
Our most recent analysis of organizations’ data privacy insights was drawn from a study conducted by 451 Research from S&P Global Energy. In that research, we found that organizations are cautiously optimistic regarding data privacy management and organizations’ adoption of AI. Organizations’ data privacy initiatives, furthermore, increasingly seek supplemental or primary funding from AI project coffers to align with organizations’ objectives and budgets. Regulatory compliance alone is no longer a top motivator for data privacy efforts, as organizations increasingly seek to implement AI for business benefits. The survey conducted by 451 Research targeted respondents involved in data governance and data privacy functions within their organizations. This blog post presents primary findings, which often vary based on an organization’s geographic scope and “footprint.”
The Take
No data governance or privacy professional is going to argue that data-driven regulations have gotten easier or less complex over the last decade. Regulations themselves are relatively structured, but vast differences across individual jurisdictions can create conflicting standards and objectives, particularly for organizations that operate multinationally. In this sense, the geographic scope of an organization — local or national versus multinational — is often an indicator of specific data governance and privacy practices. Multinational firms, juggling a more complex array of global and local regulations, tend to be somewhat more proactive in data privacy and governance. Yet compliance is not the only motivator for organizations seeking improvements in data governance and data privacy.
The government can issue regulations to protect data, but it can also prescribe regulations that permit itself unfettered data access (e.g., the US Clarifying Lawful Overseas Use of Data Act). Accordingly, the motivation to keep an organization’s data independent of external access or influence — the idea of sovereignty — is quickly gaining ground, even among organizations that may not have multinational operations. With proprietary data providing the competitive differentiation in an organization’s interaction with LLMs and other GenAI tooling, organizations are more motivated than ever to protect information.
Summary of findings
Data governance and data privacy practices are tightly intertwined and interdependent, especially among multinational organizations. The governance of data and the execution of data privacy practices are highly complementary activities that typically need to be coordinated to ensure success. Many organizations have established an interdependency between data governance and data privacy management (or PrivacyOps), but differences exist depending on an organization’s geographic presence and footprint. While a notable majority (70%) of organizations, overall, report either “significant” or “full” interdependence of data governance and data privacy efforts, multinational organizations are far more likely to report “full” interdependence (43%) of these activities versus companies with a local or national footprint (25%).
IT teams still mainly hold responsibility for data governance and privacy. Yet organizations with a global footprint tend to rely on a much more diverse array of stakeholders. As we have seen in years past, the general IT function is frequently saddled with data governance and data privacy responsibilities, including both decision-making influence and execution duties.
This remains largely true today: 77% overall report that IT is most associated with data governance decision-making, and 82% report that IT is most associated with data governance execution. Similarly, 71% report IT as the function most associated with data privacy management or PrivacyOps decision-making, and 79% acknowledge IT as the group most responsible for data privacy execution.
Differences, however, emerge based on geographic scope. Multinational organizations are more likely to have a much wider variety of organizational functions highly involved in these practices.
While only 51% of local/national organizations report information security as the organizational function most associated with decision-making for data governance practices, 80% of multinational organizations do: the top response for multinationals.
Multinational organizations are also much more likely to report having dedicated privacy teams involved in data governance and data privacy practices.
While multinationals fare better at navigating complex regulations, local peers often are better at addressing internal business and cultural barriers associated with data privacy. The complexity of regulation and law is a common pain point for organizations as they seek to manage data privacy, as legislation constantly evolves worldwide. Overall, 45% report this as a significant organizational challenge: the top aggregate response. Yet differences emerge based on the organization’s geographic footprint; organizations that operate across borders must constantly juggle a broader array of rules and mandates. In this sense, multinational organizations seem better equipped to handle the complexity of regulations and law, with only 26% reporting this as a top challenge, as opposed to 58% of organizations that operate nationally or locally. However, multinationals are not immune to problems. In fact, they are more negatively affected by internal structural challenges. While only 29% of local/national organizations report “internal communication barriers” as a challenge, 49% of multinationals do. Similarly, only 17% of local or national organizations cite “lack of prioritization or leadership” in data privacy as a challenge. Yet 40% of multinational respondents do.
