How does your privacy program stack up?

Are privacy professionals doing a good job when it comes to managing the safety and security of their organization's data? We decided to ask them. Learn what we found.

Written by Adam Roberts

October 4, 2024

Privacy professionals are responsible for ensuring the safety and security of an organization’s data. They need to understand the data their organization holds, so they can ensure it is being managed correctly in line with regulations.

But are they actually doing it? How do privacy professionals rate themselves when it comes to their performance?

At the recent IAPP Privacy. Security. Risk. 2024 event, we decided to find out.

Our goal was to identify how privacy professionals feel their organizations are positioned from a privacy maturity standpoint. At the event – which hosted companies that range from under 100 to more than 5000 employees – we asked around 200 privacy pros about how much data they have, how well they understand it, and how they’re managing their data.

Here’s what we found:  

Q. How much data does your organization have?

We got two interesting data points from this question.  

  • The amount of data organizations hold is becoming massive. Most organizations knew how much data they had, and 44% of respondents said their organization had either 1-100 petabytes or more than 100 petabytes of data.
  • But enterprise-scale companies have problems with data discovery — 24% of respondents with 5000+ employees do not know how much data their organization holds.

To be clear, this question asked for answers with a low level of specificity – an order of magnitude was all we were after. If you can’t estimate the amount of data your organization holds, how can you hope to manage and protect it? It is extremely concerning that so many people were in the dark on how much their company held.

Q. How much of your data does your current privacy program cover?

The next obvious issue is, do our privacy pros know how much of their data contains Personally Identifiable Information (PII) and other sensitive information? Armed with this knowledge, they can better manage access, retention, and security settings applied in line with relevant privacy regulations.

Here again we see some worrying signs, with 37% of respondents saying 50% or less of their data is covered under their organization's privacy program. That means they do not know how much sensitive data they have, and therefore cannot guarantee that it is being managed appropriately, safely, and securely. That is a big source of risk. In the event of an audit or a cybersecurity incident, such an organization will be in a much worse position.

Q. Has your organization been the subject of a data breach in the last year?

For this question, we allowed respondents to choose between three options: yes, no, and don’t know.

Of these, the answer we were really watching out for was “don’t know”. There are two reasons someone might state they did not know whether or not they had a data breach, both concerning in their own way:

  • They were uninformed about cybersecurity issues in their organization.

Or

  • Their organization lacked the ability to track cyberattacks.

Given the attendees and their roles in their organization, the idea they were out of the loop and so would not know of a data breach was extremely concerning. The idea that their entire organization was “out of the loop” on cybersecurity issues was worse.

(There exists a third possibility, that the respondents did not believe our promises of anonymity and chose not to answer honestly, but let’s put this one aside for this article.)

Given this context, we were prepared to treat a “don’t know” as a “yes”. And indeed, 39% of respondents said they either had had a data breach, or they did not know either way, an extremely concerning result.

Assessing the results

While we await further data and the full report, what are we to make of these initial results? One dominant theme is that of ignorance. While the survey was conducted anonymously, it is not a stretch to imagine privacy managers who do not know how much data they have, how much of that data contains PII, and whether or not it has been accessed in a breach. But ignorance in any one of these areas leads to risk, and removing ambiguity should be a priority for any privacy professional. It would be unrealistic to imagine perfect, 100% coverage of your data, but you should at least understand how much you have and have identified the sensitive information.

Meanwhile, we are out and about at events, talking to organizations about their data challenges. As we collect more data, stay tuned for the full survey results.

Driving privacy maturity in your organization

As this survey has shown, data and security leaders, especially those at large organizations, struggle with knowing where their sensitive information lives. With a single platform to find and classify all your data, the RecordPoint platform can help improve data discoverability, reduce the cost of data storage and management, and drive data-driven decision-making.

The platform’s unified architecture allows for connection to a wide range of data sources, including file shares, cloud platforms, and business applications. This flexibility ensures that regardless of where the data originates or its format, the platform can efficiently manage, classify, and govern it throughout its lifecycle.

By consolidating data inventory, data categorization, data minimization, and records management into a unified platform, you can empower your organization to maximize data value and reduce risk at the same time, increasing staff productivity and future-proofing the business for tomorrow.

If your organization struggles with data discovery and understanding, RecordPoint can help. Take a tour and see for yourself.
