Businesses have far more personal data than they think they have, and information expands by the hour. This is a key finding from an April 2019 Data Privacy Maturity Study from Integris Software – www.integris.io. Data flows change daily, and yet many businesses rely on spreadsheets and annual surveys to learn what data they house, resulting in inaccurate information that risks reputation and non-compliance. Kristina Bergman, Integris’ founder and CEO, offers important insights in this podcast about how business can deal more effectively with avalanches of data and blizzards of national and state data privacy regulation through an automated approach to the inventory of data.
The Integris study garnered responses from over 250 mid-to-large businesses, all with revenues over $25 million, a third with revenues over $10 billion and most with more than 5,000 employees. In businesses of this size, certain categories of held data are obvious – HR, financial, customer details. But derivative data flows include vast amounts of personal credit card, medical, experiential (movies watched in hotel rooms) and other information about employees and business chain personnel. A real-time inventory of data through automation is inherently more accurate to know what data a business holds.
The Integris study’s first key finding is that there is overconfidence among data privacy managers. Many reported great confidence in their management of sensitive data despite taking a data inventory once a year. Less than 20% of those surveyed reported the ability to access sensitive data across five common data source types.
Second, “Data privacy impacts much more than regulatory compliance.” While GDPR’s threat of fines up to 4% of global revenue grabbed the attention of business, the need for good data management goes far beyond compliance. A minority but significant percentage of survey respondents reported favorable impact of enhanced data privacy management on subjects such as M&A due diligence, data lake hygiene and business reputation.
Third, data sharing agreements have proliferated, with 40% of respondents reporting having 50 or more data sharing agreements with other businesses. A signed agreement is not self-policing. A majority of respondents were not confident that the other signing business is complying with data sharing agreements, though they were rather confident that their own business is respecting what the business signed.
The fourth key finding is that 50% of data privacy management budgets are housed in IT departments, with IT professionals tasked to take a company-wide approach to overall data protection beyond the technical aspects of handling data flows. Ms. Bergman finds this a positive development – indicating businesses are increasingly aware of turning to automation and information technology solutions to achieve effective management and protection of personal data that a company gathers, including how to deal with types of data not needed by the business, types of personal data that represent a risk without positive benefit.
Is it time for governments and business to classify types of data in a manner that will be common globally and helpful in achieving a proper balance among the interests of convenience, commerce and personal privacy? Ms. Bergman is doubtful global agreement on personal privacy standards is likely soon. Cultural differences are great. In the continuing shadow of World War II, Europe’s definition of sensitive personal data will be quite different from the relatively free spirit prevalent in the United States. A different balance between individual and governmental rights will be struck in societies as different as China and the USA.
Click here to access the Integris Software 2019 Data Privacy Maturity Study:
www.integris.io – https://integris.io/wp-content/uploads/2019/04/Integris-Software-2019-Data-Privacy-Maturity-Study.pdf
For more information, please contact Joe Dehner or any attorney in Frost Brown Todd’s Privacy and Data Security Law Practice Group.
To share your thoughts or questions about this or other Data Privacy Detective podcast episodes, send a message to info@thedataprivacydetective.com. And remember – protecting your personal information begins with you.