Insights on privacy practices and data governance

Privacy is evolving, and organizations that don’t keep up risk being left behind – and paying a high price for it. Explore our report for deep insights into the changing face of privacy programs and the attitudes that are shaping this evolution.
Written by Adam Roberts
Reviewed by Amanda Laviana

The big picture

In today's rapidly evolving landscape, with data breaches growing in frequency and more regulatory complexity than ever, organizations need to ensure their data practices are compliant while safeguarding vast amounts of both structured and unstructured data.

For this report, we surveyed privacy professionals across various industries to uncover trends and insights on how companies manage their data privacy programs.  

The findings offer valuable perspectives for leaders who want to enhance their data governance strategies. Our goal was to identify how privacy professionals feel their organizations are positioned from a privacy maturity standpoint.

Key findings

Industry participation: The survey saw responses from privacy professionals primarily in the Financial Services and Energy & Utilities sectors, two industries known for handling sensitive and highly regulated data.
Organization size: Most respondents work in medium-to-large organizations, with 60% of companies having between 101 and 1000 employees, and 20% reporting more than 5000 employees. Larger organizations face unique challenges in implementing privacy programs at scale, highlighting the need for robust governance frameworks.
Data volume: 60% of respondents reported managing 1-100 petabytes (PB) of data, while 40% estimate handling 10-100 terabytes (TB). These are substantial volumes of data, which reinforce the need for effective data visibility and classification practices across privacy programs.
Privacy control coverage: It’s encouraging that 80% of respondents are applying privacy controls to both structured and unstructured data, but the other 20% indicated uncertainty, suggesting a gap in visibility or understanding of their data environment.
Privacy program scope: Despite privacy regulations pushing companies to be more transparent and accountable, 60% of organizations report that their privacy program covers only a third of their data. Another 20% have reached half coverage, and 20% are nearing 70%. There’s plenty of room for growth as companies look to extend their privacy initiatives to the entire data landscape.
Breach involvement: Alarmingly, 60% of respondents reported experiencing a data breach in the last 12 months, which gives us a stark reminder of the continuous threat facing enterprises. These breaches highlight the importance of proactive privacy and security measures.

In-depth analysis

Industry focus: financial services and energy utilities lead the charge

Unsurprisingly, in industries like Financial Services and Energy & Utilities, where compliance with strict regulations such as GDPR, CCPA, and SOX is mandatory, privacy programs tend to be more advanced.

Financial services organizations handle sensitive personal information and financial data, making them a top target for breaches and privacy violations. The need for robust data governance frameworks, and strong privacy controls, is therefore paramount in this sector. The presence of energy companies in this survey reinforces the reality that privacy concerns are now extending beyond traditional tech and finance sectors into other industries with vast amounts of operational data.

Organization size and the complexity of data management

A significant portion of respondents come from organizations with 101–1000 employees, a tricky size, where privacy programs typically start to mature but may still face challenges related to resources and scaling privacy efforts.

Larger enterprises (5001+ employees) may be well-resourced, but they face new challenges related to scale. They process immense amounts of data, often across multiple regions, and may find it harder to control it. As a result, it can be difficult for them to implement uniform privacy controls, which explains the varied levels of coverage reported in the survey.

Data volume: a burden or an opportunity?

The amount of data an organization possesses plays a major role in its privacy approach. The results here show most companies are holding onto a significant volume of data. Most respondents estimate their organizations are managing 1–100 petabytes, but 10–100 terabytes was also a common response.

The sheer volume of this data creates challenges with management, requiring organizations to adopt innovative solutions in data mapping, automated privacy compliance, and ongoing governance efforts.  

According to the 2024 Cost of a Data Breach report, 40% of data breaches involved data stored across multiple environments, and when breached data was stored in public clouds, it incurred the highest average breach cost at US $5.17 million. When organizations had centralized control over their data, it took 23.3% less time to identify and contain a breach (an average of 224 days vs 283 days).

Organizations managing high volumes of data like this need to focus on data minimization and on removing data as soon as defensibly possible. Removal of redundant, obsolete, and trivial (ROT) data should also be a priority.

While such significant data volumes might feel unavoidable, they are certainly not inevitable. Organizations need to confirm they only retain what they need and remove the rest.

Privacy control coverage: a cause for caution

While 80% of companies are applying privacy controls to structured and unstructured data, the remaining 20% who do not use privacy controls or who are unsure reveal a potential risk area. Without full visibility into their data environments, organizations may not realize the full extent of their compliance gaps. This uncertainty leaves companies vulnerable to breaches or regulatory penalties.

Privacy program scope: the road ahead

The most revealing statistic is the extent (or lack thereof) of privacy coverage within organizations. Despite the heavy emphasis on privacy regulations, and the risk associated with data breaches and ransomware attacks, many companies have only begun to scratch the surface when it comes to data governance.  

