of Contents


Executive Summary

Study Background and Methodology

Demographics

Firmographics

Data Privacy Management Budgets

Projects Impacted by Data Privacy Concerns

Data Sharing Agreements

Technical Data Privacy Maturity

Organizational Data Privacy Maturity

Regulatory Preparedness

Opinions on Federal Privacy Law, and Trust

About Integris Software


Executive Summary

Companies are being inundated with data. A single bank transaction may get replicated across a hundred data repositories. Companies are constantly purchasing data from third parties to build better customer profiles. In addition, as companies consolidate through mergers and acquisitions, they acquire completely unknown datasets and data transfer agreements between business partners. In this environment, it’s no wonder that respondents’ data privacy programs scored much lower on technical maturity than on organizational maturity.

Key Findings:

Data privacy management overconfidence: 40% were Very or Extremely Confident in knowing exactly where sensitive data resides despite only taking inventory once a year or less; and a mere 17% of respondents are able to access sensitive data across five common data source types.

Data privacy impacts much more than regulatory compliance: Enforcing internal data handling policies like classification and retention was cited 69% of the time. Proving compliance with business obligations like data sharing agreements was cited by 63% of respondents. About one third of respondents cited the impact on M&A due diligence (34%) and data lake hygiene (32%). About a quarter of respondents (24%) viewed data privacy as impacting the delivery of AI / ML projects.

The proliferation of data sharing agreements: In the wake of the misuse of data sharing agreements like the one between Facebook and Cambridge Analytica, enterprises seem to be more aware of such agreements. 40% of respondents had 50 or more of these data sharing agreements in place. However, respondents reported being 43% more confident in their ability to be compliant compared to how they perceived their partners.

Data privacy management budgets reside in IT departments: About 50% of data privacy budgets are concentrated in IT departments. Technology leaders are increasingly being tasked with operationalizing their companies’ data privacy management program. Why? At its core, data privacy is a data issue, and privacy is an outcome of a comprehensive data protection strategy.


Study Background and Methodology

This study seeks to understand how mid to large-sized US enterprises manage data privacy within their organizations, as well as their future plans. In February 2019 a web survey was emailed to members of an exclusive community of top business executives and IT decision makers. 258 respondents completed the survey, each of whom had to meet the following minimum criteria:

• Reside in the USA
• At least “Somewhat Knowledgeable” on how data privacy and data security are managed at their current company
• Mid to senior level professionals and executives
• 500 employees or more (62.4% had over 5,000 employees)
• $25 million or more in annual revenue (69.38% had over $1 billion in annual revenue)
• Functional roles/areas had to be in IT, general management, or risk and compliance

Note: unless otherwise noted, N = 258

What is your personal level of knowledge on how data privacy and data security are managed at your current company?

• Extremely Knowledgeable (It’s part of my primary role): 24.42%
• Very Knowledgeable (It’s part of my role): 38.76%
• Somewhat Knowledgeable: 36.82%


Demographics

Respondents had to be, at a minimum, mid-level professionals.

Which one of these is the best fit to your current seniority level?

• C-Level Executives: 10.08%
• VP, SVP, EVP: 9.69%
• Director, Sr. Director: 23.26%
• Manager, Sr. Manager: 28.29%
• Senior Professional: 28.68%


Which one of the following is the best fit to your functional area / department at your current company?

Respondents came from three key areas of the business:

1. Information Technology/Engineering (66.57%),
2. General Management/Strategy (18.41%) and
3. Legal/Compliance/Risk Management (15.01%).


Respondents saw themselves as taking on a range of roles with most having multiple roles as part of their mandate.

Over a third of respondents claimed privacy management fell into their primary role.

Which of the following falls into your primary role? Please select all that apply.

• Other: 1.94%
• Digital Transformation: 28.29%
• Privacy Management: 34.11%
• InfoSec: 28.29%
• Data Infrastructure: 46.90%
• IT Operations: 48.84%
• Software Development: 43.41%
• Business Management: 36.05%
• Legal: 10.47%
• Risk and Compliance: 38.37%
• Data Governance: 46.90%


Within their primary roles, most respondents had either primary/final decision making authority, or were on the decision making committee/had significant influence.

