Executive Q&A: The Current State of Enterprise Data Compliance
Four years on, compliance with GDPR is still problematic for many enterprises. CYTRIO’s co-founder and CEO Vijay Basani explains the current compliance landscape and what regulations may lie ahead.
- By Upside Staff
- July 14, 2022
Upside: In your latest report, CYTRIO found an overwhelming number of companies aren’t prepared for several data governance laws. Give us some of the highlights of your findings.
Vijay Basani: In our Q1 2022 research, we found that 90 percent of the companies we studied are not fully compliant with the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or the European Union’s General Data Protection Regulation (GDPR). In addition, we found that even more -- 95 percent of companies -- are using manual processes that are prone to error or take a lot of time to meet GDPR Data Subject Access Request (DSAR) requirements. Almost 20 percent of the companies that said they needed to comply with CCPA also said they need to comply with GDPR.
In Q4 2021, we studied 5,175 U.S. companies with revenues ranging from $25 million to more than $5 billion per year. In Q1 2022, we studied CCPA and GDPR DSAR compliance of an additional 1,570 U.S. companies, so we’ve researched 6,745 companies in all so far. Overall, we’ve found a massive state of unpreparedness for CCPA and GDPR compliance among U.S. companies.
What is DSAR and what are companies not ready for when it comes to DSAR?
A: DSAR stands for Data Subject Access Request. DSAR is the right for a consumer to have control over their personal information that companies are collecting. For example, under GDPR, those rights include the right to access, erase, not sell, and modify or correct, which means if you find out a company has incorrect information about you, you have the right to correct it.
However, these are only the most prominent rights. Under CCPA, there are similar rights such as the right to access which means the right to understand or know all the different types of personal information a company has collected about you, including categories of information such as who your information is being shared with.
Under CCPA’s right to delete, you have the right to ask a company to delete your information. CCPA’s “do not sell my information” right means a company cannot share your information with third parties.
When a consumer makes a valid request, the company is required to search through all data sources where they store personal information on consumers or individuals or employees. They must identify personal information that belongs to the requestor, correlate that with their identity, and provide them with a copy of their information.
If it's right-to-delete request, the company has to delete the information that belongs to the consumer. However, if there are legitimate reasons to keep the data, a company can deny a request to delete certain information. For example, if you have a service account or subscription with a company, if they believe they need your name and email address to service the account, they can deny requests to delete that information. Everything else will need to be deleted, though.
What does it mean for a company to not be fully compliant? What’s missing for these companies? What are they not prepared to do or aren’t doing now?
To comply with both CCPA and GDPR, it’s helpful to break it down into seven steps. To be fully compliant, a company needs to:
- Provide a mechanism for the data subject or the consumer to submit data requests.
- Identify and validate the identity of the requester.
- Automatically discover all the personal information that belongs to the requester to correlate that with their identity.
- Ensure it is reviewing and approving the data that is being shared with the consumer.
- Capture all the actions that are taken in the process of responding to the requests in a detailed audit log.
- Ensure it is securely sharing the information with the consumer so the company doesn’t create accidental data breaches.
- Automate the process in order to comply with all SLAs.
Companies are being fully compliant when they are strictly following this seven-step process. Requests need to be responded to in an efficient and timely manner. For example, under CCPA’s right to access or right to delete, you need to respond within 45 days of the request being submitted. For GDPR, the response time is 30 days.
When companies are not compliant, they are not prepared to respond to these requests. They are failing in one or more of the seven steps. Generally, “not compliant” means they don't provide an easy mechanism for consumers to submit requests. Either they are not automated and it's a very cumbersome process (which increases the probability of them violating the SLA’s response time requirements) or they aren’t capturing the information the way it should be captured -- all of this increasing the probabilities of errors or increasing response times, resulting in a lack of trust between the consumer and the company. It could also be that the manual processes could also create a higher probability of an accidental data breach.
When responding to requests manually, an enterprise must correlate a lot of information manually from tens or even hundreds of data sources. The response time is going to be very slow and the cost of responding is going to be enormously high. If you're keeping all of this activity in a manual log, maintaining it is very cumbersome and expensive.
GDPR went into effect four years ago -- in May of 2018. That’s a long time to be out of compliance. What’s the problem?
Every regulation takes three to five years or longer for most companies to be compliant. GDPR is mostly enforced within the EU by the EU member states. Even though some U.S. companies are required to comply with GDPR and enforcement started four years ago, actual penalties only started about two years. Under GDPR, there’s a prosecution process that takes time, which the pandemic delayed even further. We expect the same enforcement action and path under CCPA.
Data privacy regulations are more actively enforced than other regulations we have seen in the last 20 years -- whether that’s Gramm-Leach-Bliley Act (GLBA), Sarbanes Oxley, HIPAA, HITECH, or PCI DSS. Sarbanes Oxley and HIPAA have been in existence for over 20 years, and there’s a substantial percentage of companies that are not compliant because that’s the nature of any regulation.
