Skip to content

Exterro Study Reveals Data Privacy Compliance Initiatives Mired in Ad Hoc, Manual Processes

New Privacy Compliance Readiness Survey Finds Critical Gaps Facing Legal and Privacy Teams Amidst Mounting Regulatory Pressures

PORTLAND, OR., Nov 2, 2022 -- Exterro, Inc., the preferred provider of Legal GRC software specifically designed for in-house legal, privacy, and IT teams at Global 2000 and Am Law 200 organizations, today announced key findings from a new Privacy Compliance Readiness Survey which polled privacy and compliance leaders at a cross-section of North American organizations on their data privacy compliance priorities to gauge their ability to meet these regulatory requirements.

“As this new study makes clear, organizations of all sizes are struggling to comply and stay current with today’s fast evolving data privacy regulatory landscape. With a raft of new state data privacy laws, along with a proposed Federal data privacy regulation looming on the horizon, data privacy leaders recognize the urgency of improving their compliance readiness yet still find themselves largely reliant on unsustainable manual and ad hoc procedures,” said Ray Pathak, VP of Privacy at Exterro. “Further complicating their compliance readiness is the reality that as data volumes continue to grow at unprecedented rates, their ability to quickly respond and comply with these regulations will be severely limited.”

Today, organizations are faced with a dizzying array of privacy obligations and complex rules dictating the collection, use, disclosure and retention of personal information. Consumers meanwhile have become more educated about their data privacy rights and increasingly will only choose brands that they feel can be trusted to safeguard their data. According to the most recent Chief Legal Officers Survey, 60 percent of respondents reported that they expect to see an increase in the volume of privacy regulatory enforcement in 2022. Yet at this survey demonstrates, only a small minority of organizations are adequately prepared to meet these new compliance challenges.

Some of the key takeaways from the survey include:

  • Data Privacy Extends to the C-Suite: When asked which position bore the primary responsibility for privacy compliance at their organization, the roles of Data Protection Officers and General Counsel unsurprisingly accounted for nearly half (45%) of responses. However, the survey also found that almost a quarter (23%) of other C-Level positions – CEO, CIO and CPO – were directly involved in this function, demonstrating that data privacy has now become a board level concern.
  • Compliance Processes Remain Largely Ad Hoc: Close to half of respondents (44%) reported that they either rely on ad hoc or poorly defined processes for complying with data privacy regulations. Only 16% of those interviewed characterized their compliance process at the highest maturity level of ‘optimized’ according to the AICPA/CICA Data Privacy Maturity Model reference framework.
  • Data Inventory & Retention Capabilities are Largely Deficient: While data privacy leaders understand that their ability to comply with data privacy regulations is contingent on their ability to execute a comprehensive data inventory, almost half (45%) of respondents said they rely on manual survey methods to keep their data inventories updated, while only 17% reported that they are using automated data discovery tools to continuously scan their data inventory. Meanwhile more than half (55%) described their data retention policies as manual.
  • Responding to Digital Subject Access Requests (DSAR) Requires Significant Effort: Data privacy regulations such as GDPR and CCPA grant consumers and employees the right to request what personal information an organization has collected on them. More than a third of respondents (38%) said they relied entirely on ad hoc processes for fulfilling these requests while just 5% reported having an automated process; more than half (51%) said they had either no ability to respond to customer and employee DSARs or that responding required a considerable amount of effort.
  • Informed Consent Continues to Confound: When asked about how their organization allows customers to make informed choices about the data they share and how it’s used, nearly a third (31%) reported that their systems were totally ad hoc; 44% said they use webforms and emails to gather consent and manual processes to send requests to system owners and only 8% reported having a fully automated system in place to communicate consent.

To download the survey, visit Exterro’s website.

About Exterro
Exterro empowers legal teams to proactively and defensibly manage their Legal Governance, Risk, and Compliance (Legal GRC) requirements. Our Legal GRC software is the only comprehensive platform that automates the complex interconnections of privacy, legal operations, digital investigations, cybersecurity response, compliance, and information governance. Thousands of legal teams around the world in corporations, law firms, and government and law enforcement agencies trust our integrated Legal GRC platform to manage their risks and drive successful outcomes at a lower cost. For more information, visit

# # #

Press Contact:

David Splivalo

Platform PR

[email protected]