[Chart: “You’ve mentioned that the following are a part of your primary role. Please indicate your personal decision making involvement for each within your current company.” Stacked bars per role (Risk and compliance, Legal, Business management, Software development, IT operations, Data infrastructure, InfoSec, Privacy management, Digital transformation, Data governance) with three response levels: “I have little or no influence”, “I’m on the decision-making committee or have significant influence”, “I am the primary / final decision maker”.]


Firmographics

Multiple departments impact decisions related to data privacy. Data privacy management is clearly a multidisciplinary endeavor.

Which of the following roles / departments have an impact on decisions related to data privacy within your current company?

• Other: 1.55%
• None of the above: 0.39%
• Digital Transformation: 28.29%
• Privacy Management: 50.00%
• InfoSec: 43.35%
• Data Infrastructure: 49.22%
• IT Operations: 58.91%
• Software Development: 31.78%
• Business Management: 31.01%
• Legal: 56.98%
• Risk and Compliance: 60.47%
• Data Governance: 46.90%


What was your company’s revenue in 2018?

• $25 to $250 Million: 13.95%
• $250 Million to $1 Billion: 16.67%
• $1 to $10 Billion: 36.43%
• Over $10 Billion: 32.95%

Large enterprises were well represented with 69.38% of firms having over $1 billion in annual revenues.


Approximately how many full-time employees are employed by your company at all sites and locations? If unsure, please provide your best estimate.

• 10.46% work at organizations with between 500 – 1,000 employees
• 27.13% work at companies with 1,000 to 5,000 employees
• 62.40% work at enterprises with 5,000 or more employees

89.53% of firms had over 1,000 employees.


What is your company’s primary industry?

• None of the above: 1.55%
• Government: 6.59%
• B2B: 13.95%
• B2C: 15.89%
• Healthcare: 17.83%
• Financial Services: 20.93%
• Information Technology: 23.26%

Highly regulated industries were well represented:

• Financial Services (FinServ, Banking & Insurance) at 20.93%
• Healthcare (Healthcare, Pharma, or Medical Devices) at 17.83%
• Government at 6.59%

The remaining industries were:

• Information Technology at 21.32%
• Predominantly B2C industries at 17.03% (spread across automotive, consumer goods, hospitality & travel, e-commerce, food & beverage, media & entertainment, retail, utilities, and telecom/wireless)
• Predominantly B2B industries at 16.03% (spread across advertising, manufacturing, professional services, energy, mining & minerals, logistics, transportation, and distribution)


Data Privacy Management Budgets

Companies are dedicating serious resources to data privacy management. Although 24.03% of respondents didn’t know if there was a data privacy management budget, of those that did know, 80.10% had budgets dedicated to data privacy management.

Does your current company have a data privacy management budget? (N = 196)

• Yes: 80.10%
• No: 19.90%


Almost a third of respondents (29.30%) didn’t know what their data privacy management budget was in 2018.

For those that did, budgets varied widely, from less than $100,000 to $5 million or more per year.

How much did you spend on data privacy management in 2018? Note: This includes spend on people, technology, consulting, etc. (N = 157)

• Less than $100k: 6.31%
• $100k to $500k: 32.43%
• $500k to $1M: 20.72%
• $1M to $2M: 18.02%
• $2M to $5M: 6.31%
• $5M or more: 16.22%


About half (49.68%) of data privacy budgets are concentrated in IT departments (InfoSec, data infrastructure, IT operations, and software development). 18.47% of budgets are concentrated in legal, risk, and compliance departments. Only 11.46% of data privacy budgets are concentrated in the privacy management department. In 10.19% of organizations, it’s not clearly defined.

Technology leaders are increasingly being tasked with operationalizing their companies’ data privacy management program. Why? At its core, data privacy is a data issue, and privacy is an outcome of a comprehensive data protection strategy.

