2019 privacy analysis - ethyca€¦ · data-driven systems. we wanted to share what we’ve learned...

2019 Privacy AnalysisApproaches to Data Privacy Compliance

Ethyca 2019 Privacy Analysis 2

2019 Privacy AnalysisEvery year at Ethyca we speak to experts, customers, decision makers and competitors to learn how we can increase trust in

data-driven systems.

We wanted to share what we’ve learned with you.

Ci ll ian Kieran CEO Ethyca Inc.

For a free consultation about your privacy compliance needs, contact the Ethyca team:

email: [email protected] phone: +1 917-830-3336

mailto:survey%40ethyca.com?subject=Ethyca%202019%20Privacy%20Analysis%20Free%20Consultation%20Request

The World Has ChangedTech & Data has become a highly regulated industry.Like f inance, healthcare, transport and telecommunications.

CCPAFED

LGPD POPI

PPB

APP

APPI

PIPEDA

GDPR

4Ethyca 2019 Privacy Analysis

In a time of drastic change it is the learners who inherit the future.

The learned usually f ind themselves equipped to l ive in a world that no longer exists.”

~ Eric Hoffer

“ “


Contents .. .

2019 Privacy Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Who We Spoke To ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Privacy Budget .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Regulatory Focus .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Software Budget .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Resourcing & Readiness .. . . . . . . . . . . . . . . . . . . . . . . . . 11Priorities .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Future Planning .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13DSR & DPIA Processing Timeline .. . . . . . . . . . . . 14Engineering & Data Resources .. . . . . . . . . . . . . . . 15Solution Radar .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Dimensional Criteria .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Manual Remediation .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Internal Tools .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Privacy Workflow Tools .. . . . . . . . . . . . . . . . . . . . . . . . . 20Privacy Ops Tools .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Privacy Infra & Dev Tools .. . . . . . . . . . . . . . . . . . . . . . . 22Insights & Conclusion .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 23


2019 Privacy Analysis

Objective : Examine privacy compliance methodologies across multiple dimensions to identify the most effective approaches to scalable compliance.

In 2019, discussion about privacy and compliance is everywhere. In the news, on social media, in the boardroom and at the water cooler. Everyone seems to agree that it ’s a key challenge to enterprises of all shapes and sizes. But no one agrees on how best to tackle it.

The nature of the privacy problem for business is unique for a number of reasons, but to sum up: most decision-makers have diff iculty understanding the true costs and the true benefits of compliance-related efforts.

Compliance Stage

Timeline

Method

Budget

Stakeholders

Industry Verticals

Our objective was to understand the different ways businesses are solving for privacy compliance, and understand which ways are proving most effective. We also wanted to grasp the tradeoffs businesses face in choosing between different privacy solutions, and the particular obstacles that constrain success for a given solution. Lastly, we wanted to understand just how much attention organizations are paying to privacy. How does the amount of privacy-devoted resource vary by business size? How many businesses are content to simply manage risk and expend little to no effort on bringing their privacy infrastructure up to code? We found an interesting array of answers to each of these questions, and share them all here, along with key insights and takeaways yielded by our research.

Our hope is that this document wi ll help lend some clarity to the cost-benefit privacy compliance discussions that are taking place within businesses all over the United States, and indeed the world. It ’s the disti l led product of long hours spent gathering, standardizing, and analyzing valuable information from those on the front l ines of the issue, and the result is learnings that can be applied to the many real privacy challenges businesses face today.

In short, we hope this document helps inform your discussions in the same way that it ’s helped inform ours, and ultimately empowers your organization to practice better decision-making around data privacy compliance.

On the cost side, there’s uncertainty around everything from resource to lead-time to infrastructure overhaul. On the benefit side, it can be diff icult to understand upfront how meaningfully a given effort wi ll improve eff iciency, reporting, or actual level of compliance.

To understand the magnitude of the privacy compliance challenge, we spoke to a large group of business stakeholders - 85 to be exact - who are all trying to deal with it. They represent a cross-section of industries, company sizes, and approaches.