60% of respondents say they’re covering just 30% of their data with privacy measures, an extremely concerning result. The data suggests a clear opportunity for companies to expand their privacy programs to meet regulatory requirements and mitigate risk.

Jumping back to the Cost of a Data Breach report, for organizations that had shadow data residing in unmanaged data sources, a breach cost 16.2% more, or an average of US $5.27 million.

Data breaches: a sobering reality

The survey’s most concerning finding is that 60% of organizations have experienced a breach in the last year.

This statistic serves as a stark reminder that no company is immune to the growing threat of cyberattacks and data leaks. Privacy professionals must continue to evolve their strategies, leveraging technologies like AI and automation to stay ahead of increasingly sophisticated threats.

Recommendations for privacy professionals

Extend privacy coverage: A privacy program that only covers 30% of your data is not good enough. Organizations need to increase the scope of their privacy programs. Enabling better data visibility across both structured and unstructured environments is critical for compliance and breach prevention.
Prioritize unstructured data: As 80% of organizations focus on structured and unstructured data, it’s clear that unstructured data — emails, documents, and collaboration tools — can no longer be overlooked. Implement tools that allow for deeper governance of these datasets.
Improve breach response plans: With 60% of respondents having experienced a data breach, a comprehensive breach response plan is no longer a nice-to-have. These plans must include regular breach simulations, compliance with incident reporting regulations, and continual improvement of security measures. This is something organizations of all sizes must focus on.
Leverage automation and AI: You cannot manage alone. Given the growing volume of data, companies need to rely on AI-driven solutions to automate data classification, privacy program management, and breach detection. These technologies provide a scalable way to manage complex data environments.

It’s time to invest in privacy

While the survey results underscore several challenges in data governance, they also reveal opportunities for improvement. Privacy professionals, particularly in highly regulated industries, must embrace the complexities of their data environments and work toward more comprehensive privacy coverage.  

As data breaches continue to occur, organizations need to balance proactive privacy measures with the integration of technology that can handle the vast amounts of data they process daily.

This report serves as a call to action for privacy leaders to build stronger, more resilient privacy programs that can adapt to the evolving data governance landscape.

How RecordPoint can help

If any of the results or challenges highlighted in this report feel familiar, we can help you to move forward with a solution. RecordPoint can help you to ensure you discover, understand and act on your data.

Discover your data

RecordPoint’s connectors allow you to connect to any essential system: both standardized systems with common configurations, such as the Microsoft 365 applications SharePoint, OneDrive, and Outlook, and systems with unique configurations, such as Salesforce or Workday, which are often customized for organizations’ needs.

Our file analysis feature lets you maintain visibility of data stored in on-premises systems, so you can see all your data, whether it is stored in SaaS platforms or on-premises storage.

Understand your data so you can take action

Once you have visibility over your data, RecordPoint can help you take the next step: understand it, so you make better decisions around privacy, classification, retention, and disposal.

The platform’s Intelligence Signaling feature scans all incoming data and records for Personally Identifiable Information (PII) and Payment Card Industry (PCI) data. The PII it looks for includes sensitive critical PII like social security numbers, tax file numbers, driver’s license numbers, and passport details, as well as less sensitive PII like name, email, and phone.

Once you have all this intelligence, you need to ensure your data is classified for privacy and risk. These privacy signals help inform your data classification through either rules-based classification or with RecordPoint’s Classification Intelligence feature, which allows you to train a machine learning model to auto-categorize based on content and context. The models themselves can be built through a simple interface and include key features like prediction probability scores.

Once you know which data is sensitive, you can take appropriate action: manage access, ensure it’s stored securely, and remove it when you can.

The RecordPoint platform allows you to identify and remove the ROT, further reducing risk, lowering storage and other costs, and increasing employee efficiency. Automatically identifying ROT and removing it makes managing what matters much easier.

Deep reporting allows you to understand your data—and your risk—at a glance

Business intelligence (BI) reporting allows organizations to identify and reduce risk, predict market shifts, and spot data anomalies. By layering data governance metrics into your reporting, you can make better decisions to limit risk.

The RecordPoint platform’s deep reporting capabilities allow you to explore data in your BI platform of choice, including Power BI and Tableau. So, you can make decisions based on data, not your gut. Data governance metrics allow you to understand where your data is held, view trends like unsafe data-sharing practices, and surface data to comply with Data Subject Access Requests (DSAR), or requests for data to be deleted.

Discover a better platform

Understanding your data is a challenge no matter what industry you’re in.

If you’d like to investigate how RecordPoint can help, explore the platform now, or book a demo for a full walk-through.