In which department does the majority of data privacy budget reside? (N = 157)

• Other: 1.27%
• It is not clearly defined: 10.19%
• Digital Transformation: 1.27%
• Privacy Management: 11.46%
• InfoSec: 17.20%
• Data Infrastructure: 5.73%
• IT Operations: 24.20%
• Software Development: 2.55%
• Business Management: 0.64%
• Legal: 5.73%
• Risk and Compliance: 12.74%
• Data Governance: 7.01%


Financial Services Cohort

Financial services had the majority of their data privacy budgets in InfoSec 25% of the time vs 14.88% for non financial services companies, and also had over double the proportion of respondents citing data infrastructure (11.11%) vs only 4.15% of the time for other industries.

[Chart: In which department does the majority of data privacy budget reside? Financial services cohort, N = 36.]


Non Financial Services Cohort

Non-financial services had their data privacy budgets in IT operations 28.93% of the time.

[Chart: In which department does the majority of data privacy budget reside? Non financial services cohort, N = 121.]


[Chart: What approximate spend changes do you foresee in 2019? Response ranges run from “50% to 75% decrease” to “Over 100%”. N = 157.]

Unsurprisingly, most organizations (87.49%) are increasing their data privacy management budgets in 2019. Almost one third (32.8%) of respondents are increasing their data privacy management budgets by 25% or more.


Projects impacted by Data Privacy

The current regulatory environment is driving urgency around projects to prove regulatory compliance (67.44%), which includes responding to what GDPR calls data subject access requests or DSAR (51.55%), enforcing data retention and classification policies (66.28%), and responding rapidly to breaches (54.26%).

But data privacy impacts much more than regulatory compliance efforts. When done right, data privacy management supports the broader enterprise control framework: regulations, policies, and contracts. For example, proving compliance with business obligations like data sharing agreements was cited by 62.79% of respondents.

Which, if any, of your current company's projects are currently impacted by privacy concerns? Please select all that apply.

• Other (please specify): 2.22%
• None of the above: 4.44%
• Accelerating AI / ML projects: 23.89%
• Scanning & tagging data flowing in and out of data lakes: 32.22%
• Assessing risk in M&A transactions: 33.33%
• Responding rapidly to breaches: 52.22%
• Responding to data subject access requests: 52.22%
• Staying in compliance when migrating apps to the cloud: 56.67%
• Proving compliance with business obligations like data sharing agreements: 60.56%
• Proving regulatory compliance: 67.78%
• Enforcing data retention and classification policies: 69.44%


Data lakes ingest disparate pieces of customer data from a variety of sources. When combined, this data has the potential to reveal customer identities along with highly sensitive personal information. So, it’s no surprise that almost a third of respondents (32.95%) cited the impact of privacy for projects that scan and tag data flowing in and out of data lakes.

As data is acquired through the M&A process, data lakes and other datasets can become contaminated with unexpected, inappropriate, or problematic data. Increasingly (34.11%), M&A due diligence includes the inspection of the data being acquired. This allows organizations to properly evaluate the risk prior to merging large datasets.

Finally, when data is locked down for fear of misuse, data scientists don’t get timely access to the streams and feeds they rely on for their machine learning models.

So, it’s no surprise that AI / ML projects were cited by almost one in four respondents (24.03%).


Data Privacy Now Integral to Data Protection

Forward looking organizations are treating privacy as part of a broader data protection strategy where privacy tells you what’s important and why, and security is the how.

[Diagram labels: Data Protection; Protected Usable Data; Privacy (What data is important and why); Security (How those policies get enforced); Discovery & Classification; DSARs; Alerting; Contracts; Policies; Regulations; Encryption; Network Security; Access Control; Activity Monitoring; Breach Response; DLP/CASB]


Data Sharing Agreements

As noted previously, privacy issues on data sharing agreements, like the one that existed between Cambridge Analytica and Facebook, were a concern for 62.79% of respondents.

40.33% of respondents had 50 or more data sharing agreements in place.

How many data sharing agreements does your current company have where data is either entering or leaving your organization?

• 50 or more: 40.33%
• 10 to less than 50: 30.94%
• Less than 10: 23.76%
• None: 4.97%

Healthcare Industry Cohort

An analysis of the healthcare industry cohort (N = 46) revealed that 50% of healthcare firms had 50 or more data sharing agreements. That’s a variance of 28.93% more than the non-healthcare cohort (38.78%). This is probably due to the highly intertwined nature of the healthcare industry (EHRs, insurance, etc.).


