Of the organizations subject to GDPR, 61% collect more data than GDPR permits. And 46% of firms that experienced an unauthorized data-sharing incident are governed by GDPR.
In addition, 54% fail to follow the best practice of regularly reviewing access rights to data.
While 91% of companies claim they store sensitive and regulated data in secure locations, 24% admit they had found such data outside of the designated locales in the past year, the study says.
Moreover, 30% of system administrators gave access to sensitive data based only upon a request in the past year.
These lapses also expose email addresses and put consumers who hold them at risk of phishing and other forms of attack.
The report also shows that 30% of brands that lack data classification processes "never get rid of redundant, obsolete and trial data, versus only 6% of those that do classify data."
On a positive note, all of the surveyed companies with a chief data officer have implemented data discovery and classification.
However, 64% can't confirm that they gather and store only the minimum amount of customer data they need. And 34% of these are subject to GDPR.
In other findings, 41% of firms that are subject to GDPR and 42% of those that must comply with the CCPA can't classify data at the point of creation in order to prioritize their efforts and focus on the most critical information.
The financial field leads in this, with 54% having adopted data discovery and classification technology.
Moreover, 39% don't feel that low visibility into data creation constitutes a security risk.
In contrast, 50% have done so in the government area, with 46% in health care and 41% in education.
Health care is the most porous vertical in one other way: 46% have granted direct access rights based only on a request in the last 12 months, as have 44% of finance respondents. Only 21% of government respondents have done so.
Here are a few more facts that are less than encouraging:
- 66% of chief information security officers (CISOs) and compliance officers are not certain that they store data in secure locations. And 45% of these are subject to GDPR.
- 75% of chief information officers and 71% of CISOs admit that permissions to archived data are not regularly reviewed.
- 58% of firms have had a security incident and say archived data was compromised.
Netwrix surveyed 1045 organizations last fall. Several industries are represented, including healthcare, finance, government, manufacturing, technology/software, education, service, consulting, nonprofit and retail & wholesale.