Technical challenges are common in PrivacyOps, but they are not experienced evenly. All struggle with the complexity and volume of data, but larger multinational companies struggle more with tech debt. The technical challenges associated with managing data privacy are diverse in nature, but not experienced evenly across organizations. The “complexity and volume of data” is commonly reported as a data privacy challenge across all types of organizations, with 38% reporting it as the top overall aggregate response. Yet multinational companies are growing older and more expansive in scope, leading to greater technical debt. The top challenge for these organizations isn’t necessarily the complexity or volume of data, but rather the systems that support and manage it. The top overall technical challenge in data privacy for multinationals appears to be “technology UX and usability” at 46%, suggesting a reliance on older or outdated systems. Other disproportionate challenges for multinationals include “reliance on outdated or legacy technology” at 37% and “volume of data subject rights requests” at 40%.
Organizations are wary of “shadow AI.” Business-to-consumer (B2C) organizations have some of the most progressive controls around shadow AI, but the aggregate response suggests that this is a concern for all. The term “shadow AI” refers to any employee usage of AI models, applications, or systems that have not been explicitly sanctioned or adopted by the organization.
The prevailing majority — 80% — of organizations overall either have or are actively developing a formal initiative to control or limit the use of shadow AI.
Upon breaking it down, however, some qualities suggest a higher sensitivity to this potential threat. While organizations with a mixed business-to-business and B2C model tend to be more mature than others in managing data sources, it’s the pure B2C businesses that are leading the charge to rein in shadow AI. A total of 48% of primarily B2C organization respondents report their organization already has a formal initiative and supporting technology for this purpose, as opposed to only 41% among respondents from mixed B2B and B2C organizations.
Organizations are compelled to safeguard their personal or sensitive data from GenAI systems, LLMs, and associated tooling. Both organizational and technical measures are required. Protecting personal or sensitive data from GenAI systems and LLMs can be an uphill battle for organizations, requiring both cultural and technical controls. As LLMs are largely available off-the-shelf, business success and differentiation in results with these tools are largely determined by the curated, proprietary data they are provided with. As such, organizations are highly motivated to keep sensitive and proprietary data out of models that may train on it. Network-level control (often associated with blocking access) at 50% is the top overall reported technical way organizations protect their data from AI training and potential misuse. However, among multinational respondents, cloud sovereignty efforts reign supreme (60%) in the effort to safeguard information.
The business pursuit of sovereign cloud architecture is common. Multinational firms are especially motivated to lend this initiative additional emphasis and resources. Across the board, organizations indicate relatively high interest in pursuing sovereign cloud architecture, with 55% overall reporting either “high” or “critical” prioritization for these efforts. These trends and preferences for sovereign cloud intensify, however, among organizations with a multinational presence — as opposed to those with a more limited local or national footprint. Among the self-identified multinational firms in this survey, none of the respondents identify sovereign cloud architecture as having “no prioritization” or “low prioritization.” Conversely, within the same group, 71% indicate that the effort to pursue sovereign cloud architecture is either “high” or “critical” in priority, with just over one quarter indicating “critical” priority.
In pursuing sovereign cloud architecture, organizations cite a very diverse array of issues as motivating factors. Yet some differences exist between local and multinational motives. There is no single, dominant motivating factor for seeking out sovereign cloud architecture. Historically, many data governance and privacy efforts were primarily spurred by regulatory requirements, yet sovereign cloud architecture is pursued today for a wide array of both “proactive” and “reactive” motivations. Survey respondents tend to indicate that nearly all motivations are “significant” drivers. Top responses include the motivation to protect sensitive business data from economic espionage (69%), compliance with industry-agnostic data protection regulations (64%), and adherence to specific data residency requirements (63%). Yet differences still exist between local/national versus multinational organizations. Local or national organizations are more likely to report pursuing sovereign cloud architecture to meet industry-specific regulations or certifications (61% versus 52%). Multinationals are far more concerned about meeting specific data residency requirements (71% versus 52%) and about facilitating the secure use of data-intensive technologies such as AI, GenAI, and LLMs (66% versus 44%).
Organizations are widely adopting agentic AI, and the top motivation for agentic AI governance is not risk mitigation or compliance. Common wisdom might suggest that most data governance and privacy practices are ultimately driven by external pressures, such as regulatory mandates. This doesn’t necessarily hold with agentic AI governance. Eager to implement AI for business purposes, organizations are more likely to embrace AI governance frameworks and technologies. A total of 69% of our survey participants indicate that their organization has adopted some form of agentic AI for business purposes. Within that group of adopters, respondents were asked to rank three categories of motivation to adopt frameworks and/or supporting technologies for governance of agentic AI. While “competitive advantage and commercial facilitation” tops the priority list at 37%, “risk mitigation and compliance” ranks last at 30%.