Respondents were much more confident in their own ability to respect data sharing agreements than their partners’ ability to reciprocate in kind (there was a 43.08% increase in Very confident and Extremely confident levels in their own compliance efforts vs their partners).

Lack of confidence had an even higher variance with 84.08% more respondents being Not at all confident or Not so confident in their partners abiding by the terms of data sharing agreements vs their own compliance levels.

How confident are you that your current company is using data in compliance with the terms of your data sharing agreements?

• Extremely confident: 21.58%
• Very confident: 43.98%
• Somewhat confident: 28.22%
• Not so confident: 5.81%
• Not at all confident: 0.41%


There’s often a disconnect between what has been agreed to on paper by lawyers and what’s happening with the actual data, because the people who negotiate the contract differ from those shipping the data and/or there are no controls in place.

Also, the way contracts are written is not necessarily the way data is represented. The word "location" might appear in a contract, but the data set contains latitude and longitude values. Therefore, businesses must account for how data elements might be combined to fit the legal terms on their data sharing agreements.

How confident are you that your partners are using the data that you provide to them in compliance with your data sharing agreements?

• Extremely confident: 14.10%
• Very confident: 31.72%
• Somewhat confident: 42.73%
• Not so confident: 11.01%
• Not at all confident: 0.44%


Data Privacy Management: Technical Maturity

Surprisingly, few surveyed (5.42%) expressed a lack of confidence in their company’s ability to define what is personal information. 37.98% said they were very confident and 31.78% said they were extremely confident.

[Chart: How confident are you in your current company’s ability to accurately define what constitutes personal information?]

Are respondents falling victim to overconfidence? We think so. Sensitive data has an evolving nature. What's considered a sensitive category or piece of data today may not be considered sensitive tomorrow, and vice versa.

Understanding derivative personal data is important, yet challenging. For example, food choices on a flight can infer religion.

Data flowing in and out of data lakes is also a blind spot for many respondents. Data lakes ingest disparate pieces of customer data from a variety of sources. When combined, this data has the potential to reveal customer identities along with highly sensitive personal information.


87% of the US population can be identified using only their Zip Code, Gender, and Birthdate. *

*Source: https://dataprivacylab.org/projects/identifiability/paper1.pdf


How many company data sources does your current company need to access to get a defensible picture of where all sensitive data resides?

• 200 or more: 13.43%
• 100 to less than 200: 10.45%
• 50 to less than 100: 20.90%
• 10 to less than 50: 32.34%
• 1 to less than 10: 22.89%

Companies are being inundated with data. A single bank transaction may get replicated across a hundred data repositories. Companies are constantly purchasing data from third parties to build better customer profiles. In addition, as companies consolidate through mergers and acquisitions, they acquire completely unknown datasets and data transfer agreements between business partners.

In this environment it’s not surprising that almost half (44.78%) of respondents said they needed to access 50 or more data sources to get a defensible picture of where their sensitive data resides.


Yet 44.57% of respondents take inventory of personal data less than once a year or in reaction to an audit.

How often do you update your inventory of personal data and where it resides?

• Other: 6.20%
• We don't take an inventory of personal data: 6.20%
• If audited, or in reaction to an event like GDPR: 10.08%
• Once every 2 years: 1.16%
• Once a year: 27.13%
• Real-time: 49.22%


Cohort Analysis | NO real-time inventory

Manual, survey-based approaches don’t work in an environment of exploding, ever-changing data.

This cohort doesn’t take a real-time inventory of personal data or where it resides, yet 40.46% of them were Very Confident or Extremely Confident that they knew exactly where personal data resides.

This same group claimed that privacy concerns impacted projects typically characterized by data in-motion:

• 58.78% cited Proving compliance with business obligations like data sharing agreements
• 29.77% cited Scanning and tagging data flowing in and out of data lakes
• 19.08% cited Accelerating AI / ML projects

Data in-motion is going to be a blind spot for them on these projects, and their current high levels of confidence in knowing where personal data resides are likely unmerited.