CISOGeneral Counsel

Privacy Team

Lead Eng.

48% 23% 43% 15%

85Industry

Sample Size

Automotive

eCommerce

Manufacturing

Marketplace

Marketing

SaaS

Platform

Ad Tech / Data Sales

06

Growth

Large

Startup25%

40%

30%

85Industry

Sample Size

85Industry

Sample Size

200 - 499 500+0 -99 100 - 199

12% 18% 43% 27%

85 Companies

Company Life Stage

Company Scale

Surveyed Stakeholders

Data sourced from 85 companies across industry verticals.

Companies represented by headcount.

Survey conducted across all major responsible stakeholders for Privacy Compliance.

Companies assessed by life stage.

Who We Spoke To

Surveying a breadth of sectors - from legacy industrial enterprises in manufacturing and automotive to agi le startups bui lding SAAS and eCommerce solutions -highlighted a rich variety of privacy priorities across different verticals.

Stakeholders were drawn from a broad cross-section of roles and responsibi l ities, for example: General Counsel, Privacy Teams and GRC Officers, Development Teams, Project Managers, and IT Security Team members. In most cases, we had a single point of contact for a given company but in some cases, we spoke to multiple stakeholders across different departments.

* Some companies provided responses from more than one stakeholder group.

We wanted to speak to companies across various stages of the growth life cycle. We grouped using standard Tech Sector classif ications, but it ’s important to note we didn’t speak only to Tech companies - many of the companies who spoke with us were from legacy Industrial, Retai l, and Manufacturing sectors.

As the scale of challenge posed by privacy compliance is strongly inf luenced by headcount, we also wanted to make sure we were speaking with companies over a large sample variance in team size.

We bui lt our respondent sample with the goal of obtaining the maximum variety of perspectives. Our group was drawn from a mixture of existing clients, discovery partners, industry connections, and respondents to personal reach-outs from our research team.


$3.6M

$490K$240K

Growth LargeStartup

Privacy Budget

Assessed average annual privacy compliance budget by organization l ife stage.

The above graphic is a visualization to give a sense of budgets that companies devote to privacy depending on life cycle stage. The numbers in the center are not averages, rather median approximations to provide a ballpark measure for each of the l ife cycle stages.In practice we found that some “Startups” spend comfortably into six f igures on privacy compliance, but many also devote exactly zero dollars to the task. Whereas in the “Large”

A different way to visualize this data is to group the companies surveyed into buckets by range of privacy budget. The takeaway here is that whi le only 8% of those surveyed spend less than $50k annually, over 50% of the companies we spoke with have an annual privacy budget greater than $100k.

category, there is considerable top-side variance to budgets; the world’s biggest companies are spending signif icantly more the 3.6 mill ion per year on privacy (One recent PWC audit estimated Fortune 500 Privacy budgets extending up to $100 mill ion annually).

$0-$50k

$50-$100k

$100-$250k

$250k-$1M

$1M+

17%

8%

22%

19%

34%

$100 - $250k

Concentration split based on total budget for Privacy.


Regulatory FocusWith impending privacy regulation roll ing out in multiple global markets, we wanted to see the markets that were capturing our respondents’ attention. Unsurprisingly, Europe and California were reported as a focus by all polled. There was l imited attention being given to some of the less-publicized privacy territories, suggesting that many respondents are thinking about compliance in a region-specif ic manner.

CCPAGDPR

PIPEDA

OTHER

LGPD

PPB

PIPA

POPI

JAA

100% 100%

10%

70%

12%

12%

0%

0%

0%


40%

20%

10%

0%

30%

Shared (Legal & IT)

Legal IT Security Unassigned

25%

0%

38%

12%

25%

Software Budget

Allocation of budget by business unit for privacy technology solutions.

Budget jointly held by IT orLegal/Compliance.

Startups had not made budgetaryallocation for privacy technology.

Across respondents, we note that a variety of decision-makers control the purse strings for privacy spending. The most common scenario is that procurement decisions wi ll be made by a group featuring a mix of legal and IT team members. However, it ’s also common to see privacy-related budget controlled solely by IT departments.

