2019 Privacy Analysis
Approaches to Data Privacy Compliance
Ethyca 2019 Privacy Analysis 2
2019 Privacy Analysis
Every year at Ethyca we speak to experts, customers, decision makers and competitors to learn how we can increase trust in data-driven systems.
We wanted to share what we’ve learned with you.
Cillian Kieran, CEO, Ethyca Inc.
For a free consultation about your privacy compliance needs, contact the Ethyca team:
email: [email protected] phone: +1 917-830-3336
The World Has Changed
Tech & Data has become a highly regulated industry, like finance, healthcare, transport and telecommunications.
Regulations in view: CCPA, FED, LGPD, POPI, PPB, APP, APPI, PIPEDA, GDPR.
“In a time of drastic change it is the learners who inherit the future. The learned usually find themselves equipped to live in a world that no longer exists.”
~ Eric Hoffer
Contents
2019 Privacy Analysis
Who We Spoke To
Privacy Budget
Regulatory Focus
Software Budget
Resourcing & Readiness
Priorities
Future Planning
DSR & DPIA Processing Timeline
Engineering & Data Resources
Solution Radar
Dimensional Criteria
Manual Remediation
Internal Tools
Privacy Workflow Tools
Privacy Ops Tools
Privacy Infra & Dev Tools
Insights & Conclusion
2019 Privacy Analysis
Objective: Examine privacy compliance methodologies across multiple dimensions to identify the most effective approaches to scalable compliance.
Dimensions examined: Compliance Stage, Timeline, Method, Budget, Stakeholders, Industry Verticals.
In 2019, discussion about privacy and compliance is everywhere. In the news, on social media, in the boardroom and at the water cooler. Everyone seems to agree that it’s a key challenge to enterprises of all shapes and sizes. But no one agrees on how best to tackle it.
The nature of the privacy problem for business is unique for a number of reasons, but to sum up: most decision-makers have difficulty understanding the true costs and the true benefits of compliance-related efforts. On the cost side, there’s uncertainty around everything from resource to lead-time to infrastructure overhaul. On the benefit side, it can be difficult to understand upfront how meaningfully a given effort will improve efficiency, reporting, or actual level of compliance.
To understand the magnitude of the privacy compliance challenge, we spoke to a large group of business stakeholders, 85 to be exact, who are all trying to deal with it. They represent a cross-section of industries, company sizes, and approaches.
Our objective was to understand the different ways businesses are solving for privacy compliance, and understand which ways are proving most effective. We also wanted to grasp the tradeoffs businesses face in choosing between different privacy solutions, and the particular obstacles that constrain success for a given solution. Lastly, we wanted to understand just how much attention organizations are paying to privacy. How does the amount of privacy-devoted resource vary by business size? How many businesses are content to simply manage risk and expend little to no effort on bringing their privacy infrastructure up to code? We found an interesting array of answers to each of these questions, and share them all here, along with key insights and takeaways yielded by our research.
Our hope is that this document will help lend some clarity to the cost-benefit privacy compliance discussions that are taking place within businesses all over the United States, and indeed the world. It’s the distilled product of long hours spent gathering, standardizing, and analyzing valuable information from those on the front lines of the issue, and the result is learnings that can be applied to the many real privacy challenges businesses face today.
In short, we hope this document helps inform your discussions in the same way that it’s helped inform ours, and ultimately empowers your organization to practice better decision-making around data privacy compliance.
Who We Spoke To
Surveying a breadth of sectors - from legacy industrial enterprises in manufacturing and automotive to agile startups building SaaS and eCommerce solutions - highlighted a rich variety of privacy priorities across different verticals.
Stakeholders were drawn from a broad cross-section of roles and responsibilities, for example: General Counsel, Privacy Teams and GRC Officers, Development Teams, Project Managers, and IT Security Team members. In most cases, we had a single point of contact for a given company but in some cases, we spoke to multiple stakeholders across different departments.
We wanted to speak to companies across various stages of the growth life cycle. We grouped using standard Tech Sector classifications, but it’s important to note we didn’t speak only to Tech companies - many of the companies who spoke with us were from legacy Industrial, Retail, and Manufacturing sectors.
As the scale of challenge posed by privacy compliance is strongly influenced by headcount, we also wanted to make sure we were speaking with companies over a large sample variance in team size.
We built our respondent sample with the goal of obtaining the maximum variety of perspectives. Our group was drawn from a mixture of existing clients, discovery partners, industry connections, and respondents to personal reach-outs from our research team.
Sample size: 85 companies across industry verticals.
Industry: Automotive, eCommerce, Manufacturing, Marketplace, Marketing, SaaS, Platform, Ad Tech / Data Sales.
Surveyed Stakeholders (survey conducted across all major responsible stakeholders for privacy compliance): CISO 48%, General Counsel 23%, Privacy Team 43%, Lead Eng. 15%.*
* Some companies provided responses from more than one stakeholder group, so the stakeholder shares add up to more than 100%.
Company Life Stage (companies assessed by life stage): Startup 25%, Growth 40%, Large 30%.
Company Scale (companies represented by headcount): 0-99 12%, 100-199 18%, 200-499 43%, 500+ 27%.
Privacy Budget
Assessed annual privacy compliance budget by organization life stage (median approximations): Startup $240K, Growth $490K, Large $3.6M.
These figures are a visualization to give a sense of budgets that companies devote to privacy depending on life cycle stage. The numbers are not averages, rather median approximations to provide a ballpark measure for each of the life cycle stages. In practice we found that some “Startups” spend comfortably into six figures on privacy compliance, but many also devote exactly zero dollars to the task. Whereas in the “Large” category, there is considerable top-side variance to budgets; the world’s biggest companies are spending significantly more than $3.6 million per year on privacy (one recent PwC audit estimated Fortune 500 privacy budgets extending up to $100 million annually).
A different way to visualize this data is to group the companies surveyed into buckets by range of privacy budget. The takeaway here is that while only 8% of those surveyed spend less than $50k annually, over 50% of the companies we spoke with have an annual privacy budget greater than $100k.
Concentration split based on total budget for privacy, by bucket: $0-$50k, $50-$100k, $100-$250k, $250k-$1M, $1M+ (reported shares 17%, 8%, 22%, 19%, 34%).
Regulatory Focus
With impending privacy regulation rolling out in multiple global markets, we wanted to see the markets that were capturing our respondents’ attention. Unsurprisingly, Europe and California were reported as a focus by all polled. There was limited attention being given to some of the less-publicized privacy territories, suggesting that many respondents are thinking about compliance in a region-specific manner.
Share of respondents reporting each regulation as a focus: CCPA 100%, GDPR 100%, PIPEDA 10%, Other 70%, LGPD 12%, PPB 12%, PIPA 0%, POPI 0%, JAA 0%.
Software Budget
Allocation of budget by business unit for privacy technology solutions.
Across respondents, we note that a variety of decision-makers control the purse strings for privacy spending. The most common scenario is that procurement decisions will be made by a group featuring a mix of legal and IT team members. However, it’s also common to see privacy-related budget controlled solely by IT departments.
Striking in these results is the fact that a higher portion of respondents had privacy budgets “Unassigned” compared to having a dedicated security team to oversee privacy spending. Another piece of context worth noting is that budget control influences the nature of privacy spending.
We observe that, due to the differing nature of their concerns, legal teams tend to be more concerned with reporting and transparency whereas IT teams emphasize frictionless integration into workflow. These priorities can lead to hugely varying points of emphasis in the privacy solutions that different companies implement.
Budget holder for privacy technology: Shared (Legal & IT), Legal, IT, Security, Unassigned; reported shares 25%, 0%, 38%, 12%, 25%.
Key Takeaways:
01 Budget jointly held by IT or Legal/Compliance.
02 Startups had not made budgetary allocation for privacy technology.
Resourcing & Readiness
Identifying the most common approaches to privacy operations. Assigning responsibility and readiness timelines.
A large majority of respondents resourced and managed privacy completely internally. This isn’t surprising, but combined with the knowledge that few of these companies have dedicated Security teams, it’s somewhat concerning. A smaller portion outsourced at least some of their compliance operations to external providers.
Larger companies are more likely to have dedicated privacy practitioners. It’s worth bearing in mind that the data thresholds for being subject to GDPR and CCPA regulations are relatively low. In our anecdotal observation, many companies with no dedicated privacy practitioner would exceed the thresholds for both pieces of legislation.
Manual remediation is still the dominant mode for handling privacy operations. Though the number of companies incorporating some software assistance into their operations is growing, the achievement of fully automated privacy operations is, for now, not possible, due to both technological and organizational constraints.
The readiness timelines are self-reported estimates from our respondents. The neat picture presented here belies the variety of responses we received when the question was posed verbally, but when forced to choose between 3, 6, and 12 months, most respondents felt comfortable selecting the 3-month window.
“We’ve built manual solutions in-house to have the minimum compliance in the case of a regulator checking”
- Growth Stage GC
How do you currently resource & manage privacy? Internally 75%, Externally 0%, Both 25%.
Is this manual, software systems or both? Manual 75%, Software 0%, Both 25%.
Representation of companies with a dedicated privacy practitioner, by stage (Startups, Growth, Enterprise): reported values 38%, 0%, 84%.
Average timeline to readiness (i.e. internal definition of compliant): 3 months 60%, 6 months 12%, 12 months 28%.
Priorities
Prioritization of compliance obligations.
Share of respondents prioritizing each obligation, by company stage:
Obligation             | Startup | Growth | Enterprise
Data Mapping           | 75%     | 80%    | 80%
DSR                    | 95%     | 80%    | 80%
Consent Management     | 50%     | 30%    | 40%
Right to Object        | 50%     | 30%    | 40%
Data Minimization      | 0%      | 0%     | 80%
DPIA (Risk Assessment) | 0%      | 30%    | 40%
As demonstrated in previous visuals, startups in general are least likely to have formalized data privacy resources and processes. Given that overall low level of priority, we see that they tend to pay closest attention to the “consumer-facing” aspects of privacy compliance. Data Subject Requests in particular are afforded highest priority in the startup category.
Businesses at the growth stage of the life cycle are beginning to think more holistically about scaling their data operations. In particular we began to see attention paid to Data Protection Impact Assessment (DPIA), a measure that is a distinctly long-term, process-driven component of good privacy practice.
Whereas startups want to move quickly, large organizations have no choice but to move slowly and pay more attention to the deeper parts of privacy compliance. Data Minimization is a particularly challenging task for large organizations, who often have vast, disparate stores of data with little way to coordinate access and permissions in a streamlined fashion.
“We care about privacy and hired a legal firm to be bare minimum GDPR compliant however aware that we are not fully compliant”
- Startup CEO
“Immediate goal is to be 80% compliant to cover the highest risk obligations”
- Growth Stage GC
“We were ok to resolve most GDPR requirements manually but in parallel we’re also looking to what parts can be automated as we prepare for CCPA - I foresee the data governance being sliced up and decentralized due to the size of our organization”
- Enterprise Sr. Privacy Practitioner
Future Planning
Privacy related planning and procurement schedules.
The chart below shows how companies at each stage of the life cycle are thinking about investment in privacy solutions. The priorities and stage of privacy infrastructure development show strong trends according to the growth stage of the company.
Status of privacy solutions by obligation and company stage (DM = Data Mapping, DSR = Data Subject Requests, Consent = Consent Management, Object = Right to Object):
Startup                           | DM  | DSR | Consent | Object
Planning to Purchase              | 95% | 89% | 89%     | 86%
Purchased, Proof of Concept Phase | 5%  | 11% | 11%     | 14%
Purchased, Tested & Implemented   | 0%  | 0%  | 0%      | 0%
Growth                            | DM  | DSR | Consent | Object
Planning to Purchase              | 80% | 68% | 71%     | 73%
Purchased, Proof of Concept Phase | 8%  | 19% | 13%     | 9%
Purchased, Tested & Implemented   | 12% | 13% | 16%     | 18%
Enterprise                        | DM  | DSR | Consent | Object
Planning to Purchase              | 68% | 67% | 66%     | 57%
Purchased, Proof of Concept Phase | 14% | 12% | 11%     | 17%
Purchased, Tested & Implemented   | 18% | 21% | 23%     | 26%
The most notable point about the startups we spoke to was that none of them have yet implemented privacy infrastructure, although many were trialling solutions during the time we were speaking with them. It’s well-documented that privacy concerns among start-ups tend to be swallowed by the need to move fast and grow rapidly. In terms of expressed priorities, these companies are focused mostly on “consumer-facing” types of privacy practice, i.e. DSRs, while paying less heed to the deeper structural practices necessary to make a business compliant at scale.
Growth-stage companies tend to be more advanced in the way they are thinking about privacy. Due to increased head count, larger customer base, and the beginnings of well-developed CSR culture, they’re much more likely to have deployed certain pieces of privacy infrastructure and begun thinking about the more challenging deep structural privacy operations that are foundational for long-term success.
Most large organizations have implemented some form of dedicated privacy tech solutions, and intend to purchase more. Additionally, their size and comparatively high profile necessitates that they think proactively about issues like Data Minimization and DPIA in a way that smaller enterprises do not.
DSR & DPIA Processing Timeline
Volumes, method and resourcing for DSR. Timeline, method and resourcing for DPIA.
DSR volume, method, and process-time paint a very indicative picture of just how robust a business’s data operations are. Among our 85 respondents, 58% were dealing with over 1000 DSRs per year. Though only 13% were processing these requests entirely manually, “Technology” can mean something as basic as having a custom script that a person runs manually to retrieve data records - it doesn’t suggest full automation. This makes sense as the median processing time for DSR response is over 2 weeks.
A DPIA is a crucial component of long-term compliance in data operations. DPIAs have to date been de-prioritized due to the perception that they are high-effort, low-immediate reward. This is borne out by the numbers. 57% of respondents had no set process in place for a DPIA, and relatedly, 94% of DPIAs are handled entirely manually. The result is that they can be hugely resource intensive: 10% of respondents said that a DPIA would touch the desks of over 60 staff from start to finish.
DSR volumes over 12 months: buckets 0-10, 11-100, 101-1000, 1001-3000, 3001-6000, 6001+; reported shares 8%, 16%, 34%, 21%, 16%, 5% (58% of respondents handle more than 1000 per year).
DSR method: Manual 13%, Technology 87%.
DSR resourcing (collective resource power to resolve DSRs, number of people): 0-15, 16-30, 31-50, 50+; reported shares 23%, 10%, 35%, 32%.
DPIA timeline: No Process 57%, 0-7 Days 10%, 8-30 Days 16%, 1-3 Months 7%, 3+ Months 16%.
DPIA method: Manual 94%, Technology 6%.
DPIA resourcing (number of engineering or data resources fully or partially focused on privacy compliance obligations): 0-5, 6-15, 16-60, 61+; reported shares 23%, 10%, 35%, 32%, with 10% of respondents in the 61+ bucket.
Engineering & Data Resources
Number of engineering or data resources fully or partially focused on resolving privacy compliance related requirements.
The visualization below demonstrates that privacy touches many team members in the modern business. While these numbers do not represent FTEs, it’s striking to see that 10% of respondents have over 60 staff involved in privacy-related work. Anecdotally our respondents described a huge variety of privacy-related org charts - from one overworked DPO to 3-5 FTEs handling only DSRs.
Staff involved in privacy-related work: 0-5, 6-15, 16-60, 61+; reported shares 10%, 35%, 32%, 23%, with 10% of respondents in the 61+ bucket.
Solution Radar
Analysis of solutions across compliance and operational dimensions.
We looked at five different solutions for data compliance and evaluated them across a set of criteria. Each solution was scored for its ability to satisfy the criteria, which line up closely with the data goals an organization should have if it wishes to achieve best-practice data operations, as well as regulatory compliance.
The gamut of solutions evaluated stretches from entirely manual remediation (zero automated elements) to full-fledged privacy infrastructure and development tools (almost fully automated with minimized human oversight).
The radar visualizes each solution’s efficacy on a multi-axis radar chart to provide quick insight into the comparative strengths and weaknesses of a given method.
*Please note: the radar diagram is for illustrative purposes only and does not contain actual response data.
Radar axes: Mapping, DSR & Consent, Data Minimization, DPIA, CI/CD, Resource, Compliance, Lead Time.
Solutions evaluated: Manual Remediation, Internal Tools, Privacy Workflow Tools, Privacy Ops Tools, Privacy Infra & Dev Tools.
Dimensional Criteria
Analysis criteria for each major dimension.
Mapping
• Completeness: How comprehensively did the solution chart the business infrastructure? How confident were the practitioners in their schema?
• Readiness: How long did it take for the mapping to be completed?
• Manual vs. Automated: How much of the ongoing mapping processes could be done automatically?
DSR & Consent
• Accuracy: How accurate was the response generated by these processes?
• Execution Speed: How quickly could a response be delivered?
• Manual vs. Automated: How much of the process could be done automatically?
Data Minimization
• Granularity: How finely-grained is the control that the solution grants to data access?
• Operating Cost: What does it take to keep the solution running?
• Complexity of Ops: How efficiently does the solution run and how much of the process can be run automatically?
DPIA
• Integration Friction: How seamlessly does the solution integrate into existing workflows?
• Complexity of Ops: How efficiently does the solution run and how much of the process can be run automatically?
• Execution Speed: How quickly can a DPIA be completed?
CI/CD
• Friction: How close is the solution to preserving a true CI/CD process?
• Manual or Technology: How much of the solution can be run automatically?
• Governance & Policy: How close does the solution come to true policy compliance?
Resource
• Cost, Training, Internal vs. External: These were tallied into a cumulative rating for the amount of resource each solution consumed internally.
Lead Time
• Speed (time to ‘readiness’): Overall time for each solution to be implemented across a business.
Compliance
• Level of Compliance: What is the level of compliance that the solution achieves upon implementation?
• Future Support: What is the solution’s suitability to be an ongoing, future-proofed solve for compliance?
• Ongoing Resource: Once the solution is implemented, what is the ongoing resource required to achieve continued compliance?
Manual Remediation
Audits of data stores and business processes. Creation of scripts and runbooks for DSR. Consents manually audited and consolidated, and increased granularity in RBAC/CASBE for data access with continuous assessment of process.
Radar chart score: 49.
This solution, as indicated in previous visuals, is often the solution of least resistance for teams that don’t have cross-disciplinary buy-in for data compliance investment. There are certain advantages to manual remediation beyond the obvious; because it requires real man-hours to execute, team members in this set-up often show comparatively strong knowledge and awareness of data privacy practices, as there’s no computer behind them to pick up the slack. That said, any manual system poses huge friction challenges for any data and engineering functions within a business. As previously noted, for most teams using this solution, important exercises like DPIAs are simply not feasible.
Key Takeaways:
01 Lower lead-time to ‘readiness’.
02 High ongoing internal resource allocation.
03 Increased friction for data and eng. functions.
Internal Tools
Audit of existing systems. Develop own specification against policy requirements to build, deploy, monitor, and maintain an owned privacy product. Augmented by manual policy remediation where necessary.
Radar chart score: 50.
Investment into a set of internal data privacy tools makes an important first step towards efficiency in privacy operations. Scripts and custom tools are most often developed after a bespoke internal effort to identify and solve for bottlenecks in data processes. This means slightly longer lead time and cost for implementation with the payoff that some previously time-consuming processes around mapping, DSR, and consent become streamlined. For the most part, however, those efficiencies do not extend into the more foundational aspects of CI/CD or DPIA processes.
Key Takeaways:
01 Higher lead time to initial ‘readiness’.
02 Lower manual resource; higher cost of maintenance.
03 Continued manual CI/CD process and compliance.
Privacy Workflow Tools
Workflow management tools for monitoring compliance, readiness, conducting assessments, producing audit trails and reports of ongoing privacy policy and processing activities. Similar to SOC readiness workflow tools.
Radar chart score: 42.
Workflow management tools allow rapid initial setup through a series of self-assessment questionnaires and readiness plans. These pre-prepared templates are suitable to accelerate manual efforts for data mapping and operationalizing DSR management but do not remove the need for extensive manual remediation.
Ultimately this results in rapid relative compliance for certain operations like mapping and DSR, but the high resource requirements persist. Existing workflow tools offer low ongoing support for other data operations.
Key Takeaways:
01 Lower lead time to initial ‘readiness’.
02 Lower manual resource; high ongoing maintenance.
03 Continued manual CI/CD process and compliance.
Privacy Ops Tools
Privacy operations tools currently exist in the categories of data discovery/mapping, DSR collection and management, consent monitoring and management, and overall reporting.
Radar chart score: 31.
Privacy Operations tools support ongoing operational tasks like data mapping and DSR management, and also offer automated data discovery for inventory mapping and automated data retrieval from known data stores. However, these automated tools have narrow use cases and are suitable for only those two compliance obligations.
These tools significantly reduce the resource requirements, with a moderate lead time to compliance in their respective categories. However overall compliance remains low if this is the only approach utilized, as current tools focus on only a narrow subset of data privacy issues.
Key Takeaways:
01 Supports a narrow set of privacy obligations.
02 Low resource requirements for specific obligations.
03 No support for go-forward data & eng. privacy.
Privacy Infra & Dev Tools
Infrastructure middleware or core privacy applications deployed as part of overall data and eng. operations. Analogous to security tools providing support for specific privacy operations and ongoing compliance obligations.
Radar chart score: 71.
Infrastructure solutions to data privacy insert privacy directives, governance and business rules within technology systems. This provides for high degrees of data privacy compliance across major tasks, along with low to moderate ongoing internal resource requirements. This approach has the greatest lead time to full deployment, given its requirement for deployment, training and technical management. However once the lead-time ramp is overcome, the ongoing cost, resource and degree of compliance surpass combinations of other options. It’s a case of larger upfront investment for greater long-term return.
Key Takeaways:
01 Intensive upfront deployment process.
02 Policy & governance as part of CI/CD workflow.
03 High degree of compliance for all obligations.
Insights & Conclusion
We embarked on this exercise to understand the different ways businesses are solving for privacy compliance, understand the tradeoffs between different solutions, and the particular obstacles that constrain success for a given solution. Among our 85 respondents, no two approaches to solving privacy compliance were the same. But there were some common threads and trends that we note below:
First, there’s a prevailing sense that organizations fall short of a state of privacy compliance. Only 12% of our respondents believed they had achieved an adequate state of compliance/readiness for the emerging regulated privacy landscape. This low number shouldn’t be surprising. Regulatory compliance in any domain doesn’t happen the moment legislation comes into effect. Rather it’s a process that’s heavily influenced by the obstacles to adoption.
Companies are running out of time to tackle these obstacles. It’s indisputable that incidents of GDPR enforcement will continue to rise as citizens and regulators find their footing with the new legislation. The CCPA’s implementation in 2020 may follow a similar path with enforcement building slowly over an initial period, then reaching a more active maturity. The trend toward enforcement should be concerning, since we found that basic data mapping is still the greatest concern for early-stage companies. An inability to get a handle on this core exercise makes it impossible to fill any of the higher-level compliance prescriptions with any certainty. For example, it’s impossible to know a DSR has been addressed comprehensively without certainty that the company data map is comprehensive and exhaustive.
Relatedly, more than 70% of companies in this study had no engineering solution to policy compliance. In other words, to the extent that these companies practice compliance, they rely heavily on man-hours and retrofitted processes to do the work. Of course, there are degrees of manual remediation, and many of these teams have adopted at least a set of workflow tools in attempts to increase efficiency. While workflow tools offer the shortest lead time to readiness of all software solutions, they are a poor go-forward solution because they don’t solve for privacy compliance at a deep enough level to allow the organization to build efficient new data structures atop them. Furthermore, despite mandates for compliance there is no code-based workflow for CI/CD and data ops. In practice this means that exercises required by law, for example DPIAs, are undertaken rarely or not at all, which hurts the long-term chances of building a data privacy compliant business. There’s not a clear path to solving this dissonant state of affairs unless organizations commit to a deeper reassessment of their processes and protocols. To this end, dedicated Privacy Infrastructure has the longest deployment and lead time, but promotes the highest level of compliance and the lowest amount of long-term friction for CI/CD and data ops. While the investment can prove a challenging sell to those outside the cut and thrust of daily privacy operations, we continue to believe that only through deep and meaningful structural change can businesses build data operations for the coming decade and beyond.
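The dependency stated above, that a DSR answer is only as complete as the data map it runs against, and the "policy & governance as part of CI/CD workflow" idea from the Privacy Infra & Dev Tools page, are illustrated in the added example below. This is Python written for this edit, not Ethyca’s code or code from any product the report describes. The data map, the discovered schema, the row store, the subject address ana@example.com and the column-name heuristics in PII_PATTERNS are all constructed for the example; a real deployment would take the schema from database introspection and classify columns with tagged schemas or a classifier rather than name regexes.

```python
"""Added example: gate a DSR response on the exhaustiveness of the data map.

Everything here (systems, tables, rows, the PII column heuristics) is
constructed for illustration; it is not code from the report or from any
product the report describes.
"""
import re
from copy import deepcopy

# Constructed data map: the stores and columns the privacy team knows about.
DATA_MAP = {
    "crm": {"customers": ["email", "full_name", "phone"]},
    "billing": {"invoices": ["email", "card_last4"]},
}

# Constructed schema inventory, as database introspection would return it.
# 'crm.audit_log' and the whole 'support' system never made it onto the map.
DISCOVERED_SCHEMA = {
    "crm": {
        "customers": ["id", "email", "full_name", "phone", "created_at"],
        "audit_log": ["id", "actor_email", "action", "ts"],
    },
    "billing": {"invoices": ["id", "email", "card_last4", "amount"]},
    "support": {"tickets": ["id", "requester_email", "body", "ip_address"]},
}

# Constructed rows keyed by (system, table); every row is about one subject.
ROWS = {
    ("crm", "customers"): [{"id": 1, "email": "ana@example.com", "full_name": "Ana", "phone": "555-0100"}],
    ("crm", "audit_log"): [{"id": 9, "actor_email": "ana@example.com", "action": "login"}],
    ("billing", "invoices"): [{"id": 5, "email": "ana@example.com", "card_last4": "4242"}],
    ("support", "tickets"): [{"id": 7, "requester_email": "ana@example.com", "ip_address": "203.0.113.9"}],
}

# Assumed column-name heuristics (an assumption of this example, not a standard).
PII_PATTERNS = [re.compile(p, re.I) for p in (r"email", r"phone", r"name", r"ip_address", r"card")]


def is_pii_column(name):
    """True if the column name matches one of the assumed PII patterns."""
    return any(p.search(name) for p in PII_PATTERNS)


def unmapped_pii(data_map, schema):
    """Return {(system, table): [columns]} that look like PII but are absent from the map."""
    gaps = {}
    for system, tables in schema.items():
        for table, columns in tables.items():
            mapped = set(data_map.get(system, {}).get(table, []))
            missing = [c for c in columns if is_pii_column(c) and c not in mapped]
            if missing:
                gaps[(system, table)] = missing
    return gaps


def locate_subject(data_map, rows, subject_email):
    """Find the subject's rows, but only in the stores the map knows about."""
    hits = []
    for system, tables in data_map.items():
        for table, columns in tables.items():
            email_cols = [c for c in columns if "email" in c.lower()]
            for row in rows.get((system, table), []):
                if any(row.get(c) == subject_email for c in email_cols):
                    hits.append((system, table, row["id"]))
    return sorted(hits)


def dsr_access(data_map, schema, rows, subject_email):
    """Answer an access request; refuse to certify it while PII columns are unmapped."""
    gaps = unmapped_pii(data_map, schema)
    return {
        "records": locate_subject(data_map, rows, subject_email),
        "complete": not gaps,
        "unmapped": gaps,
    }


def remediate(data_map, gaps):
    """Return a new map with the unmapped PII columns folded in (the manual fix step)."""
    merged = deepcopy(data_map)
    for (system, table), cols in gaps.items():
        merged.setdefault(system, {}).setdefault(table, []).extend(cols)
    return merged


if __name__ == "__main__":
    first = dsr_access(DATA_MAP, DISCOVERED_SCHEMA, ROWS, "ana@example.com")
    print("complete:", first["complete"], "records:", first["records"])
    print("unmapped:", first["unmapped"])
    fixed = remediate(DATA_MAP, first["unmapped"])
    second = dsr_access(fixed, DISCOVERED_SCHEMA, ROWS, "ana@example.com")
    print("complete:", second["complete"], "records:", second["records"])
```

Run as is, the first request finds only two of the subject’s four records (crm.customers and billing.invoices) and reports complete = False, naming crm.audit_log and support.tickets as the unmapped stores; after those gaps are folded back into the map, the second request finds all four and can be certified. The complete flag is the kind of check that belongs in a CI/CD pipeline: a change that introduces a new store with personal data but no data-map entry fails the build instead of silently shrinking every later DSR answer.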
ethyca.com