How confident are you in your current company’s understanding of exactly where personal data resides? (N = 131)

• I don't know: 3.89%
• Extremely confident: 8.40%
• Very confident: 32.06%
• Somewhat confident: 43.51%
• Not so confident: 11.45%
• Not at all confident: 2.29%


Cohort Analysis | Real-time inventory

Those that did take a real-time inventory were much more confident. 81.1% were Very Confident or Extremely Confident of their company’s understanding of exactly where personal data resides.

The bottom line? If you’re not taking a real-time inventory of personal data then how can you know what data is sitting in your organization? Point-in-time knowledge is obsolete within a day due to the constantly changing nature of data in a hyper-connected world.

[Chart: How confident are you in your current company’s understanding of exactly where personal data resides? Real-time inventory cohort, N = 127.]


50.66%

71.60%

53.13%

66.47%

86.86%

31.58%

21.89%

29.38%

24.55%

12.57%

2.15%

6.51%

17.50%

8.98%

0.57%

Data in motion (data flowing into a data lake, out of a Hadoopcluster, etc.)

Cloud-based Applications (Salesforce, Workday, etc.)

Semistructured data (XML and JSON)

Unstructured data (Google Drive, Email, etc.)

Structured data (Oracle, SQL, etc.)

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Which, if any, of the follow data types are included in yourcurrent company’s data privacy initiatives?

Continuous defensibility to meet compliance requirements boils down to doing two things well:

1. Understanding where sensitive data resides across all data source types.

2. Mapping data back to existing data handling obligations.

Point one was a mixed bag among survey respondents. Traditional data sources like relational databases are included in most (85.84%) data privacy initiatives. Cloud-based applications had good coverage (70.48%), as did unstructured data (65.35%). But data in-motion appears to be the laggard at 50.25%.

Analyzed another way, an alarmingly low 16.67% of respondents were including all five data types in their company’s data privacy initiatives.


[Chart: What tools/software do you use to discover and track the location of personal information? Please select all that apply. Tools: Automated data discovery; Metadata management; Data loss prevention or other data security tools; Data governance; Data catalog; Automated survey and workflow; Homegrown scripts; All manual (e.g. surveys or spreadsheets). Series: Not in use nor plan, Planning to use, Currently Using.]

The vendor landscape for discovering and tracking the location of personal information is crowded, diverse, and confusing for buyers. Despite lots of tooling, only 16.67% of respondents are currently incorporating all five data types in their data privacy initiatives.

With so many DLP and other IT security vendors claiming to solve for regulations like GDPR, it’s no wonder that respondents (81.14%) view these tools as helping them discover and track personal information. However, DLP is more about stopping insider threats and keeping end users from leaking sensitive data (emailing it out).

77.06% of respondents reported using methods such as manually updated spreadsheets and surveys to track and inventory personal information while 61.14% rely on custom-written computer code.


Surveys: Inaccurate and Time Consuming

Challenges

• Point in time

• Doesn’t scale

• Evolving definition of PI

• Streaming data is blind spot

Business Obligations: Regulations, Contracts, Internal

Data sources

• Structured Databases: Oracle, MSSQL, MySQL, DB2

• Big Data: Hadoop, Snowflake

• SaaS: Microsoft O365, Salesforce

• Data-in-Motion: Kafka, Amazon Kinesis

• Additional Sources: JDBC Connectors, RESTful APIs

• Unstructured File Shares: Google Drive, Microsoft OneDrive

Data Privacy Management Organizational Maturity

Organizational maturity for data privacy management is higher and more consistent than technical maturity.

90% of respondents had a data privacy and awareness program in place.

[Chart: Does your current company have a data privacy training and awareness program? Yes: 90.00%; No: 10.00%]

81.62% had a process in place to evaluate the sensitivity of different datasets.

[Chart: Does your current company have a process in place to evaluate the sensitivity of different data sets? Yes: 81.62%; No: 18.38%]

And 93.36% have a process in place to identify and mitigate privacy risk.

[Chart: Does your organization have a process in place to identify and mitigate privacy risk? Yes: 93.36%; No: 6.64%]

Organizations are also mature when it comes to handling customer consent, and communicating when things go wrong. 82.73% have policies, procedures, and mechanisms in place to track customer consent across channels.