Striking in these results is the fact that a higher portion of respondents had privacy budgets “Unassigned” compared to having a dedicated security team to oversee Privacy spending. Another piece of context worth noting is that budget control inf luences the nature of privacy spending.

We observe that, due to the differing nature of their concerns, legal teams tend to be more concerned with reporting and transparency whereas IT teams emphasize frictionless integration into workflow. These priorities can lead to hugely varying points of emphasis in the privacy solutions that different companies implement.

01

02

Key Takeaways :


A large majority of respondents resources and managed privacy completely internally. This isn’t surprising, but combined with the knowledge that few of these companies have dedicated Security teams, it ’s somewhat concerning. A smaller portion outsourced at least some of their compliance operations to external providers.

Larger companies are more l ikely to have dedicated privacy practitioners. It ’s worth bearing in mind that the data thresholds for being subject to GDPR and CCPA regulations are relatively low. In our anecdotal observation, many companies with no dedicated privacy practitioner would exceed the thresholds for both pieces of legislation.

Manual remediation is sti l l the dominant mode for handling privacy operations. Though the number of companies incorporating some software assistance into their operations is growing, the achievement of fully automated privacy operations is, for now not possible, due to both technological and organizational constraints.

These are self-reported estimates from our respondents. The neat picture presented here belies the variety of responses we received when the question was posed verbally, but when forced to chose between 3, 6, and 12 months, most respondents felt comfortable selecting the 3-month window.

Resourcing & Readiness

Identifying the most common approaches to privacy operations.

Assigning responsibi l ity and readiness timelines.

How do you currently resource & manage Privacy?

“We’ve bui lt manual solutions in-house to have the minimum compliance in the case of a regulator checking”

- Growth Stage GC

Representation of companieswith dedicated privacypractitioner.

Is this manual, software systems or both?

Average timeline to readiness(i.e. internal definition ofcompliant)

Internally

Externally

Both

0% 25% 50% 75% 100%

75%

0%

Manual

Software

Both

0% 25% 50% 75% 100%

75%

0%

25% 25%

Startups

Growth

Enterprise

0% 25% 50% 75% 100%

38%

0%

84%

3 Mths

6 Mths

12 Mths

0% 25% 50% 75% 100%

60%

12%

28%


As demonstrated in previous visuals, startups in general are least l ikely to have formalized data privacy resources and processes. Given that overall low level of priority, we see that they tend to pay closest attention to the “consumer-facing” aspects of privacy compliance. Data Subject Requests in particular are afforded highest priority in the startup category.

“We care about privacy and hired a legal f irm to be bare minimum GDPR compliant however aware that we are not fully compliant”- Startup CEO

“Immediate goal is to be 80% compliant to cover the highest risk obligations” - Growth Stage GC

“We were ok to resolve most GDPR requirements manually but in parallel we’re also looking to what parts can be automated as we prepare for CCPA - I foresee the data governance being sliced up and decentralized due to the size of our organization”- Enterprise Sr. Privacy Practitioner

Businesses at the growth stage of the l ife cycle are beginning to think more holistically about scaling their data operations. In particular we began to see attention paid to Data Protection Impact Assessment (DPIA), a measure is a distinctly long-term, process-driven component of good privacy practice.

Whereas startups want to move quickly, large organizations have no choice but to move slowly and pay more attention to the deeper parts of privacy compliance. Data Minimization is a particularly challenging task for large organizations, who often have vast, disparate stores of data with l ittle way to coordinate access and permissions in a streamlined fashion.

Priorities

Prioritization of compliance obligations.

