Privacy platform Transcend has released new research into how companies steward the personal data they process and store. Based on a survey of technical leaders across different industries, the findings from the firm’s 2022 State of Data Visibility Report paint a stark picture of how well companies know how and why they use customer, user, and employee data, and where it is stored.
The research found that:
- Two-thirds of survey respondents say their company still doesn’t have an accurate picture of the personal data it holds, the result of system sprawl, reliance on manual processes, and insufficient resources. This is against a backdrop of increased privacy regulations and technical requirements from industry leaders like Apple.
- Compounding this visibility challenge, 57 percent of those surveyed say new systems containing user data are added weekly, in some cases daily, within their companies, but only 22 percent have implemented automated data discovery and inventory approaches, exposing compliance and data security gaps.
- Over 50 percent of companies will need more than a year, multiple internal teams, and an external vendor to discover all data systems and create a unified data map.
“These results paint a troubling picture of corporate readiness for the increased stress privacy programs will face—if it’s not being felt already—in complying with new laws, new requirements, and heightened consumer expectations of agency over their personal data, made worse by a baseline lack of real-time visibility into the data they hold,” said Brandon Wiebe, Transcend general counsel and head of privacy, in a news release.
“Many of today’s manual data inventory exercises fall short because the act of documenting the data is abstracted from where the data actually lives. Companies are far too reliant on individual system owners to surface up processing information, or make best-guess inferences,” said Wiebe.
“As long as there’s daylight between the privacy organizations that are charged with complying with regulations, and the data plane where personal information is actually processed, privacy compliance, data security, and honoring data rights will always be unscalable.”
The research also found that when asked what was blocking their data inventory projects, 62 percent of respondents cited lack of support from leadership, while 31 percent cited insufficient budget.
A complete data inventory is foundational to fulfilling many privacy law requirements: completing data subject requests (DSR) for data access, rectification, and deletion, identifying risky data processing activities, and creating and maintaining records of processing activities (ROPA)—a requirement of GDPR Article 30. In spite of this, the firm’s research found that 68 percent of companies still rely on manual lists or ad hoc cross-functional communication to identify which systems should be included in their DSR workflows.