We’ll always see a certain percentage of companies that will never comply; they will take the risk of being penalized. There’s always going to be a percentage of companies that take a long time before they comply, and there are companies that will be the first to comply.
I would say that about 10 to 20 percent of early adopter companies will comply with regulations because they feel that damage to their reputation is bad and they don’t want to take the risk. They don't want to be in the news. They want to do the right thing.
Fifty to 60 percent of companies (the majority) comply within the first two to five years once the regulation goes into effect. This is when broad adoption or compliance happens. There will always be 20 to 30 percent of companies that will never comply with any regulations. That's the nature of the compliance market. We're going to see a similar pattern with GDPR and CCPA.
Getting back to DSARs, what are the manual processes you’re referring to about GDPR DSAR?
When a company does not provide a mechanism for the consumer to easily submit a request, does not have an automated system to automatically discover personal information that belongs to the requester, and does not automate the process of orchestrating and responding to the request in an automated fashion, then we call this a manual process.
Companies are using manual processes that are email- or telephone-based. For example, in a company’s privacy policy, they'll state that if you want access to your data or your privacy rights, send your email to, for example, privacy@companyname.com. In this process, the company is forcing the user to send an email to the company. Then, someone at the company is manually monitoring and reading that email. They assign the task to an individual, and that individual captures the requirement. Then, they manually start the process of communicating with the data subject who submitted the request, asking them to verify their identity. The validator has a workbook or template that they use to respond to these requests.
The company has a list of all the data owners and where they store this information. The individual managing the request manually contacts each one of those data owners to request they search for this consumer’s personal information. Then they'll coordinate with them to receive all the information and correlate it manually. They put it all into a report and then share that information with the consumer manually. The individual is also keeping a logbook of when they did what, when they validated the identity, when they communicated with the consumer and the data source owners. All the activities are manually logged. This process literally takes eight to 10 hours on average. This is a very expensive, time-consuming, and error-prone process.
Although the impact isn’t limited to California-based companies, won’t they be the first targets of CPRA DSAR enforcement? Should California-based companies be worried the most?
Not necessarily. Even though CCPA applies to any California citizen, CCPA says that for any company that is over $25 million in revenue, or collects over 50,000 pieces of household information, or generates more than 50 percent revenue through the sale of personal information, it doesn't matter where the company is domiciled. The company is required to comply with CCPA.
The regulation has broad authority to penalize companies no matter where they're located as long as those companies are meeting any one of those three criteria. We believe that when the California Privacy Protection Agency (CPPA) starts to announce fines, they are not going to be focused on California-based companies only; they're going to be targeting all companies in the U.S.
Is there time for out-of-compliance companies to get into compliance, or is it too late no matter what they do?
Compliance is a journey. If you're not complying, you should start the process. The sooner you start, the faster you can get compliant, especially with data privacy regulations. Every company should think of data privacy compliance not just as checking the right box but as doing the right thing to help the company retain customers. Keep in mind that privacy is a basic human right. In the modern digital world, respecting your customers’ privacy will be critical for customer loyalty, revenue growth, customer satisfaction, and customer retention.
There was a research report that was published by IBM and Forrester Research a couple of years ago, which basically said that increasingly, executives are saying that complying with data privacy regulations and allowing consumers to exercise data privacy rights is very important for companies’ revenue growth, for a company’s ability to retain customers, and for customer satisfaction. In today's digital world, creating the consumer trust and transparency is very important. Having the ability to create trust and transparency goes a long way in making a meaningful impact on the bottom line of the company. This is a journey and not something you can build with the flip of a switch. It takes time, effort, and commitment.
Let’s look at the consequences. Are fines inevitable for these out-of-compliance companies? Are fines less onerous than the effort it will take to comply with these regulations?
If you're not in compliance and you're not doing anything about it, you're basically gambling -- taking a chance on not being caught. If there’s anything that we’ve learned from the cybersecurity market over the last 20 years, it’s that the bad guys are going after both big and small companies. They're industry agnostic, and any company can be breached at any time with no notice. That means the risk of being compromised is real, and once you're compromised, the risk of regulatory fines is extremely high. If there is a breach, I would say there’s an extremely high probability that you're going to be fined. Don't take chances. Gambling on not being caught is very dangerous for any company.
In today's digital world, big companies are collecting lots of information about consumers and leveraging that information to make smart business decisions. Creating trust and transparency between the company and the consumer whose data you're collecting is very important because if you do the right thing in protecting consumers’ data, consumers will be open to giving you their information. Your company will then be able to make smarter and better decisions. It comes down to doing the right thing and building trust. Complying with these regulations will be very helpful for companies in the long run.