0% 25% 50% 75% 100%

75%

95%

50%

50%

0%

0%

0% 25% 50% 75% 100%

80%

80%

30%

30%

0%

30%

0% 25% 50% 75% 100%

80%

80%

40%

40%

80%

40%

Data Mapping

DSR

Consent Management

Right to Object

Data Minimization

DPIA (Risk Assessment)

Data Mapping

DSR

Consent Management

Right to Object

Data Minimization


Data Mapping

DSR

Consent Management

Right to Object

Data Minimization


0% 25% 50% 75% 100%

75%

95%

50%

50%

0%

0%

0% 25% 50% 75% 100%

80%

80%

30%

30%

0%

30%

0% 25% 50% 75% 100%

80%

80%

40%

40%

80%

40%

Data Mapping

DSR

Consent Management

Right to Object

Data Minimization


Data Mapping

DSR

Consent Management

Right to Object

Data Minimization


Data Mapping

DSR

Consent Management

Right to Object

Data Minimization


0% 25% 50% 75% 100%

75%

95%

50%

50%

0%

0%

0% 25% 50% 75% 100%

80%

80%

30%

30%

0%

30%

0% 25% 50% 75% 100%

80%

80%

40%

40%

80%

40%

Data Mapping

DSR

Consent Management

Right to Object

Data Minimization


Data Mapping

DSR

Consent Management

Right to Object

Data Minimization


Data Mapping

DSR

Consent Management

Right to Object

Data Minimization


Startup

Growth

Enterprise


The most notable point about the startups we spoke was that none of them have yet implemented privacy infrastructure, although many were triall ing solutions during the time we were speaking with them. It ’s well-documented that privacy concerns among start-ups tend to be swallowed by the need to move fast and grow rapidly. In terms of expressed priorities, these companies are focused mostly on “consumer-facing” types of privacy practice, i .e. DSRs, whi le paying less heed to the deeper structural practices necessary to make a business compliant at scale.

Growth-stage companies tend to be more advanced in the way they are thinking about privacy. Due to increased head count, larger customer base, and the beginnings of well-developed CSR culture, they ’re much more l ikely to have deployed certain pieces of privacy infrastructure and begun thinking about the more challenging deep structural privacy operations that are foundational for long-term success.

Most large organizations have implemented some form of dedicated privacy tech solutions, and intend to purchase more. Additionally, their size and comparative high profi le necessitates that they think proactively about issues l ike Data Minimization and DPIA in a way that smaller enterprises do not.

Future Planning

Privacy related planning and procurement schedules.

Startup

Growth

Enterprise

DM DSR Consent Object

95%89%89%86%

5%11%11%

14%

Purchased, Tested & ImplementedPurchased, Proof of Concept PhasePlanning to Purchase


80%68%71%73%

8%

19%13%9%

12%13%16%18%



68%67%66%57%

14%12%11%

17%

18%21%23%

26%



95%89%89%86%

5%11%11%

14%



80%68%71%73%

8%

19%13%9%

12%13%16%18%



68%67%66%57%

14%12%11%

17%

18%21%23%

26%



95%89%89%86%

5%11%11%

14%



80%68%71%73%

8%

19%13%9%

12%13%16%18%



68%67%66%57%

14%12%11%

17%

18%21%23%

26%


The below chart shows how companies at each stage of the l ife cycle are thinking about investment in privacy solutions. The priorities and stage of privacy infrastructure development show strong trends according to the growth stage of the company.


DSR & DPIA Processing Timeline

Volumes, method and resourcing for DSR.

Timeline, method and resourcing for DPIA.

No Process

0-7 Days

8-30 Days

1-3 Months

3+ Months

0% 10% 20% 30% 40% 50%

57%

10%

16%

7%

16%

94%

6% 0-5

23%

10%

35%

32%

6-15 16-60 61+

Timeline Method Resourcing

DSR volume, method, and process-time paints a very indicative picture of just how robust a business’s data operations are. Among our 85 respondents, 58% were dealing with over 1000 DSR’s per year. Though only 13% were processing these requests entirely manually, “Technology” can mean something as basic as having a custom

A DPIA is a crucial component of long-term compliance in data operations. DPIA’s have been to date de-prioritized due to the perception that they are high-effort, low-immediate reward. This is borne out by the numbers. 57% of respondents had no set process in place for a DPIA, and relatedly, 94% of DPIAs are handled entirely

Number Eng. or Data resources fully or partial-ly focused on privacy compliance obligations.

