DATA PRIVACY REPORT: Data Privacy Priorities, 2021

Upload by : Helen France

Executive Summary

Data privacy and protection strategies not only play a critical role in maintaining the health of an organization but also minimize the legal maelstrom of regulatory non-compliance. As end users (consumers, customers, employees, and partners) wake up to their data privacy rights, organizations need sound data privacy programs; with any unlawful or shady tactics or costly data breaches, reputations can be destroyed.

Companies are compelled to invest in a data privacy infrastructure that incorporates privacy by design by sorting through their vast stores of data. ServiceNow and BigID surveyed IT and engineering leaders to gauge how privacy is a key corporate initiative at their organizations and what their strategies are to overcome the challenges of this new security threshold.

Read on to get insights on who's responsible, what leaders are looking for in applying data privacy techniques and technologies, and what their greatest challenges are, along with how to address them.

IT leaders are taking data privacy seriously, but the responsibility for successful initiatives remains largely distributed.

The responsibility for driving the success of data privacy initiatives falls under a variety of teams. Most commonly it is housed under security and risk teams (29%), but it remains a collaborative responsibility across governance, risk, and compliance for one-quarter of respondents (25%).

Who is responsible for driving the success of your data privacy initiatives across your organization?
- Security and/or Risk: 29%
- Collaborative effort across Governance, Risk, and Compliance: 25%
- Privacy, Legal and/or Compliance: 22%
- Data Governance: 20%
- There is no team: 4%

What drives privacy initiatives?

The top 3 goals driving privacy initiatives in their organizations are data privacy and governance (78%), assessing and managing risk (74%), and compliance or managing regulatory change (66%).

What are the main goals driving privacy initiatives within your organization?
- Data privacy and governance: 78%
- Assessing and managing risk: 74%
- Compliance or managing regulatory change: 66%

Additional responses include breach analysis and threats (48%), data discovery and management (40%), and supplier privacy assurance (13%).

Success metrics for privacy programs

When it comes to measuring the success of their privacy programs, most of the leaders surveyed are using metrics that track security threat activity; 64% measure their enterprise-wide risk exposure, 54% measure the trend of security activities, 48% measure incident numbers, and 37% measure DSARs. Meanwhile, 63% are tracking their privacy program maturity to have a more holistic view of their security threats and past accomplishments.

What are the key metrics that you are looking at when measuring the success of your privacy program?
- A comprehensive enterprise risk assessment: 64%
- Analysis of overall organization risk and privacy program maturity: 63%
- Assessment activities (e.g. Records of Processing, Privacy Impact Assessments, Transfer Impact Assessments, etc.): 54%
- In-depth incident numbers & trends: 48%
- Data subject access requests (DSARs) and/or customer satisfaction regarding DSARs: 37%

The majority of respondents (61%) are taking a proactive approach to overcoming privacy shortcomings by identifying and preventing the problems. However, a third of the respondents (33%) are simply being reactive to privacy threats by responding to incidents after they occur.

How does your organization approach a privacy by design strategy?
- Proactive (Making strategic decisions to identify and prevent potential problems): 53%
- Reactive (Reacting and responding to a situation without taking any initiative or making strategic decisions): 33%
- Super proactive (Taking full and complete responsibility while optimizing the process for the best outcome): 8%
- Inactive (Taking No Actions): 8%

Heavy reliance on manual tools is slowing down the ability to proactively manage sensitive and regulated data

Excel sheets (53%) and data mapping or visualization tools such as Vizio (41%) are most commonly used to manage data privacy and compliance. However, commercial or dedicated data privacy tools are also becoming increasingly prevalent as 51% of respondents admit to using them.

What tools does your organization currently use to manage data privacy and compliance?
- Excel sheets: 53%
- Commercial product: 51%
- Visualization/data mapping tools (Vizio): 41%
- Internal build/customized: 38%
- Word documents: 28%

Organizations struggle to maintain an accurate data inventory across their entire data landscape

With a heavy reliance on manual tools, many respondents are simply scanning and identifying data in structured sources (40%), have yet to analyze data in both structured and unstructured locations (12%), or have no initiative in place to scan sensitive data (4%).

Which of the following best describes your current approach to protecting and managing sensitive and regulated data?
- I'm identifying sensitive data stored across structured & unstructured sources: 44%
- I've been scanning and identifying my data stored in structured data sources like SQL databases, spreadsheets, online forms: 40%
- I'm concerned about data in text documents, emails, pdfs, and image files, but I'm not analyzing that at the moment: 12%
- There is no initiative or program monitoring sensitive data: 4%

Which regulatory requirement has been the most difficult to fully comply with?

Amongst the many regulatory compliance requirements, more than a third (39%) find "Record of Processing Activities (GDPR - Article 30)" the most difficult one to fully comply with. This is followed distantly by Data Protection Impact Assessment (17%), incident response/reporting (15%) and consent management (13%).

- Records of Processing Activity (RoPA): 39%
- Data Protection Impact Assessment (DPIA): 17%
- Incident response & reporting: 15%
- Consent Management: 13%
- Data Subject Access Request (DSAR) and Other: 13% and 3% (the chart text does not show which value belongs to which)

What has been the most challenging when documenting Records of Processing Activities?

The most challenging part of documenting Records of Processing Activities, according to 42% of the survey respondents, is identifying the many data owners. Documenting data processes (23%) and developing consistent data workflows and mapping diagrams (19%) are also common challenges to documenting Records of Processing Activities.

- Identifying the data owners & process: 42%
- Documenting data processes: 23%
- Developing consistent data workflows & mapping: 19%
- Estimating the risk associated with business processes and Collaboration amongst business stakeholders: 12% and 4% (the chart text does not show which value belongs to which)

4 Steps to Proactive Privacy Management

ServiceNow and BigID have partnered to enable organizations to build a comprehensive data privacy strategy, proactively manage risk, and sustain compliance.

Operationalize and automate proactive privacy across your organization to achieve data-driven privacy compliance and automation for new and emerging data privacy and protection regulations.

1. Identify regulated, personal, sensitive, and critical data across your data landscape and maintain a continuously updated privacy-aware inventory
2. Classify and categorize data by sensitivity, regulation, type, and policy
3. Automate manual processes - from responding to privacy impact assessments to maintaining records of processing
4. Integrate privacy-aware risk management across your data security, risk, compliance, and governance strategies

About ServiceNow

ServiceNow (NYSE: NOW) is making the world of work, work better for people. Our cloud-based platform and solutions deliver digital workflows that create great experiences and unlock productivity for employees and the enterprise. For more information, visit: www.servicenow.com or www.servicenow.com/privacy

About BigID

BigID's data intelligence platform enables organizations to know their enterprise data and take action for privacy, security, and governance. Customers deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape. For more information, visit: www.bigid.com