[Chart: Does your organization have policies, procedures, and mechanisms in place to track customer consent across channels? Yes: 82.73%; No: 17.27%]

And almost all of those surveyed (96%) have policies and procedures in place to respond to a data breach.

[Chart: Does your current company have policies and procedures in place to respond to a data breach involving personal data? Chart labels as printed: 04.00% Yes; 96.00% No]

Yet when technology is reintroduced to the equation, numbers begin to drop. 67.74% have an automated way to discover whose data was breached. This is not surprising given the lower levels of data privacy technical maturity reviewed in the previous section.

[Chart: Does your organization have an automated way to discover whose data was breached? Yes: 67.74%; No: 32.26%]

Data Privacy Team Size

An impressive 94.27% of respondents had data privacy teams in place, and over a quarter of respondents (28.19%) had data privacy teams of 25 or more.

[Chart: How many employees are a part of your data privacy team? Note: Team can include full-time, part-time employees as well as consultants. N = 227]

50 or more: 20.70%
25 to less than 50: 7.49%
10 to less than 25: 19.38%
5 to less than 10: 22.47%
3 to less than 5: 15.42%
Less than 3: 8.81%
We don't have a data privacy team: 5.73%

Team Meeting Cadence

About a third of data privacy teams (32.65%) meet at least once a week. About a fifth (20.41%) admitted to meeting once a quarter or less. Infrequent collaboration could be a leading indicator of data privacy vulnerability, especially given that so many departments/roles have a stake in data privacy management.

[Chart: How often do team members meet to discuss data privacy? Response options: It is not fixed, Once a year, Once every quarter, Once every 2 weeks, Once a week, More than once a week. N = 216]

International Regulatory Preparedness

Of companies that agreed that these international regulations applied to them, respondents were best prepared for GDPR with 35.85% scoring themselves as Fully Prepared. Very few respondents scored themselves as unprepared (1.42%).

Respondents were fully prepared for GDPR at more than double the rate for the Australian (14.71%), Japanese (16.67%), and Chinese (14.04%) privacy laws. Levels of unpreparedness were also much higher for these laws.

[Chart: How prepared are you for each of the following regulations? Regulations shown: China's Cyber Security Law, Japan's Personal…, Australia's Privacy Act, General Data Protection. Series: Unprepared, Basic Only, Well Prepared, Fully Prepared.]

Domestic Regulatory Preparedness

Of companies that agreed these US regulations applied to them, respondents had similar levels of preparedness for California, New York State, and Colorado laws. Very few respondents scored themselves as unprepared for any of these US laws.

[Chart: How prepared are you for each of the following regulations? Regulations shown: Colorado's Consumer Data, California Consumer, New York State Department. Series: Unprepared, Basic Only, Well Prepared, Fully Prepared.]

Perspectives

79.46% thought there should be a federal privacy law.

[Chart: Do you think there should be a federal privacy law in the United States? Yes: 79.46%; No: 7.36%; Unsure: 13.18%]

80.62% of respondents thought businesses risk losing customers due to inadequate data privacy practices.

[Chart: Do you think that businesses risk losing customers due to inadequate data privacy practices? Yes: 80.62%; No: 13.57%; Unsure: 5.81%]

And well over half (55.81%) thought that employers risk losing employees due to inadequate data privacy practices.

[Chart: Do you think that employers risk losing employees due to inadequate data privacy practices? Yes: 55.81%; No: 20.93%; Unsure: 23.26%]

About Integris Software

Integris Software, the global leader in data privacy automation, helps enterprises discover and control the use of sensitive data in a way that protects privacy and fuels innovation. Regulations like GDPR and the California Consumer Privacy Act (CCPA) are triggering knee-jerk reactions as companies lock down their data for fear of misuse. Integris empowers security, privacy, and data governance leaders to make fact-based decisions about the use and transfer of customer data.

By working securely, at scale, no matter where data resides, Integris provides customers with an accurate and continuous picture of their data privacy landscape. With Integris, there is finally a way to use your data without fear.

For more information on Integris, visit www.integris.io or follow @Integrisio on Twitter.

1525 4th Avenue | 5th floor Seattle, WA | 98101-1607

+1 (206) 539-2145