Did you find any differences among the companies you studied? For example, did size or revenue or industry matter?
Yes. Larger companies over $100 million in revenue were a little better in terms of implementing an automated solution versus those below $100 million. That is understandable because larger companies tend to be more concerned about reputational damage, and they also have more resources. Most large companies are also used to regulatory compliance. This could explain why we saw an adoption rate of an automated solution a couple of percentage points higher in larger companies versus small to midsize companies.
We saw a similar pattern in companies above 1,000 employees versus companies below 1,000 with a couple of percentage point difference in the adoption rate.
In terms of verticals, consumer-facing companies or verticals -- companies that deal with consumers directly or B2C companies -- had a slightly higher adoption rate than did B2B companies. The top three most-compliant verticals we saw in the study were business services, retail, and finance. They were complying with these regulations at a higher rate than companies in industries such as legal or healthcare. CCPA gives certain exemptions to certain industries. For example, if a healthcare company is already complying with HIPAA or HITECH, they are exempt from CCPA.
Interestingly, we saw technology companies were more eager to comply with CCPA and GDPR. My guess is these technology companies engage in a lot of outbound and inbound marketing where they are collecting personal information about prospective clients and prospects.
What about locations? For example, were states where most tech companies are located more compliant than others?
It’s not necessarily where companies are located. We found the top three most-compliant states to be California, New York, and Texas, which are large states. Of the 6,700 companies in our research, almost 1,000 were from California, about 650 from New York, and about 500 companies from Texas. These companies are across all verticals, so given the size of these companies and the size of the economies we're dealing with from these states, it is understandable that we are going to see these states as the top three in compliance.
What other regulations are on the horizon that enterprises should be paying attention to now? Is compliance harder with the coming crop of regulations?
Interestingly, the U.S. has been a laggard in terms of data privacy regulations compared to the rest of the world, which is troubling. The U.S. does not have a federal data privacy regulation, even though GDPR went into effect more than four and a half years ago. There are a hundred other countries that adopted or implemented a modern data privacy regulation. Most of the western world and developed countries have adopted a stringent data privacy regulation. Gartner predicts more than 65 percent of the world’s population will be covered by a modern data privacy regulation by end of 2023.
Fortunately, California has taken the position that they want to be the leader in implementing a regulation concerning data privacy. Since the adoption of CCPA in California, we have seen dozens of states across the country looking to approve data privacy regulation at the state level. Since 2020, Virginia, Colorado, and Utah approved a data privacy regulation and another 20 states are in various stages of data privacy regulation . We expect between now and the next year and a half, several more states will be approving their own regulations.
What does this all mean? For the four states that have approved data privacy regulations, although there is a great commonality across them, there are also substantial differences. For a company that is doing business in more than one state in the U.S., companies have to worry about implementing state-specific compliance. If this happens, it is going to become extremely challenging for companies in the U.S. to do business in a variety of states, having to comply with each individual regulation. It's going to become a very cumbersome and painful process.
My advice to enterprises is don't wait for a particular state to adopt a particular regulation. Comply with the most comprehensive, most extensive regulation and enable it for all consumers irrespective of where they are domiciled. By doing that, you are not only building trust and transparency between your consumer and your company, you're also being a good steward of data privacy regulations, and you're going to be complying once rather than piecemeal for every state. The cost of complying with the most comprehensive regulation is going be substantially less than doing it state by state for 50 states.
Are there any other trends that enterprises should be aware of?
The big trend that we see is consumers are increasingly becoming more aware of their data privacy rights. Consumers are demanding that companies be transparent about how they're collecting information, and companies need to honor and respect the rights of consumers.
The other trend we see is that more data aggregators are popping up. They're going to become a nuisance for companies because they're going to make it really easy for consumers to be able to submit data requests across tens or hundreds of companies with very few clicks. Companies are going to see increasing numbers of data requests, and companies need to have an automated solution to respond to these requests in a timely manner.
One other trend we're seeing is that the number of requests coming from consumers in the U.S. is increasing at a good pace, and this also happened under GDPR. In the first year, there were not many requests, and since then, every year, the number of requests under GDPR has gone up meaningfully. Last year, on average, companies saw almost twice the number of requests under CCPA compared to 2020. That trend is going to continue.
[Editor’s note: Vijay Basani is the co-founder and CEO of CYTRIO. He is a serial entrepreneur with a track record in building successful businesses that deliver enterprise-class solutions. He has 30 years of data, privacy, and security experience, previously founding WebManage Technologies (acquired by NetApp) and AppIQ (acquired by HP). In 2020, he founded CYTRIO, a next-generation data privacy rights management company, to address companies’ challenges of meeting increasing data privacy regulations. Prior to CYTRIO, Vijay founded Cygilant (previously EiQ networks), a leading Security-as-a-Service provider. You can contact him via LinkedIn.