NIST Privacy Framework : Our Essential Data Protection Guide


The Analyst View: Quality Standards for Surefire Data Protection

Spirion recently enjoyed co-hosting a webinar, Privacy Grade: Three Quality Standards for Surefire Data Protection, with 451 Research, a part of S&P Global Market Intelligence. Jason Hodgert, Spirion Product Marketing Manager, was joined by Senior Research Analyst Paige Bartley, who covers the Data, AI & Analytics Channel at 451 Research, to share custom survey research highlights about how large enterprises are handling data privacy and protection.
451 Research administered the Spirion-commissioned online survey to IT decision-makers at large organizations (with 1,500+ employees) to understand the technological and workflow practices, pain points, and limitations related to data privacy functions, such as data discovery, data classification, and data remediation.
In today’s post, we’ll summarize the research’s key takeaways, based on real-world feedback from 375 enterprise security professionals, that were presented during the March 19 webinar with 451 Research.

The Days of Security Practices That Fight the Worker Experience Are Waning

In her opening remarks, Paige established the overarching theme of the research, stating: “The days in which information security practices can be combative toward the typical worker’s subjective experience are waning.” The 451 analyst acknowledged that the world view of information security is changing. It must now align with the organization’s overall objectives, so workers can access the information they need and are not unduly slowed down. “Data is driving business value,” she emphasized. “If workers cannot access the data they need in a frictionless manner, then it is slowing down business.”
This theme, that data privacy efforts complement rather than compete with other data-driven initiatives, was a critical research insight. In fact, one of the study’s most statistically significant findings was the strong correlation between the scope of an enterprise privacy program and multiple data security, data privacy, and data use outcomes, such as:

  • Better overall data management capabilities
  • More direct involvement of technical/security roles
  • Faster time to retrieve specific data
  • Less line-of-business user frustration in data access

Although it may seem counter-intuitive, the 451 Research survey found that organizations with privacy programs spanning multiple regional regulations are better equipped to meet external Data Subject Access Request (DSAR) deadlines while also supporting the data access needs of internal line-of-business users without hindering their productivity. This suggests that strong data privacy programs increase overall awareness of data resources within the organization, contributing to better governance and outcomes across multiple data-driven initiatives.
Paige acknowledged that some of the findings might seem to go against the conventional wisdom of data privacy and data security practices. However, she stressed, “when you have research that goes against traditional wisdom, those are some of the most powerful findings that you can have.”

Privacy Grade: Three Quality Standards for Surefire Data Protection

Paige highlighted the organizational privacy dynamics, privacy pain points, data governance trends, and critical data privacy functionality that real organizations are experiencing today during the webinar. She also shared guidance on important data privacy and business metrics, and factors critical for success.
Here are some of the highlights from the session:

Organizational privacy dynamics

Survey results reveal that most organizations have a dedicated group taking formal responsibility for data privacy. Which function owns the program is strongly correlated with the program’s scope, that is, whether it addresses a single regulation or multiple regulations.
Organizations whose programs are broader in scope and deal with requirements from multiple jurisdictions worldwide are more likely to treat data privacy as a function of security. Those that address only a single regulation are more likely to treat data privacy as a compliance function.
To support their data privacy programs, an overwhelming majority of organizations use dedicated data privacy software to coordinate and manage the formalized data privacy effort. However, 451 Research points out that the definition of data privacy software needs to “extend beyond technical data security mechanisms and support the persistent protection of data throughout an organization’s entire data estate: regardless of where data resides.” Paige also emphasized the need for data privacy software to support a broad swath of end-users with wide-ranging skills, backgrounds, and capabilities.

Privacy pain point trends

Data retrieval time remains a top pain point for privacy programs. The ability to retrieve specific data efficiently is a critical capability—not only for compliance but for more proactive insight, such as customer 360 experiences.
The survey results also show that data retrieval time is strongly correlated with the scope of the privacy program (single regulation versus multiple regulations), which the research uses as a proxy for maturity. Privacy programs governed by multiple regulations are better positioned to retrieve data quickly: only 21% of organizations with a broad privacy scope reported that it would take “several days” or longer to retrieve data, versus 44% of organizations governed by a single regulation.

Slow data retrieval times can result in missed deadlines for data subject access requests, regulatory penalties and fines, and disproportionate strain on IT staff and resources, as well as an inability to leverage data proactively and in a timely way.

Data governance trends

A key paradox in the survey results is that broader and more mature data security and privacy programs do not slow down workers. In fact, organizations with privacy programs designed to address multiple regulations experience less friction with their line-of-business users.
Paige explains that mature data privacy programs serve to increase visibility and awareness of data resources within organizations. This provides more granular control, better permission policies and workflows, and greater awareness of appropriate data use.
She goes on to say, “Data governance, which underpins both data privacy efforts and the proactive organizational leverage of data, is at the core of successful data-driven initiatives. Data privacy programs can be an excellent functional opportunity to align these objectives within an organization so that programs and stakeholders across the business directly benefit.”

Data privacy and business metrics

Deciding the right metrics to measure is a critical part of a privacy program. However, Paige cautions against using metrics that are external in nature, such as avoidance of fines, because they fall outside an organization’s control.
Instead, she recommends metrics that focus on variables the organization can directly control. Examples of such internal metrics are time-oriented KPIs: time to identify the relevant data, time to retrieve it, and time to remediate it (for example, by deleting or correcting it).
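To make the three time-oriented KPIs concrete, here is an added example (not code from the webinar, 451 Research, or Spirion) that computes them from a constructed log of DSAR tickets. Each ticket records when the request was received and when the identify, retrieve, and remediate stages finished; the script reports the median elapsed hours per stage, the share of closed requests answered within an assumed 30-day deadline, and which open requests are about to breach it. The 30-day deadline, the 5-day warning window, and the sample tickets are all assumptions for illustration, not figures from the research.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

# Assumed for this example: a 30-day response deadline and a 5-day early-warning window.
DEADLINE = timedelta(days=30)
WARN_BEFORE = timedelta(days=5)
STAGES = ("identified", "retrieved", "remediated")


@dataclass(frozen=True)
class DsarRecord:
    request_id: str
    received: datetime
    identified: Optional[datetime] = None   # all of the subject's data located
    retrieved: Optional[datetime] = None    # data assembled and delivered
    remediated: Optional[datetime] = None   # deletion/correction completed


def stage_durations(rec: DsarRecord) -> Dict[str, Optional[timedelta]]:
    """Elapsed time from receipt to each stage; None for stages not yet reached."""
    out: Dict[str, Optional[timedelta]] = {}
    for stage in STAGES:
        reached = getattr(rec, stage)
        out[stage] = (reached - rec.received) if reached is not None else None
    return out


def median_hours(records: List[DsarRecord], stage: str) -> Optional[float]:
    """Median hours from receipt to the given stage over records that reached it."""
    hours = []
    for rec in records:
        d = stage_durations(rec)[stage]
        if d is not None:
            hours.append(d.total_seconds() / 3600)
    return median(hours) if hours else None


def deadline_status(rec: DsarRecord, now: datetime, deadline: timedelta = DEADLINE) -> str:
    """'on_time' if retrieved within the deadline, 'late' if retrieved after it or
    still open past it, otherwise 'open'."""
    due = rec.received + deadline
    if rec.retrieved is not None:
        return "on_time" if rec.retrieved <= due else "late"
    return "late" if now > due else "open"


def kpi_report(records: List[DsarRecord], now: datetime,
               deadline: timedelta = DEADLINE, warn_before: timedelta = WARN_BEFORE) -> dict:
    """Internal, controllable KPIs: per-stage median hours, on-time rate for closed
    requests, late requests, and open requests inside the warning window."""
    statuses = {r.request_id: deadline_status(r, now, deadline) for r in records}
    closed = [s for s in statuses.values() if s != "open"]
    on_time_pct = 100.0 * closed.count("on_time") / len(closed) if closed else None
    at_risk = sorted(
        r.request_id for r in records
        if statuses[r.request_id] == "open" and now >= r.received + deadline - warn_before
    )
    return {
        "median_hours": {s: median_hours(records, s) for s in STAGES},
        "on_time_pct": on_time_pct,
        "late": sorted(k for k, v in statuses.items() if v == "late"),
        "at_risk": at_risk,
    }


# Constructed sample tickets (not survey data) and the as-of time used for the report.
NOW = datetime(2024, 3, 31, 12, 0)
SAMPLE = [
    DsarRecord("R1", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 2, 9, 0),
               datetime(2024, 3, 3, 9, 0), datetime(2024, 3, 4, 9, 0)),      # fully closed, on time
    DsarRecord("R2", datetime(2024, 2, 20, 9, 0), datetime(2024, 2, 25, 9, 0),
               datetime(2024, 3, 25, 9, 0)),                                  # delivered 34 days in: late
    DsarRecord("R3", datetime(2024, 3, 4, 12, 0), datetime(2024, 3, 6, 12, 0)),  # open, due in 3 days: at risk
    DsarRecord("R4", datetime(2024, 3, 20, 12, 0)),                           # open, nothing located yet
]

if __name__ == "__main__":
    for key, value in kpi_report(SAMPLE, NOW).items():
        print(f"{key}: {value}")
```

Tracking the open requests inside the warning window is what turns a reporting metric into an operational one: it points IT at the handful of tickets where faster identification or retrieval still changes the outcome, rather than at a fine that has already been decided.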

Critical data privacy functionality

When it comes to protecting data, appropriate mechanisms and consistency are essential. Organizations need a range of functionality, especially in remediation capabilities, and the ability to scale to modern volumes of data is critical.
Most organizations report some level of automation to make their privacy programs both scalable and sustainable. The top-reported benefits to using automation in data privacy are: higher confidence in compliance capabilities (38%), improved time efficiency (36%), and the ability to protect more data (35%).

Critical success factors

Comprehensive data privacy programs are not just about technology; they must also account for people and processes. Paige emphasized that no technology problem can be solved without first examining the interdependent dynamics of the people and processes involved. People influence processes; processes influence the use of technology; and technology influences people’s behavior. The goal is to create a virtuous, positive feedback loop in which people, processes, and technology benefit each other.
She also stressed that communication across stakeholders is table stakes. Data privacy is an interdisciplinary team sport that must consider the needs and objectives of various leadership roles, line-of-business users, marketing and sales, general IT practitioners, and security and privacy specialists.

About Paige Bartley, Senior Research Analyst, 451 Research, part of S&P Global Market Intelligence

In her current research, Paige analyzes the need for information governance to maximize the value of enterprise data amid proliferating global regulatory requirements and rising consumer expectations for data stewardship. With data privacy and compliance as a specialty focus, Paige explores how the enterprise can align technical requirements with business strategy, enabling more profitable and compliant leverage of data.

Want to learn more?

In case you missed the webinar, Privacy Grade: Three Quality Standards for Surefire Data Protection, you can watch it on-demand here.
Be sure to grab a copy of the 451 Research survey results, Deliver Effective Sensitive Data Protection with Three Must-Have Standards, here.