Collective resource power to resolve DSRs

script that a person runs manually to retrieve data records - it doesn’t suggest full automation. This makes sense as the median processing time for DSR response is over 2 weeks.

manually. The result is that they can be hugely resource intensive: 10% of respondents said that a DPIA would touch the desks of over 60 staff from start to f inish.

0-100

11-100

101-1000

1001-3000

3001-6000

6001+

0% 10% 20% 30% 40% 50%

8%

13%

Manual

Technology

0-15

23%

10%

35%

32%

16-30 31-50 50+87%

16%

34%

21%

16%

5%

DSR Volumes Over 12 Months Method Resourcing

15

Number of engineering or data resources fully or partially focused on resolving privacy compliance related requirements.

The below visualization demonstrates that privacy touches many team members in the modern business. While these numbers do not represent FTEs, it ’s striking to see that 10% of respondents have over 60 staff involved in privacy-related work. Anecdotally our respondents described a huge variety of privacy-related org charts - from one overworked DPO to 3-5 FTEs handling only DSR’s.

Engineering & Data Resources

10%

35%

32%

23%

0-5

6-15

16-60

61+


Mapping

DSR &Consent

Data Minimization

DPIA

CI/CD

Resource

Compliance

Lead Time

Mapping

DSR &Consent

Data Minimization

DPIA

CI/CD

Resource

Compliance

Lead Time

Solution Radar

Analysis of solutions across complianceand operational dimensions.

We looked at f ive different solutions for data compliance and evaluated them across a set of criteria. Each solution was scored for its abi l ity to satisfy the criteria, which l ine up closely with the data goals an organization should have if it wishes to achieve best-practice data operations, as well as regulatory compliance.

The gamut of solutions evaluated stretch from entirely manual remediation (zero automated elements) to full-f ledged privacy infrastructure and development tools (almost fully automated with minimized human oversight).

The radar visualizes each solution’s eff icacy on a multi-axis radar chart to provide quick insight into the comparative strengths and weaknesses of a given method.

*Please note: the diagram to the right is for i l lustrative purposes only and does not contain actual response data.

Manual Remediation

Internal Tools

Privacy Workflow Tools

Privacy Ops Tools

Privacy Infra & dev Tools


Dimensional Criteria

Analysis criteria for each major dimension.

Mapping• Completeness: How comprehensively did the

solution chart the business infrastructure? How confident were the practitioners in their schema?

• Readiness: How long did it take for the mapping to be completed?

• Manual vs. Automated: How much of the ongoing mapping processes could be done automatically?

DSR & Consent• Accuracy: How accurate was the response

generated by these processes?• Execution Speed: How quickly could a response

be delivered?• Manual vs Automated: How much of the

process could be done automatically?

Data Minimization• Granularity : How f inely-grained is the control

that the solution grants to data access• Operating Cost: What does it take to keep the

solution running?• Complexity of Ops: How eff iciently does the

solution run and how much of the process can be run automatically?

DPIA• Integration Friction: How seamlessly does the

solution integrate into existing workflows?• Complexity of Ops: How eff iciently does the

solution run and how much of the process can be run automatically?

• Execution Speed: How quickly can a DPIA be completed?

CI/CD• Friction: How close is the solution to

preserving true CI/CD process?• Manual or Technology: How much of the

solution can be run automatically? • Governance & Policy : How close does the

solution come to true policy compliance?

Resource• Cost, Training, Internal vs External: These were

tall ied into a cumulative rating for the amount of resource each solution consumed internally.

Lead Time• Speed: Overall time for each solution to be

implemented across a business

Compliance• Level Compliance: What is the level of

compliance that the solution achieves upon implementation?

• Future Support: What is the solution’s suitabi l ity to be an ongoing, future-proofed solve for compliance?

• Ongoing Resource: Once the solution is implemented, what is the ongoing resource to achieved continued compliance?

