Most organizations are ill-equipped when it comes to meeting upcoming compliance standards for data privacy, according to a new CYTRIO report focused on GDPR and California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) Data Subject Access Request (DSAR) requirements.
However, the results also indicated that noncompliant companies are making progress moving up the compliance maturity curve by moving to automate processes.
A major stumbling block for nearly all organizations surveyed is the cost and complexity of data privacy management solutions.
Vijay Basani, CEO of CYTRIO, says the most concerning survey finding was that 52% of respondents who said they need to comply with the CCPA and CPRA do not provide a mechanism for consumers to exercise their data privacy rights.
"This means more than half the companies are electing to ignore data privacy and do not feel they need to respect the rights of consumers and their customers," he says.
Organizations that are still using error-prone and time-consuming manual processes for GDPR and DSAR requirements could be doing so because they are receiving a very low volume (one to five per year) of data requests.
"This could be a function of consumers not being aware of their data rights, such as right to access, right to delete or do not sell my information, and lack of active enforcement and fines for noncompliance in the U.S.," Basani says.
Bryan Cunningham, advisory council member at Theon Technology, explains that many compliance programs are run mostly by lawyers or financial professionals ill-equipped to evaluate technology and often "somewhat luddite" in their adoption of new technology.
"They are also highly risk averse and, partly because of their lack of understanding, skeptical that automated processes can ensure compliance without manual, human supervision," he says.
In addition, highly performant, trustworthy, and affordable technologies to do this type of work are not yet readily available, despite many vendors working to develop and sell solutions.
Privacy Management Solutions Complex, Costly
Most first-generation data privacy management solutions offer effective workflow automation capabilities but do not provide automated data discovery capabilities, Basani says.
Data discovery and identifying all personal information (PI) data belonging to a specific individual is the most time-consuming task.
"A typical company will save bits and pieces of PI data in many data stores, including structured databases and unstructured data stores, such as SharePoint, Office 365, Mailchimp, AWS S3, and so on, as well as SaaS applications such as Salesforce, HubSpot, and Shopify," he explains.
Developing technology to discover PI data in structured, unstructured, and software-as-a-service (SaaS) applications is not easy and requires significant investment.
"Technology tools that do this are costly to procure and take time to deploy," Basani says. "It requires various data stakeholders to collaborate during deployment and to respond to a data request."
To effectively respond to data subject requests, the solutions need to have visibility across a broad variety and significant volume of data store types and cloud environments, according to Claude Mandy, chief evangelist of data security at Symmetry Systems.
"The permissions and integrations required for responding to these requests are a challenge of complexity and scale," he says.
Adding to the cost for most solutions is the fact that many organizations have taken a traditional SaaS approach, requiring them to index this data to the solution provider's only environment, driving up storage and network costs.
Keys to Holistic Data Privacy Management
It should also provide an easy mechanism for a consumer to exercise their data privacy rights, such as right to access or delete their information.
Stakeholders include legal and compliance teams, data owners, data processors, and data users in an organization.
Refining the policy from the actual practice to desired state will require involvement from general counsel, security, privacy, and data teams.
"Most important are business stakeholders, who can describe how the personal information is used and why it is necessary," Mandy adds.
Compliance Requirements Likely to Grow in 2023
The CYTRIO report comes as a growing number of states weigh their own privacy legislation, following moves by California, Colorado, Virginia, and, most recently, Utah.
"We should expect data privacy compliance to continue to move forward in several states in 2023," Basani says.
He notes that as enforcement begins in several states, in addition to CPRA going to effect on Jan. 1, 2023, there will be enhanced consumer education about their data privacy rights.
"As CPPA turns its attention to CPRA enforcement with significantly more resources, we expect a meaningful increase in CPRA enforcement action and fines under CCPA/CPRA," he says.
Increased numbers of CCPA/CPRA fines and media coverage will result in greater consumer education about their data privacy rights, Basani adds.
"We saw this happen under GDPR in Europe, and we will see this happen with CCPA/CPRA," he says. "Employees’ rights to data privacy under CPRA should also increase the number of complaints and potential fines for noncompliance under CPRA."
As more states develop their own flavor of state privacy laws, the privacy landscape will continue to become more complex, adds Mandy Pote, managing principal of strategy, privacy, and risk at Coalfire.
"Organizations may find it difficult to keep up with new requirements – understanding applicability and determining reporting requirements," she says.
From her perspective, the best solution is to adopt a comprehensive data privacy program with the objective of implementing the most stringent set of privacy control requirements such that they follow current and future privacy laws.
"Rather than applying this program to certain systems or a certain subset of data, privacy should be blanketly implemented across the organization to ensure proper coverage," she notes.