Many organizations do not know how to find, access, or control personal data. That inability to accurately manage personal data creates a few different organizational risks. For organizations with global operations, those risks are magnified.
The first major risk organizations face relates to compliance with laws. If an organization doesn’t know what personal data it has, where that personal data resides, and who has access to that personal data, compliance with data privacy laws like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the new Colorado Privacy Act (CPA) becomes nearly impossible.
GDPR, CCPA, and CPA all have one thing in common: each requires an organization to be able to produce an individual’s records upon request within a relatively short time frame. They also require organizations to act on an individual’s request to be forgotten – in other words, they all require an organization to delete an individual’s personal data if requested. If the organization doesn’t know what data it has or where it lives, it can’t act on those requests. A failure to act on an individual’s request can lead to high fines and reputational damage.
For businesses that operate in multiple jurisdictions, managing these data subject access requests can be a major operational challenge. Manually processing these requests can cost upwards of $240,000 per million records, according to industry experts (Source: DataGrail’s 2020 Consumer Privacy Expectations Report).
While GDPR, CCPA, and CPA are some of the most recent examples of relatively new data privacy laws, more than 100 countries have implemented data privacy legislation and many of those laws offer similar data access rights. In the absence of a federal solution, many U.S. states are also debating and implementing their own data privacy laws. To meet these varying compliance requirements, it’s critical that an organization know what personal data they have and where it resides.
Another risk organizations take on when they don’t know what personal data they have comes from data security incidents. A report from Imperva Research Labs shows that personal data is a top target for attackers. If an organization doesn’t have an accurate data map, it is incredibly challenging to assess the severity of a data security incident and to determine any associated reporting obligations. Trying to build a data map in the midst of a data security incident creates unnecessary pressure and is likely to lead to a misunderstanding of the associated risk. As a result, an organization may miss a regulatory reporting deadline, which, in the EU, can be as short as 72 hours.
An organization with an established, accurate data map can also leverage the benefits of a data retention program. If an organization knows its data inventory, it can begin to delete data it no longer needs. Once that data has been securely deleted, the organization can effectively shed the associated data security risk.
Another risk organizations face when they don’t know what data they have or where it resides comes from insider threats. When users are given privileges that are not necessary for their role, that risk increases. Understanding user permissions and applying appropriate role-based access controls are effective ways to mitigate that risk.
The good news is that, in today’s market, tools exist to assist organizations with data discovery. By deploying these tools, organizations can locate and classify the data they hold, map where it resides, and determine who has (or should not have) access. Some tools even include integrated features that assist with the management of data subject access requests. Based on the findings those tools provide, an organization can then develop a plan of action to reduce its overall data privacy risk. Making an investment in those tools can save an organization from substantial costs down the road, including fines, legal fees, and loss of reputation.
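As an added illustration (not code from the original article or from any product it mentions), the following Python sketch shows the core of what such a discovery tool does: it classifies personal data across a few constructed sample stores, builds a data map of categories and readers per store, flags readers who fall outside an approved list, and answers access and erasure requests from that map. The store contents, reader sets, approved-reader list, and classifier patterns are all constructed assumptions.

```python
import re

# Constructed sample data stores (assumption, not real systems):
# store name -> (records held, accounts that can read the store).
STORES = {
    "crm.customers": ([{"id": 1, "email": "ana@example.com", "phone": "+1 303 555 0100"},
                       {"id": 2, "email": "bo@example.com", "note": "prefers SMS"}],
                      {"sales", "marketing", "dba"}),
    "ops.tickets": ([{"ticket": 17, "body": "ana@example.com reports a login issue"},
                     {"ticket": 18, "body": "Upgrade DB to 14.2"}],
                    {"support", "dba", "intern"}),
    "logs.web": ([{"line": "GET /account ip=203.0.113.7 user=bo@example.com"}],
                 {"sre", "dba"}),
}
# Approved readers per store, e.g. the output of a role-based access review (assumption).
APPROVED = {"crm.customers": {"sales", "marketing", "dba"},
            "ops.tickets": {"support", "dba"}, "logs.web": {"sre", "dba"}}
# Personal-data category -> pattern that detects it in a field value (simplified).
CLASSIFIERS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\+?\d[\d\s()-]{7,}\d"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def classify(value):
    """Return the set of personal-data categories found in one field value."""
    return {cat for cat, rx in CLASSIFIERS.items() if rx.search(str(value))}
def mentions(record, email):
    """True if any field of the record contains the subject's e-mail address."""
    return any(email in str(v) for v in record.values())
def build_data_map(stores=STORES):
    """Discovery: which personal-data categories each store holds and who can read it."""
    data_map = {}
    for name, (records, readers) in stores.items():
        cats = set().union(*(classify(v) for r in records for v in r.values()))
        if cats:  # stores with no personal data are left out of the map
            data_map[name] = {"categories": cats, "readers": set(readers)}
    return data_map
def unexpected_readers(data_map, approved=APPROVED):
    """Accounts that can read personal data but are not on the approved list for that store."""
    extra = {n: e["readers"] - approved.get(n, set()) for n, e in data_map.items()}
    return {n: s for n, s in extra.items() if s}
def locate_subject(email, stores=STORES):
    """Access request: the stores that hold records about this person."""
    return sorted(n for n, (recs, _) in stores.items() if any(mentions(r, email) for r in recs))
def erase_subject(email, stores=STORES):
    """Erasure request: return (records removed, new store dict with those records dropped)."""
    new = {n: ([r for r in recs if not mentions(r, email)], rd) for n, (recs, rd) in stores.items()}
    return sum(len(stores[n][0]) - len(new[n][0]) for n in stores), new
```

Note that the log line and the ticket body carry personal data even though neither is a "customer" field, which is exactly the sort of location a manual inventory tends to miss.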