• Completeness

• Readiness

• Manual vs. Automated

• Granularity

• Operating Cost

• Complexity of Ops

• Accuracy

• Execution Speed

• Manual vs. Automated

• Integration Friction

• Complexity of Ops

• Execution Speed

• Cost

• Training

• Internal & External

• Level Compliance

• Future Support

• Ongoing Resource

• Friction

• Manual or Technology

• Governance & Policy

• Time to ‘readiness’

Mapping Data Minimization

DSR & Consent DPIA Resource Compliance

CI/CD Lead Time


Mapping

DSR &Consent

Data Minimization

DPIA

CI/CD

Resource

Compliance

Lead Time 49

Manual Remediation

Audits of data stores, business processes. Creation of scripts and runbooks for DSR. Consents manually audited and con-solidated and increased granularity in RBAC/CASBE for data access with continuous assessment of process.

This solution, as indicated in previous visuals, is often the solution of least resistance for teams that don’t have cross-disciplinary buy-in for data compliance investment. There are certain advantages to manual remediation beyond the obvious; because it requires real man-hours to execute, team members in this set-up often show comparatively strong knowledge and awareness of data privacy practices, as there’s no computer behind them to pick up the slack. That said, any manual system poses huge friction challenges for any data and engineering functions within a business. As previously noted, for most teams using this solution, important exercises l ike DPIAs are simply not feasible.

Lower lead-time to ‘readiness’.

High ongoing internal resource allocation.

Increased friction for data and eng. functions.

01

02

03

Key Takeaways :


Mapping

DSR &Consent

Data Minimization

DPIA

CI/CD

Resource

Compliance

Lead Time 50

Internal Tools

Audit of existing systems. Develop own specif ication against policy requirements to bui ld, deploy, monitor, and maintain owned privacy product. Augmented by manual policy remediation where necessary.

Investment into a set of internal data privacy tools makes an important f irst step towards eff iciency in private operations. Scripts and custom tools are most often developed after a bespoke internal effort to identify and solve for bottlenecks in data processes. This means slightly longer lead time and cost for implementation with the payoff that some previously time-consuming processes around mapping, DSR, and consent become streamlined. For the most part, however, those eff iciencies do not extend into the more foundational aspects of CI/CD or DPIA processes.

Higher lead time to initial ‘readiness’

Lower manual resource; higher cost of maintenance.

Continued manual CI/CD process and compliance.

01

02

03

Key Takeaways :


Mapping

DSR &Consent

Data Minimization

DPIA

CI/CD

Resource

Compliance

Lead Time 42

Privacy Workflow Tools

Workflow management tools for monitoring compliance, readiness, conducting assessments, producing audit trai ls and reports of ongoing privacy policy and processing activities. Simi lar to SOC readiness workflow tools.

Lower lead time to initial ‘readiness’

Lower manual resource; high ongoing maintenance.

Continued manual CI/CD process and compliance.

Workflow management tools allow rapid initial setup through a series of self-assessment questionnaires and readiness plans. These preprepared templates are suitable to accelerate manual efforts for data mapping and operationalizing DSR management but do not remove the need for extensive manual remediation.

Ultimately this results in rapid relative compliance for certain operations l ike mapping and DSR, but the high resource requirements persist. Existing workflow tools offer low ongoing support for other data operations.

01

02

03

Key Takeaways :


Mapping

DSR &Consent

Data Minimization

DPIA

CI/CD

Resource

Compliance

Lead Time 31

Privacy Ops Tools

Privacy operations tools currently exist in categories of data discovery/mapping. DSR collection and management, consent monitoring, management and overall reporting.

Supports narrow set of privacy obligations.

Low resource requirements for specif ic obligations.

No support for go-forward data & eng. privacy.

Privacy Operations tools support ongoing operational tasks l ike data mapping and DSR management, and also offer automated data discovery for inventory mapping and automated data retrieval from known data stores. However, these automated tools have narrow use cases and are suitable for only those two compliance obligations.

These tools signif icantly reduce the resource requirements, with a moderate lead time to compliance in their respective categories. However overall compliance remains low if this is the only approach uti l ized, as current tools focus on only a narrow subset of data privacy issues.

01

02

03

Key Takeaways :


Mapping

DSR &Consent

Data Minimization

DPIA

CI/CD

Resource

Compliance

Lead Time 71

Privacy Infra & Dev Tools

Infrastructure middleware or core privacy applications deployed as part of overall data and eng. operations. Analogous to security tools providing support for specif ic privacy operations and ongoing compliance obligations.

Intensive upfront deployment process.

Policy & governance as part of CI/CD workflow.

High degree of compliance for all obligations.

Infrastructure solutions to data privacy insert privacy directives and governance and business rules within technology systems. This provides for high degrees of data privacy compliance across major tasks, along with low to moderate ongoing internal resource requirements. This approach has greatest lead time to full deployment, given its requirement for deployment, training and technical management. However once the lead-time ramp is overcome, the ongoing cost, resource and degree of compliance surpasses combinations of other options. It ’s a case larger upfront investment for greater long-term return.

01

02

03

Key Takeaways :


Insights & Conclusion

Allocation of budget by business unit for privacy technology solutions.

We embarked on this exercise to understand the different ways businesses are solving for privacy compliance, understand the tradeoffs between different solutions, and the particular obstacles that constrain success for a given solution. Among our 85 respondents, no two approaches to solving privacy compliance were the same. But there were some common threads and trends that we note below:

First, there’s a prevai l ing sense that organizations fall short of a state of privacy compliance. Only 12% of our respondents believed they had achieved an adequate state of compliance/readiness for the emerging regulated privacy landscape. This low number shouldn’t be surprising. Regulatory compliance in any domain doesn’t happen the moment legislation comes into effect. Rather it ’s a process that’s heavi ly inf luenced by the obstacles to adoption.

Companies are running out of time to tackle these obstacles. It ’s indisputable that incidents of GDPR enforcement wi ll continue to rise as citizens and regulators f ind their footing with the new legislation. The CCPA’s implementation in 2020 may follow a simi lar path with enforcement bui lding slowly over an initial period, then reaching a more active maturity. The trend toward enforcement should be

concerning, since we found that basic data mapping is sti l l the greatest concern for early-stage companies. An inabi l ity to get a handle on this core exercise makes it impossible to f i l l any of the higher-level compliance prescriptions with any certainty.

For example, it ’s impossible to know a DSR has been addressed comprehensively without certainty that the company data map is comprehensive and exhaustive.

Relatedly, more than 70% of companies in this study had no engineering solution to policy compliance. In other words, to the extent that these companies practice compliance, they rely heavi ly on man-hours and retrofitted processes to do the work. Of course, there are degrees of manual remediation, and many of these teams have adopted at least a set of workflow tools in attempts to increase eff iciency. While workflow tools offer the shortest lead time to readiness of all software solutions, they are a poor go-forward solution because they don’t solve for privacy compliance at a deep enough level to allow the organization to bui ld eff icient new data structures atop them. Furthermore, despite mandates for compliance there is no code-based workflow for CI/CD and data ops. In practice this means

that exercises required by law, for example DPIAs, are undertaken rarely or not at all , which hurts the long term-chances of bui lding a data privacy compliant business. There’s not a clear path to solving this dissonant state of affairs unless organizations commit to a deeper reassessment of their processes and protocols. To this end, dedicated Privacy Infrastructure has the longest deployment and lead time, but promotes the highest level of compliance and the lowest amount of long-term friction for CI/CD and data ops. While the investment can prove a challenging sell to those outside the cut and thrust of dai ly privacy operations, we continue to believe that only through deep and meaningful structural change can businesses bui ld a data operations for the coming decade and beyond.

ethyca.com

For a free consultation about your privacy compliance needs, contact the Ethyca team:

email: [email protected] phone: +1 917-830-3336

https://ethyca.com

mailto:survey%40ethyca.com?subject=Ethyca%202019%20Privacy%20Analysis%20Free%20Consultation%20Request

2019 privacy analysis - ethyca€¦ · data-driven systems. we wanted to share what we’ve learned...

Documents